Configuring Single Sign-On for IBM SPSS Modeler 18.5 Using Kerberos Authentication

Vishnu Teja
IBM Data Science in Practice
7 min read, Jun 13, 2024

This blog (co-written with Harshavardhan Changappa) explains how to configure Single Sign-On between the SPSS Modeler client and Modeler Server on Windows.

IBM SPSS Modeler utilizes Kerberos for Single Sign-On (SSO). Kerberos serves as a fundamental element of Windows Active Directory (AD) infrastructure.

To learn more about IBM SPSS Modeler: https://www.ibm.com/docs/en/spss-modeler/18.5.0

Specifically for Windows:

  • The client computer operates on Windows and is integrated into an Active Directory domain.
  • The client user has logged into the computer using a domain account. The method of login, whether it’s through a smart card, fingerprint, etc., is inconsequential.
  • IBM SPSS Modeler Server can authenticate the client user’s credentials by consulting the Active Directory domain controller.

[Figure: Diagrammatic representation of the SSO flow]

This documentation elucidates the configuration process for Windows servers to enable authentication.

“With the completion of the Single Sign-On (SSO) setup, users logging into the Modeler client machine from Active Directory (AD) can seamlessly authenticate to the Modeler server through the Modeler thick client. This eliminates the need for users to manually input credentials for accessing the Modeler server.”

In this document, we have used three Windows machines: one for Active Directory (AD), one for the Modeler client and another for the Modeler server.

The following steps outline the SSO setup process for each machine.

Windows Active Directory Configuration:
Setting up AD on a New Machine:

AD Server Installation Procedure:

  • Begin by opening Server Manager.
  • In Server Manager, navigate to “Manage” > “Add Roles and Features.”
  • Proceed by clicking “Next” on the “Before you Begin” screen.
  • Choose “Role-based or feature-based installation” and click “Next.”
  • Select the server where you intend to install Active Directory Domain Services (AD DS), then click “Next.”
  • In the “Server Roles” step, select “Active Directory Domain Services” and follow the prompts to add any required features.
  • Continue through the wizard by clicking “Next” until you reach the confirmation step.
  • Proceed with the installation.
  • Upon successful installation, a confirmation message similar to the following will be displayed:
  • This confirms the successful setup of Active Directory on the specified Windows Server.

Navigate to the Home section of Server Manager.

  • Locate and click on the Yellow warning icon.
  • Select “Promote this server to a domain controller.”
  • Choose the option to “Add a new Forest.”
  • Enter the desired domain name for the new domain, which other machines will join during the Single Sign-On (SSO) process.
  • Provide a Directory Services Restore Mode (DSRM) Password and make a note of it for future reference. Then, click “Next.”
  • Review and, if necessary, modify the automatically generated NetBIOS domain name (different from the root domain name).
  • Verify the paths and click “Next.”
  • Review the provided options and click “Next.”
  • Once all prerequisite checks pass successfully, click “Install.”
  • Allow the system to restart.
  • After restart, open Windows PowerShell and run the following commands to verify:
# To display the DNS root (realm) of the current Active Directory domain:
Get-ADDomain | Select-Object -ExpandProperty DNSRoot
# To verify all three machines are under one root domain
# (replace the domain name at the end with your own):
nslookup -type=SRV _kerberos._tcp.SPSS.VT.COM

Ensure all the Windows machines are under the same root domain:

  • Change the Domain of the Modeler client machine and Modeler server machine:
  • First, change the DNS server IP address:
    - Go to Control Panel > Network and Internet > Network and Sharing Center.
    - Click on “Change adapter settings,” then select the connection and click “Properties.”
    - Under Internet Protocol version (IPv4 or IPv6), change the preferred DNS server to the AD server’s IP address.
  • Change the Domain name from System:
    - Go to Control Panel > System and Security > System.
    - Click on “Change settings” next to “Computer name, domain, and workgroup settings.”
    - Click on “Change” under “Computer Name.”
    - Select “Domain” and input the root domain name.
    - Follow the prompts to provide administrator credentials when prompted.
    - Restart the systems.

Set Service Principal Name (SPN) using Windows PowerShell:

# setspn -s {servicePrincipalName}/{host}:{port} {alias}
setspn -s modelerserver/c43589v1.spss.vt.com:28061 c43589v1

Create Users in Active Directory:

  • Go to Server Manager > Tools > Active Directory Users and Computers > Users.
  • Right-click, then select “New” > “User.”

Modeler Server Configuration:
Setting up Modeler Server on a New Machine:

  • Download the latest version of Modeler Server and install it after unzipping the downloaded file.
  • Navigate to the config folder of the IBM SPSS Server installation location.
  • Create a folder named “sso” in the config folder.
  • Inside the “sso” folder, create the following files:

krb5.conf: Create a new file and edit it using the example below as a reference.

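[libdefaults]
    # Realm names are case-sensitive: use the upper-case AD domain name,
    # matching the [realms] entry and the realm in the keytab principal.
    default_realm = SPSS.VT.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    SPSS.VT.COM = {
        kdc = c58321v1.spss.vt.com:88
        admin_server = c58321v1.spss.vt.com:749
        default_domain = spss.vt.com
    }

[domain_realm]
    # Map the AD DNS domain (and its subdomains) to the realm.
    .spss.vt.com = SPSS.VT.COM
    spss.vt.com = SPSS.VT.COM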

Note:

  • Domain name is the AD domain that you created.
  • To find the Key Distribution Center (KDC) server name, open Windows PowerShell on the AD server and run the nslookup command with the -type=SRV parameter:

nslookup -type=SRV _kerberos._tcp.SPSS.VT.COM

This command will query the DNS server for the SRV record associated with the Kerberos service (_kerberos._tcp.SPSS.VT.COM). The result will include the hostname and port number of the KDC server(s).

Note the hostname(s) listed under "svr hostname". These are the KDC server names that clients will use for Kerberos authentication.

krb5.keytab: Use the following command format to create this file:
<MODELERSERVER Installation folder>\jre\bin\ktab -a <spn>@<realm> -k krb5.keytab

# Example command to create the keytab file
# Run from the sso folder
"..\..\jre\bin\ktab.exe" -a modelerserver/c43589v1.spss.vt.com:28061@SPSS.VT.COM -k krb5.keytab

  • Check if the instance is included in the keytab using the command:
    "..\..\jre\bin\ktab.exe" -l -e -k krb5.keytab
  • Check the Windows Firewall with Advanced Security:
    - Verify the Inbound Rule for Modeler Server.
    - Add a new rule if possible to allow connections from outside.
    - Specify port 28061 for the 18.5 Modeler version.
  • Start the Server.
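
Before starting the server and copying krb5.conf to the client, the file can be checked for internal consistency with the realm used in the keytab principal. The following is an added example, not part of the original post or of IBM's tooling; the function names `parse_krb5` and `lint_krb5` and the sample file contents are assumptions made for illustration, and the parser handles only the krb5.conf subset shown on this page.

```python
def parse_krb5(text):
    """Parse the krb5.conf subset used here: [sections], key = value, realm { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def lint_krb5(text, spn_realm, host_domain):
    """Return consistency problems; an empty list means the file is coherent."""
    conf = parse_krb5(text)
    realms, mapping = conf.get("realms", {}), conf.get("domain_realm", {})
    default = conf.get("libdefaults", {}).get("default_realm", "")
    issues = []
    # Realm names are matched case-sensitively; AD realms are the upper-case domain name.
    for label, realm in [("default_realm", default), ("keytab realm", spn_realm)]:
        if realm not in realms:
            issues.append(f"{label} '{realm}' has no [realms] entry")
    for domain, realm in mapping.items():
        if realm not in realms:
            issues.append(f"[domain_realm] {domain} maps to undefined realm '{realm}'")
    if not any(d.lstrip(".").lower() == host_domain.lower() for d in mapping):
        issues.append(f"no [domain_realm] entry covers '{host_domain}'")
    return issues

# Constructed sample (not from a real system): lower-case realm, stale domain mapping.
SAMPLE = """
[libdefaults]
default_realm = example.test
[realms]
EXAMPLE.TEST = {
    kdc = dc1.example.test:88
}
[domain_realm]
.other.test = example.test
"""

if __name__ == "__main__":
    print("\n".join(lint_krb5(SAMPLE, "EXAMPLE.TEST", "example.test")))
```

Pass the realm from the `ktab -a <spn>@<realm>` command as `spn_realm` and the DNS domain of the Modeler Server host as `host_domain`.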

Modeler client Configuration:
Setting up Modeler Client on a New Machine:

  • Download the latest version of Modeler Client and install it after unzipping the downloaded file.

Kerberos Configuration:

  • Enable Java to access the TGT session key:
  • Press Win + R to open the Run dialog.
  • Type regedit and press Enter to open the Registry Editor.
  • Navigate to the following registry location: Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • Right-click the folder and select New > DWORD. Name the new value allowtgtsessionkey.
  • Set the value of allowtgtsessionkey to 1 (hexadecimal value: 0x00000001).
  • In the config folder of the IBM® SPSS® Modeler installation location, create a folder called “sso”.
    Inside the “sso” folder, create the following file:

krb5.conf: Copy this file from the <SPSS Modeler-Server installation folder>/config/sso folder.

Adding AD Users to Remote Desktop Users:

  • Open Computer Management > Local users and groups > Groups > Remote Desktop Users properties > Add.

Test the Functionality of Modeler with SSO Connection:

  • Log in to the Modeler Client machine as an AD user.
  • Open Modeler Client and go to Server Login.
  • Server Name: Modeler Server full machine name (e.g., c43589v1.spss.vt.com)
  • The Set Credentials option should be disabled for SSO.
  • Click OK.
  • You will see the successful connection to the remote server in the bottom left corner.

Conclusion:

This completes the Single Sign-On (SSO) setup. Now, when a Windows Active Directory (AD) user logs into the Modeler client machine, they can authenticate to the Modeler server through the Modeler thick client without needing to input user credentials for the Modeler server.
