
Configuration Tools

The Moonshot SSP ships with two tools for configuring the SSP. One is a GUI, and one a CLI. These tools allow you to:

  • Set various configuration options about the way the SSP operates
  • Configure your connection to a Moonshot RP
  • Add manual account mappings.

The GUI - msetupgui.exe

The default location for the SSP setup GUI is C:\Program Files\Moonshot\msetupgui.exe.

To set the options as documented in Section 2, simply click to turn them on and off. Note that all settings require a reboot to take effect.

Screenshot of msetupgui.exe

The CLI - msetup.exe

The SSP setup CLI is located at C:\Program Files\Moonshot\msetup.exe.

To set the options as documented in Section 2, run the msetup tool in a command prompt with the appropriate flags. Note that all settings require a reboot to take effect.

Screenshot of msetup.exe

Main configuration options

You can use either tool to set any of the options below.

  • Debug - Turns on Debug logging. See the topic for further information.
  • Disable SPNEGO - GSS-EAP won't be advertised by the SPNEGO/Negotiate security package. This may avoid any potential incompatibilities that might arise from the SSP being negotiable at two layers (Negotiate and NegoEx).
  • Disable NegoEx - GSS-EAP won't be advertised by the NegoEx security package (as negotiated by SPNEGO).
  • Use S4U on Domain Controller - Normally, if running on a domain controller, the directory is interrogated directly. If this flag is set, however, then S4U2Self (protocol transition) will be used if that fails. Used for debugging.
  • Use Kerberos RPC ID - Pretends to be Kerberos rather than GSS-EAP (e.g. required for Microsoft Exchange).
  • Support Interactive Login - Allows federated sign-in to the Windows desktop.
  • Use Domain Login Credentials - Pass through the credentials of the currently logged-in user (desktop SSO).

Configure the connection to your Moonshot RP Proxy

Your Moonshot SSP needs to connect to a local Moonshot RP Proxy in order to authenticate remote users. To do so, you can either use the GUI or the CLI, whichever you prefer. Adding a connection to a Moonshot RP Proxy consists of two steps - configuring the basic details for the Moonshot RP Proxy, then configuring whether to use a RADIUS or a RadSec connection.

Defining multiple Moonshot RP Proxy connections would give a simple failover mechanism - should the first Moonshot RP Proxy in the list not be available, the second would be consulted, and so on.

Basic Connection Details

Using the GUI

In the msetupgui.exe window, you will find an "Add Server" button. Click on this and a dialogue will pop up asking you to enter some information. Fill it in as follows:

  • Address - the IP address of your AAA proxy
  • Port/Service - the port that your RADIUS server is running on (often 1812 for RADIUS and 2083 for RadSec)
  • Secret - the shared secret for your SSP as configured in the AAA proxy

Using the CLI

In a command prompt, issue the following command:


For a server located at 123.123.123.123, listening on port 1812 with a secret of "sharedsecret" you would run a command as follows:


Configuring RADIUS or RadSec

Your Moonshot libraries will need to connect to a Moonshot RP Proxy. This can be either a RADIUS or a RadSec connection.

If you are unsure which to use, then RadSec is recommended as it is more flexible and more secure. It is slightly more complex to set up, however.

RadSec

Using the GUI

To configure a RadSec connection, make sure the "TCP" option is selected in the dropdown at the top left of the msetupgui.exe window.

TODO

Instructions on configuring certs in the SSP GUI


Using the CLI

TODO

Instructions on configuring certs in the SSP CLI

RADIUS

Using the GUI

To configure a RADIUS connection, simply make sure the "UDP" option is selected in the dropdown at the top left of the msetupgui.exe window.

Using the CLI

TODO

Need to check how to do this...

Add account mappings

Before doing any of the following, make sure you've read the .

When a user authenticates via Moonshot, their remote identity (their NAI) must be mapped to an existing account on the Windows machine. If the machine is a standalone machine, this should be a local account; if the machine is a member of an AD domain, it should be a domain account.

Mapping to a local account

Using the GUI

  1. In the msetupgui.exe window, click on the "Add User Mapping" button. A dialogue box will appear:
    Screenshot of manual account mapping
  2. Add the following information:
    • User - the full NAI of the user (e.g. johnsmith@example.com)
    • Account - the name of the local account you wish to map to (e.g. johns).

Using the CLI

  1. In a command prompt, issue the following command:

To map a user with an incoming NAI of "johnsmith@example.com" to a local account of "johns", you would run a command as follows:


Mapping to an AD domain account

To map to an AD account, you need to edit that account's "AltSecurityIdentities" attribute. Add a value of "EAP:[NAI]" to map an incoming user to that particular account. E.g. a value of "EAP:johnsmith@example.com" on the domain account "DOMAIN\johns" maps that NAI to that account.
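As an added example (not part of the Moonshot documentation or tooling), the following PowerShell adds the "EAP:[NAI]" value to a domain account's altSecurityIdentities attribute and first checks that no other account already claims the same NAI, so that an incoming identity can never resolve to more than one Windows account. It assumes the ActiveDirectory module (RSAT) is installed and the caller has rights to edit the account; the function names and sample values are constructed for this example.

```powershell
# Added example, not Moonshot's own code. Requires the ActiveDirectory module (RSAT)
# and permission to modify altSecurityIdentities on the target account.
Import-Module ActiveDirectory

# Return every account that currently carries "EAP:<NAI>" in altSecurityIdentities.
# A correctly configured directory returns exactly one object (or none, before mapping).
function Get-MoonshotAdMapping {
    param([Parameter(Mandatory)][string]$Nai)   # e.g. johnsmith@example.com
    $value = "EAP:$Nai"
    # The NAI is placed in an LDAP filter; '(' ')' '*' and '\' would need escaping.
    Get-ADUser -LDAPFilter "(altSecurityIdentities=$value)" -Properties altSecurityIdentities
}

# Map an incoming NAI to a domain account (identified by its sAMAccountName, e.g. johns).
function Add-MoonshotAdMapping {
    param(
        [Parameter(Mandatory)][string]$Nai,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $value = "EAP:$Nai"

    # Refuse to create an ambiguous mapping: one NAI must resolve to one account only.
    $existing = @(Get-MoonshotAdMapping -Nai $Nai)
    if ($existing.Count -gt 0) {
        $names = ($existing | ForEach-Object { $_.SamAccountName }) -join ', '
        throw "NAI '$Nai' is already mapped to: $names"
    }

    # Get-ADUser throws if the account does not exist, so a typo cannot create a dangling mapping.
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $value) {
        Write-Verbose "Mapping already present on $SamAccountName"
        return $user
    }

    # altSecurityIdentities is multi-valued, so use -Add rather than -Replace to keep
    # any other values (e.g. X509 mappings) that are already on the account.
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $value }
    Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
}

# Constructed usage, matching the example in the text above:
# Add-MoonshotAdMapping -Nai 'johnsmith@example.com' -SamAccountName 'johns'
# Get-MoonshotAdMapping -Nai 'johnsmith@example.com'   # expect a single account: johns
```

Running Get-MoonshotAdMapping periodically (or before each new mapping) is a cheap check that no NAI has been attached to two accounts by a manual edit elsewhere.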

TODO

Tidy this last section up and add screenshot