Open source ticket system

A Helping Hand

Enabling SSO with AD

Single sign-on with Kerberos in OTOBO enables seamless and secure authentication, especially in AD environments. It greatly simplifies the login experience: Users are logged in automatically with their Microsoft credentials and do not need to re-enter them.

For SSO, you first need to create an AD user account that will be used for SSO authentication. The username should follow a specific pattern, such as HTTP/<domain>. Make sure you use capital letters for the HTTP/ part (as expected by Kerberos) and ensure that the domain name is defined by an A record and not a CNAME record. Now use the ktpass tool on a domain controller to create a .keytab file for the user you just created; this file is needed later in the OTOBO configuration to enable Kerberos authentication.

Next, you need to prepare NGINX and the OTOBO containers by creating a new directory and a volume for the NGINX configuration on your OTOBO server. Move the .keytab file to the directory you created previously and configure the container's NGINX settings to use Kerberos authentication. In your OTOBO configuration file (Kernel/Config.pm), you now need to stipulate that you want to use Kerberos for authentication by copying the configuration lines that define this from the default configuration (Defaults.pm).

You also need to change some browser settings for Kerberos SSO. For Chrome, Edge, and Internet Explorer, add OTOBO to the local or trusted sites and enable the setting Enable Integrated Windows Authentication. In Firefox, set network.negotiate-auth.trusted-uris to the OTOBO URL.

Kerberos SSO requires precisely defined settings and the correct configuration of all components. If problems occur, check the container status, the NGINX configuration, and the setup details in Kerberos and Active Directory.
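When you check the Kerberos setup, the .keytab file itself is a good place to start. The following Python sketch is an added example, not code from the article or the OTOBO project: it reads a keytab in the MIT version 2 layout (assumed here to be what ktpass wrote) and reports principals whose service part is not upper-case HTTP or whose host differs from the OTOBO name. Going beyond the article, it also flags DES and RC4 keys. The host otobo.example.com, the realm EXAMPLE.COM, and the sample_keytab helper are constructed for illustration.

```python
import struct

# Kerberos enctype numbers deprecated by RFC 6649 (DES) and RFC 8429 (RC4).
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Yield (principal, enctype) for every live entry of a version 2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab (expected 0x0502 header)")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # deleted slot ("hole"), nothing to report
            continue
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):         # realm first, then the name components
            text, off = _counted(entry, off)
            names.append(text)
        (etype,) = struct.unpack_from(">H", entry, off + 9)  # skip name type, timestamp, kvno
        yield "/".join(names[1:]) + "@" + names[0], etype

def audit_keytab(data, expected_host):
    """Return findings for the keytab; an empty list means nothing to fix."""
    findings = []
    for princ, etype in parse_keytab(data):
        service, _, rest = princ.partition("/")
        if service != "HTTP":
            findings.append(f"{princ}: service part must be upper-case HTTP")
        if rest.split("@")[0].lower() != expected_host.lower():
            findings.append(f"{princ}: host is not {expected_host}")
        if etype in WEAK_ENCTYPES:
            findings.append(f"{princ}: weak enctype {WEAK_ENCTYPES[etype]}")
    return findings

def sample_keytab(service, host, realm, etype, kvno=3):  # constructed data, dummy zero key
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(realm.encode()) + s(service.encode()) + s(host.encode())
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(bytes(16)) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    bad = sample_keytab("http", "otobo.example.com", "EXAMPLE.COM", 23)
    print(audit_keytab(bad, "otobo.example.com"))
```

To audit the real file, pass its bytes (read with open(path, "rb")) to audit_keytab before you mount it into the NGINX container. The keytab holds the service account's long-term keys, so keep it readable only by the account that needs it.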

Conclusions

OTOBO is a technologically advanced ticketing and help desk system. Thanks to regular development, the application is a genuine alternative to more established products. Seamless Active Directory integration, the ability to access email from Microsoft 365 by OAuth 2.0, and single sign-on exemplify OTOBO's extensive range of services and illustrate its remarkable ability to adapt to a wide variety of requirements and IT environments.

The software's open architecture is particularly worthy of praise: Existing features can be extended or reconfigured to suit your needs, while supporting integration with a wide range of third-party systems and technologies.

