{"id":3672,"date":"2014-03-27T08:06:00","date_gmt":"2014-03-27T07:06:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/"},"modified":"2014-03-27T08:06:00","modified_gmt":"2014-03-27T07:06:00","slug":"kerberos-sso-with-documentum-d2-31-sp1","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/","title":{"rendered":"Kerberos SSO with Documentum D2 3.1 SP1"},"content":{"rendered":"<p>Last week, when I was working on how to setup the Kerberos SSO for D2 3.1 SP1, I faced some issues due to a documentation that doesn\u2019t seem to be up to date\u2026 In fact, our version is D2 3.1 SP1 and there is no specific documentation for SP1. In consequence, I read the D2 3.1 Installation Guide and the D2 4.0 Installation Guide. The first time I read the D2 3.1 documentation, I found it very light and I knew I would have some problems. Fortunately, I already had experience with Kerberos, essentially with the MIT distribution on Linux (how to setup a KDC, kerberize an application, manage users, etc.).<\/p>\n<p>The first thing that is important to know is that as D2 isn\u2019t a WDK client, the setup of the SSO using Kerberos just involves the D2 host server and the Active Directory server. There is no need to setup the Content Store to use Kerberos. So here is the configuration that were used:<\/p>\n<ul>\n<li>Microsoft Active Directory on Windows Server 2008 R2. Let\u2019s name this server ad001 and the related domain domain.com<\/li>\n<li>D2 3.1 SP1 on Microsoft Server 2008 R2. Let\u2019s name this server wd231<\/li>\n<\/ul>\n<p>The second thing that is important to know is that not all Directory Servers are supported. Indeed, Documentum doesn&#8217;t support Linux Key Distribution Center (KDC).<\/p>\n<h3>1. D2 3.1 documentation steps<\/h3>\n<p>The first part of this blog will describe which steps the official D2 3.1 Installation Guide provides to help Administrator to setup a SSO using Kerberos in D2. You will see that those steps aren\u2019t very descriptive but with a little bit of imagination, you could do something with that.<\/p>\n<h4>a. Edit the shiro.ini file<\/h4>\n<p>Open the file shiro.ini and add the following lines:<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">[main] \nD2-Kerberos=eu.c6.d2.web.filters.authc.D2KerberosHttpAuthenticationFilter \nD2-Kerberos.servicePrincipal=HTTP\/computerName.domainName \nD2-Kerberos.krbConfLocation=C:\/Windows\/krb5.ini \nD2-Kerberos.keyTabLocation=C:\/computerName.keytab \nD2-Kerberos.docbases=docbase1,login1,password1,domain1|docbase2,... \nD2-Kerberos.debug=true \n[urls] \n\/** = D2-Kerberos<\/pre>\n<p>&nbsp;<\/p>\n<h4>b. On the AD<\/h4>\n<p>Create a user on the AD with the computer name of your application server and add the following options:<\/p>\n<ul>\n<li>Use Kerberos DES encryption types for this account<\/li>\n<li>This account supports Kerberos AES 128 bit encryption<\/li>\n<\/ul>\n<p>Generate a keytab using the command below. Well in fact the official documentation only display the command and don\u2019t explain what is it or where to execute it.<\/p>\n<p><a class=\"easyblog-thumb-preview\" title=\"ktpass1.png\" href=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\"><img decoding=\"async\" title=\"ktpass1.png\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\" alt=\"ktpass1.png\" \/><\/a><\/p>\n<p>Transfer this keytab on the D2 host server.<\/p>\n<h4>c. krb5.ini<\/h4>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">[libdefaults]\n\u00a0\u00a0\u00a0 default_realm = DOMAINNAME\n[realms]\n\u00a0\u00a0\u00a0 DOMAINNAME = {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 kdc = adserver.domainName\n\u00a0\u00a0\u00a0 }<\/pre>\n<p>&nbsp;<\/p>\n<h4>d. On Windows 7<\/h4>\n<ol>\n<li>Run gpedit.msc<\/li>\n<li>Expand \u201cLocal Computer Policy\u201d \/ \u201cComputer Configuration\u201d \/ \u201cWindows Settings\u201d \/ \u201cSecurity Settings\u201d \/ \u201cLocal Policies\u201d \/ \u201cSecurity Options\u201d \/ \u201cNetwork security:<\/li>\n<li>Configure encryption types allowed for Kerberos\u201d<\/li>\n<li>Double click \u201cNetwork security: Configure encryption types allowed for Kerberos\u201d<\/li>\n<li>Select all.<\/li>\n<li>Press \u201cOK\u201d<\/li>\n<\/ol>\n<h3>2. D2 3.1 SP1 steps<\/h3>\n<p>The second part of this blog will present which steps must be done to get Kerberos SSO working with D2 3.1 SP1. If you only follow steps describes in the official documentation, as some explanations are missing, you will probably get issues. Now here are the steps that were required to get the SSO working on our D2 3.1 SP1:<\/p>\n<p>Let\u2019s begin with the beginning contrary to the official documentation which begin with the end. So logic!<\/p>\n<h4>a. On the Active Directory<\/h4>\n<p>Create a user on the Active Directory with the following properties:<\/p>\n<ul>\n<li>Username doesn\u2019t matter (don\u2019t need to be the D2 server hostname). Let\u2019s name this user: dmskrbsso<\/li>\n<li>Password: dmskrbssoPassword<\/li>\n<li>Password never expire<\/li>\n<li>This account support Kerberos AES 128 bits encryption<\/li>\n<li>Trust for Delegation to any service (Kerberos Only)<\/li>\n<li>This account support Kerberos DES encryption<\/li>\n<\/ul>\n<p>This last configuration isn\u2019t mandatory as Kerberos will always use the most secure encryption available (AES 256 in general). So there is no problem if your Active Directory admin doesn\u2019t want to enable DES encryption as this isn\u2019t enough secure.<\/p>\n<p>When the user is successfully created, open an administrator command prompt and create the keytab for D2 using the following command:<\/p>\n<p><a class=\"easyblog-thumb-preview\" title=\"ktpass2.png\" href=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass2.png\"><img decoding=\"async\" title=\"ktpass2.png\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass2.png\" alt=\"ktpass2.png\" \/><\/a><\/p>\n<p>This command will create a file named wd231.keytab which should be transfer on the D2 host server. Let\u2019s place this file at the following location: C:\/Kerberos\/wd231.keytab<\/p>\n<h4>b. On Documentum Administrator<\/h4>\n<p>Create a repository user with the same Name, Login Name and password as the one created on the AD:<\/p>\n<ul>\n<li>State: Active<\/li>\n<li>Name: dmskrbsso<\/li>\n<li>Login Name: dmskrbsso<\/li>\n<li>Login Domain: domain.com<\/li>\n<li>User Source: Inline Password<\/li>\n<li>Password: dmskrbssoPassword<\/li>\n<li>Privileges: None<\/li>\n<li>Extended Privileges: None<\/li>\n<li>Client Capability: Consumer<\/li>\n<\/ul>\n<p>This first user will just reflect the new user created on the AD but I think this user isn\u2019t mandatory.<\/p>\n<p>Create another repository user which will be used by the shiro.ini file to connect all other users through SSO:<\/p>\n<ul>\n<li>State: Active<\/li>\n<li>Name: d2krbsso<\/li>\n<li>Login Name: d2krbsso<\/li>\n<li>Login Domain: domain.com (This is mandatory! The SSO will not work without the AD domain here)<\/li>\n<li>User Source: Inline Password<\/li>\n<li>Password: d2krbssoPassword<\/li>\n<li>Privileges: Superuser<\/li>\n<li>Extended Privileges: None<\/li>\n<li>Client Capability: Consumer<\/li>\n<\/ul>\n<p>From a command prompt on the D2 server, execute the following command to get the encrypted password of the user d2krbsso:<\/p>\n<p><a class=\"easyblog-thumb-preview\" title=\"java.png\" href=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/java-1.png\"><img decoding=\"async\" title=\"java.png\" src=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/java-1.png\" alt=\"java.png\" \/><\/a><\/p>\n<p>This command assume that your D2-Client web application is at \u201cC:\/Tomcat6D2-Client31SP1\/webapps\/D2-Client\/\u201d. Remember the result of this command as the encrypted password will be needed later in the shiro.ini file. Let&#8217;s name this encrypted password <em>userEncryptedPw<\/em><\/p>\n<h4>c. krb5.ini<\/h4>\n<p>Create the file C:\/Kerberos\/krb5.ini with the following content:<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">[libdefaults]\n\u00a0 default_realm = DOMAIN.COM\n[realms]\n\u00a0 DOMAIN.COM = {\n\u00a0\u00a0\u00a0 kdc = ad001.domain.com\n\u00a0 }\n[domain_realm]\n\u00a0 .domain.com = DOMAIN.COM\n\u00a0 domain.com = DOMAIN.COM\n[logging]\n\u00a0 default = FILE:C:\/Kerberos\/logs\/kdc_default.log\n\u00a0 kdc = FILE:C:\/Kerberos\/logs\/kdc.log<\/pre>\n<p>&nbsp;<\/p>\n<p>Don\u2019t forget to create the folder C:\/Kerberos\/logs\/.<\/p>\n<h4>d. Edit the shiro.ini file<\/h4>\n<p>The shiro.ini file is the file used by D2 to authenticate user through Kerberos. This file could be found at \u201cC:\/Tomcat6D2-Client31SP1\/webapps\/D2-Client\/WEB-INF\/classes\/shiro.ini\u201d. Replace the properties in this file with the following:<\/p>\n<pre class=\"brush: actionscript3; gutter: true; first-line: 1\">[main]\nD2-Kerberos=com.emc.d2.web.filters.authc.D2KerberosHttpAuthenticationFilter\nD2-Kerberos.servicePrincipal=HTTP\/\nD2-Kerberos.krbConfLocation=C:\/Kerberos\/krb5.ini\nD2-Kerberos.keyTabLocation=C:\/Kerberos\/wd231.keytab\nD2-Kerberos.docbases=docbase1,d2krbsso,userEncryptedPw,DOMAIN.COM\nD2-Kerberos.debug=true\n[urls]\n\/**=D2-Kerberos<\/pre>\n<p>&nbsp;<\/p>\n<p>docbase1 correspond to a repository using Kerberos. You could set more than 1 docbase using the following property:<br \/>\nD2-Kerberos.docbases=docbase1,login1,password1,domain1|docbase2,&#8230;<\/p>\n<p>Maybe you didn\u2019t see the difference with the original documentation but if you look at the property named \u201cD2-Kerberos\u201d, you will see that the Java Class <em>D2KerberosHttpAuthenticationFilter<\/em> isn\u2019t in the same package. In our D2 3.1 SP1, this Java Class is located in <em>com.emc.d2.web.filters<\/em> whereas the D2 3.1 official documentation indicate it on eu.c6.d2.web.filters. Something funny is that on the D2 4.0 official documentation, this property indicate again another location:<em> eu.c6.d2.portal.server.filters.<\/em><\/p>\n<h4>e. Verify the Java Runtime Environment<\/h4>\n<p>It seems that Kerberos SSO for D2 require a java 1.6 jre. The simplest way to verify this is to check the service configuration of your application server. Another way could be to take a look at the registry:<\/p>\n<ul>\n<li>Run regedit<\/li>\n<li>Navigate HKEY_LOCAL_MACHINE \/ SOFTWARE \/ Wow6432Node \/ Apache Software Foundation \/ Procrun 2.0 \/ tomcat6D231SP1 \/ Parameters \/ Java<\/li>\n<li>Verify that the JVM parameter point to Java 1.6: <em>C:\/Program Files\/Java\/jre6\/bin\/server\/jvm.dll<\/em><\/li>\n<\/ul>\n<p>This assume that the JAVA_HOME of your application server is <em>C:\/Program Files\/Java\/jre6\/<\/em><\/p>\n<h4>f. Install the Java Cryptography Extension (JCE)<\/h4>\n<p>Download Java Cryptography Extension (JCE) for the java version used by the JVM and copy both jars into:<br \/>\n<em>C:\/Program Files\/Java\/jre6\/lib\/security\/<\/em><\/p>\n<h4>g. Restart<\/h4>\n<p>Restart your D2 application server and look for errors on the tomcat error log files:<br \/>\n<em>C:\/Tomcat6D2-Client31SP1\/logs\/tomcat6d231sp1-stdout.YYYY-MM-DD.log<\/em><\/p>\n<h4>h. User configuration<\/h4>\n<p>For D2 Kerberos SSO, there is no need to change anything on user properties. That means that, for example, a Login Domain of LDAP and User Source of LDAP is fine.<\/p>\n<h4>i. On client computer<\/h4>\n<ol>\n<li>Run gpedit.msc<\/li>\n<li>Expand \u201cLocal Computer Policy\u201d \/ \u201cComputer Configuration\u201d \/ \u201cWindows Settings\u201d \/ \u201cSecurity Settings\u201d \/ \u201cLocal Policies\u201d \/ \u201cSecurity Options\u201d \/ \u201cNetwork security:<\/li>\n<li>Configure encryption types allowed for Kerberos\u201d<\/li>\n<li>Double click \u201cNetwork security: Configure encryption types allowed for Kerberos\u201d<\/li>\n<li>Select all.<\/li>\n<li>Press \u201cOK<\/li>\n<\/ol>\n<p>Please be aware that the D2-Client URL must be detected by Internet Explorer as an \u201cIntranet Site\u201d. This could be done through Internet Explorer options.<\/p>\n<p>This finally concludes the configuration of Kerberos SSO in D2 3.1 SP1. To get a Kerberos ticket, just log in on the client machine with a user defined in AD and if you have followed the steps above, SSO should work. If this is not the case, please let me know and I might be able to help.<\/p>\n<p>Good luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, when I was working on how to setup the Kerberos SSO for D2 3.1 SP1, I faced some issues due to a documentation that doesn\u2019t seem to be up to date\u2026 In fact, our version is D2 3.1 SP1 and there is no specific documentation for SP1. In consequence, I read the D2 [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":3673,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[443,129,444,445,44],"type_dbi":[],"class_list":["post-3672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-integration-middleware","tag-d2","tag-documentum","tag-kerberos","tag-sso","tag-troubleshooting"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Kerberos SSO with Documentum D2 3.1 SP1 - dbi Blog<\/title>\n<meta name=\"description\" content=\"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos SSO with Documentum D2 3.1 SP1\" \/>\n<meta property=\"og:description\" content=\"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-03-27T07:06:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"654\" \/>\n\t<meta property=\"og:image:height\" content=\"33\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Morgan Patou\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MorganPatou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Morgan Patou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\"},\"author\":{\"name\":\"Morgan Patou\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"headline\":\"Kerberos SSO with Documentum D2 3.1 SP1\",\"datePublished\":\"2014-03-27T07:06:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\"},\"wordCount\":1349,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\",\"keywords\":[\"D2\",\"Documentum\",\"Kerberos\",\"SSO\",\"Troubleshooting\"],\"articleSection\":[\"Application integration &amp; Middleware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\",\"name\":\"Kerberos SSO with Documentum D2 3.1 SP1 - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\",\"datePublished\":\"2014-03-27T07:06:00+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"description\":\"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png\",\"width\":654,\"height\":33},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kerberos SSO with Documentum D2 3.1 SP1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\",\"name\":\"Morgan Patou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"caption\":\"Morgan Patou\"},\"description\":\"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex &amp; critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.\",\"sameAs\":[\"https:\/\/blog.dbi-services.com\/author\/morgan-patou\/\",\"https:\/\/x.com\/MorganPatou\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Kerberos SSO with Documentum D2 3.1 SP1 - dbi Blog","description":"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/","og_locale":"en_US","og_type":"article","og_title":"Kerberos SSO with Documentum D2 3.1 SP1","og_description":"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.","og_url":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/","og_site_name":"dbi Blog","article_published_time":"2014-03-27T07:06:00+00:00","og_image":[{"width":654,"height":33,"url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png","type":"image\/png"}],"author":"Morgan Patou","twitter_card":"summary_large_image","twitter_creator":"@MorganPatou","twitter_misc":{"Written by":"Morgan Patou","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/"},"author":{"name":"Morgan Patou","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"headline":"Kerberos SSO with Documentum D2 3.1 SP1","datePublished":"2014-03-27T07:06:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/"},"wordCount":1349,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png","keywords":["D2","Documentum","Kerberos","SSO","Troubleshooting"],"articleSection":["Application integration &amp; Middleware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/","url":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/","name":"Kerberos SSO with Documentum D2 3.1 SP1 - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png","datePublished":"2014-03-27T07:06:00+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"description":"Setting up Kerberos SSO for D2 3.1 SP1 using Active Directory on Windows Server 2008 R2. Official documentation EMC provides issues.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/ktpass1.png","width":654,"height":33},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/kerberos-sso-with-documentum-d2-31-sp1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Kerberos SSO with Documentum D2 3.1 SP1"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8","name":"Morgan Patou","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","caption":"Morgan Patou"},"description":"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex &amp; critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.","sameAs":["https:\/\/blog.dbi-services.com\/author\/morgan-patou\/","https:\/\/x.com\/MorganPatou"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/3672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=3672"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/3672\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media\/3673"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=3672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=3672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=3672"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=3672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}