Deploying CTERA Agent via Microsoft Active Directory and Single Sign On
Cloud Attached Storage®
September 2015
Version 5.0
Copyright © 2009-2015 CTERA Networks Ltd.
All rights reserved. No part of this document may be reproduced in any form or by any
means without written permission from CTERA Networks Ltd.
Information in this document is subject to change without notice and does not represent a
commitment on the part of CTERA Networks Ltd.
CTERA, C200, C400, C800, P1200, CloudPlug, NEXT3, Cloud Attached Storage, and Virtual
Cloud Drive are trademarks, service marks, or registered trademarks of CTERA Networks Ltd.
All other product names mentioned herein are trademarks or registered trademarks of their
respective owners.
The products described in this document are protected by U.S. patents, foreign patents, or
pending applications.
1 Introduction
This document explains how to centrally deploy CTERA Agent via Microsoft Active Directory.
2 Centrally Installing CTERA Agent via Active Directory
You can centrally install CTERA Agent on multiple computers via Microsoft Active Directory.
The following procedure describes installation using a Windows 2008 Active Directory
domain. It is relevant for both Windows Server 2008 and Windows Server 2012.
To centrally install CTERA Agent via Active Directory
1 Prepare the CTERA Agent installation file for central use, by doing the following:
a On the Active Directory machine, create a shared folder called Agent under C:\.
b Copy the CTERA Agent installation file to the new folder.
c Right-click on the folder, then click Properties.
The Properties dialog box appears displaying the General tab.
d Click the Sharing tab.
The Sharing tab appears.
e Click Share.
The File Sharing dialog box appears.
f For each user or user group for which you would like to install CTERA Agent, do the
following:
1 Specify the desired user/group, either by typing the user/group's name in the
field, or by clicking the drop-down list arrow and then clicking Find people.
To enable installing CTERA Agent for all users/groups, type "Everyone".
2 Click Add.
The user/group appears in the file sharing list.
3 In the user/group's row, click on the arrow in the Permission Level column, then
click Read.
g Click Share.
The File Sharing dialog box displays a success message.
h Click Done.
i Click Close.
2 Create a policy that controls the installation of CTERA Agent, by doing the following:
a In the Start menu, click Administrative Tools, and then click Group Policy
Management.
The Group Policy Management Console opens.
This console enables you to create domain-wide policies or policies for specific
organizational units.
b In the navigation pane, right-click on the domain or organizational unit for which you
want to create the policy, then click Create a new GPO in this domain and Link it
here.
The New GPO dialog box appears.
c In the Name field, type a name for the policy.
For example, "Agent 5.0".
d Click OK.
e In the navigation pane, click on the policy you created.
The policy appears in the right pane.
f In the Security Filtering area, for each user or user group for which you would like to
install CTERA Agent, do the following:
1 Click Add.
The Select User, Computer, or Group dialog box appears.
2 In the Enter the object name to select area, type the name of the user/group.
To enable installing CTERA Agent for all users/groups, type Everyone.
3 Click OK.
g In the navigation pane, right-click on the policy you created, then click Edit.
The Group Policy Management Editor opens.
h In the navigation pane, expand User Configuration > Policies > Software Settings.
i Right-click Software Installations, then click New > Package.
The Open dialog box appears.
j Specify the network location of the shared folder containing the CTERA Agent
installation file, which you created in step 1.
You can view the network location of the shared folder in the folder's Properties
dialog box, in the Sharing tab.
k Click Open.
The Deploy Software dialog box appears.
l Choose Assigned.
This option ensures that when a user or group specified in the policy's Security
Filtering area logs in to the domain, CTERA Agent will automatically be installed on
their computer.
m Click OK.
3 Add the ctera-agent.adm file to Domain Group Policy as an administrative template,
by doing the following:
Tip: This file contains the agent deployment settings.
a Open the Group Policy Object Editor.
b In the navigation pane, right-click on Administrative Templates, then click
Add/Remove Templates.
The Policy Templates window opens.
c Select the ctera-agent.adm file and click Open.
The Enable CTERA Agent automatic deployment Properties dialog box opens.
d In the Sign into server field, type the fully qualified DNS name of the CTERA Portal or
appliance to which the CTERA Agent should connect.
e Click OK.
3 Configuring Active Directory for Single Sign On with CTERA Portal
Once you have configured centralized installation of CTERA Agent via Active Directory (as
described in the previous procedure), you can also configure single sign on with the CTERA
Portal, using the Kerberos protocol. When single sign on is configured, CTERA Agents will
automatically and transparently authenticate to the CTERA Portal using their Active Directory
credentials, upon first login to the PC on which they are installed.
A service principal name (SPN) account on Active Directory uniquely identifies an instance of
a service. Before the CTERA Portal can use Kerberos authentication, you must register the
SPN on the account object that the CTERA Portal uses to log on and then create a keytab file.
This procedure requires CTERA Agent 5.0 and CTERA Portal 5.0 or later.
To configure Active Directory for single sign on with CTERA Portal
1 If you are using Windows 2003 Server, and Windows Support Tools are not yet installed,
install them.
You must have access to these tools, in order to run the ktpass command later in this
procedure.
For more information, see: http://technet.microsoft.com/library/cc755948.aspx
2 Log in to the Windows Domain Controller as an administrator.
3 Create a new account for CTERA Portal, by doing the following:
a Open Active Directory Users and Computers.
b Right-click on the name of the domain to which you want to add the user, then click
New > User.
The New Object - User dialog box appears.
c In the User logon name area, type "cteraportal" in the first field, then specify the
domain in the second field.
For example, in the domain field, you could type "@example.com".
d Click Next.
The following dialog box appears.
e In the Password and Confirm password fields, type a password for the user.
For example, "password123".
f Clear the User must change password at next logon check box.
g Select the User cannot change password and Password never expires check boxes.
h Click Next.
The following dialog box appears.
i Click Finish.
4 Map the service principal name to the "cteraportal" user account that you created and
generate a keytab file, by running the following command on the domain controller:
ktpass -princ SPN -out path_to_keytab -mapuser domain\account_name -mapOp set -pass account_password
Where:
SPN is the Kerberos service principal name.
For example: cttp/[email protected]
The SPN syntax is cttp/portal_full_DNS_name@Active_Directory_realm
path_to_keytab is the path where you want to store the generated keytab file.
For example, c:\cteraportal.keytab
domain is the domain NetBIOS name.
For example, MYEXAMPLE.
account_name is the service account name.
For example, cteraportal
account_password is the password associated with the service account.
For example, password1234
For example:
ktpass -princ cttp/"SERVER FQDN"@"DOMAIN FQDN" -mapuser ctera_portal@"DOMAIN FQDN" -mapOp set -pass PASSWORD -out c:\temp\ctera_portal.keytab
4 Configuring SSO on the CTERA Portal
The final stage in deploying CTERA Agent with Microsoft Active Directory is to configure SSO
on the CTERA Portal.
To configure SSO on the CTERA Portal
1 Enable the keytab file on the CTERA Portal, by doing the following:
a Open a terminal to the CTERA Portal, and log in as root.
b Copy the keytab file from the Active Directory server to the CTERA Portal server.
c Run the following command:
ctera-keytab.sh keytabfile
2 Add the Active Directory server to the CTERA Portal, by doing the following:
a Log in as portal administrator, and access the CTERA Portal Global Administration
View.
b In the navigation pane, click Users > Directory Services.
The Users > Directory Services page appears.
The Directory Services Settings dialog box opens.
c Select the Enable directory synchronization check box.
d In the Directory Type field, select Active Directory.
e In the Domain field, type the Active Directory domain.
f In the Username field, type the username for the Active Directory URL.
g In the Password field, type the password for the Active Directory URL.
h Select the Use Kerberos check box.
i Click Next until you reach the end of the wizard.
j Click Finish.
SSO is now configured on the CTERA Portal.
5 Troubleshooting
Follow these troubleshooting steps if you are experiencing problems deploying CTERA
Agent via Active Directory:
1 Kerberos requires the clocks of the relevant hosts to be synchronized. Ensure that the
CTERA Portal server's clock is synchronized with the Active Directory clock, preferably by
synchronizing the CTERA Portal server's clock with an NTP server.
2 Check that the Active Directory Kerberos realm (for example, "@mycompany.com")
matches the CTERA Portal's DNS suffix (for example, "mycompany.com").
3 Check that the Active Directory email pattern includes only lowercase letters.
4 Check that the keytab file name includes only lowercase letters.
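The following Python example is an added illustration, not part of the original CTERA guide or of CTERA's tooling. It parses a keytab on the portal before ctera-keytab.sh is run and checks it against the SPN syntax given in the ktpass step and against troubleshooting checks 2 and 4. Assumptions: the keytab uses file format version 0x0502, the realm comparison is case-insensitive, all function names are hypothetical, and the sample keytab is constructed with a dummy key.

```python
import struct

def _entry(rec):  # decode one entry; the key bytes are skipped, never returned
    ncomp, off = int.from_bytes(rec[:2], "big"), 2
    def counted():                     # uint16 length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        off += 2 + n
        return rec[off - n:off]
    realm, *comps = (counted().decode() for _ in range(ncomp + 1))
    _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, off)
    off += 11
    counted()                          # skip the key material
    if len(rec) - off >= 4:            # optional 32-bit kvno, used when present and non-zero
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return {"realm": realm, "spn": "/".join(comps), "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    """Parse a version 0x0502 (big-endian) keytab into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size > len(data) - pos - 4:
            raise ValueError("truncated keytab entry")
        if size > 0:                   # a negative size marks a deleted entry (hole)
            entries.append(_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def check_keytab(path, data, portal_fqdn):
    """List deviations from the guide's SPN syntax and troubleshooting checks 2 and 4."""
    name, fqdn = path.rsplit("/", 1)[-1], portal_fqdn.lower()
    problems = [] if name == name.lower() else ["keytab file name is not all lowercase"]
    for e in parse_keytab(data):
        if e["spn"].lower() != "cttp/" + fqdn:
            problems.append(f"SPN {e['spn']} is not cttp/{fqdn}")
        if e["realm"].lower() != fqdn.partition(".")[2]:  # assumption: case-insensitive
            problems.append(f"realm {e['realm']} does not match the portal DNS suffix")
    return problems

def build_sample_keytab(service, host, realm, kvno=3, enctype=18):
    """Constructed sample input: one entry with an all-zero dummy key."""
    def cs(b):
        return struct.pack(">H", len(b)) + b
    rec = struct.pack(">H", 2) + cs(realm.encode()) + cs(service.encode()) + cs(host.encode())
    rec += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(bytes(32)) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

On the portal, pass the bytes of the copied keytab file together with the portal's fully qualified DNS name; an empty list means the three checks passed.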