Search Configuration for OpenText Content Server - Kerberos

Configure Content Server, Active Directory, and SPNs

1. Setup the Service Account

Configure Shinydocs Search Service Account:

1. Account Requirements:

   • The "Shinydocs Search" process must run as a domain user account or a group-managed service account (GMSA). For more details on GMSA, refer to the Microsoft documentation.

2. Grant Permissions to the Service Account:

   • Add the account to the local Administrators group on the server where Shinydocs Pro is installed.

     • Alternatively, configure the following specific permissions:

       • Read access to the server.

         • Add the account to the local "Users" group.

       • Full Control on the Shinydocs Search folder (default path: C:\Program Files\Shinydocs Professional\Search).

       • Read access to the Shinydocs Search service certificate (default certificate: localhost.localdomain).

Grant Certificate Permissions

1. On the Shinydocs Pro server, open certlm.msc.

2. Navigate to Certificates - Local Computer > Personal > Certificates.

3. Locate and select localhost.localdomain.

4. From the menu bar, choose Action > All Tasks > Manage Private Keys.

5. Click Add and select the service account.

6. Under "Allow", checkmark Read, then click Apply.

2. Active Directory User Setup

Configure Delegation

1. Open Active Directory Users and Computers.

2. Locate the Shinydocs Service Account.

3. Right-click the account and select Properties.

4. Go to the Delegation tab and:

   • Choose Trust this user for delegation to specified services only.

   • Select Use Kerberos only.

Add SPNs for Delegation

1. Click Add to open the delegation window.

2. Select Users or Computers and search for the target service account.

3. Add the required SPNs associated with the service.

4. Click Apply to save changes.

3. Setting Service Principal Names (SPNs)

SPN Configuration Steps

1. Open a command prompt or PowerShell with administrative rights.

2. Determine the hostnames of the Shinydocs Search servers:

   • For single-instance setups, use the machine hostname (e.g., search.example.local).

   • For load-balanced clusters, include all machine hostnames and the load balancer's DNS name (e.g., search01.example.local, search02.example.local, search.example.local).

3. Run the following commands to add SPNs:

   CODE

   setspn -S HTTP/<hostname> <domain\service_account>

   Repeat for each hostname.

4. Authorization to OTDS (SPNs)

Set SPNs for OTDS Hosts

Run the following commands for each OTDS-related hostname:

1. OTDS Hostname:

   CODE

   setspn -S HTTP/<otdsHostName> <domain\service_account>

2. OTDS Fully Qualified Domain Name (FQDN):

   CODE

   setspn -S HTTP/<otdsHostName.fqdn.com> <domain\service_account>

3. OTDS Load Balancer:

   CODE

   setspn -S HTTP/<otdsloadbalancer> <domain\service_account>
   setspn -S HTTP/<otdsloadbalancer.fqdn.com> <domain\service_account>

Troubleshooting

• Kerberos logging can be enabled by editing the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Registry Value: LogLevel

Value Type: REG_DWORD

Value Data: 0x1

If the Parameters subkey does not exist, create it.

• Further details at:https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging

• The logging events will show in the System event log, in the Windows event viewer.

• Ensure the SPNs have been replicated through the domain.

• Ensure that the OTDS server is running as the content server user account created above, and negotiate authentication is enabled within OTDS.

• Review the OTDS logs, otds.log, directory_access.log for any errors during authentication.

Shinydocs Search Setup for OpenText Content Server

1. Update Content Server Connector Settings

1. Navigate to the Application Settings menu.

2. Select Content Server Settings.

3. Update the Setup section:

   • Enter the Base URL of the Content Server instance (e.g., https://contentserver/otcs/cs.exe).

   • Enter the fully qualified domain name or IP address in OTDS Endpoint (e.g., https://otds-server:8443/otdsws).

   • Select the REST API version (typically Version 2).

   • Toggle the Enable Login Page option on.

4. Update the Navigation section as required:

   • Configure the behavior for Content Server item URLs:

     • Open Page (default).

     • Overview Page.

     • Properties Page.

5. Adjust the Performance section:

   • Update the Bulk Permission Check Size:

     • Default value: 25.

     • Increase if the system is fast.

     • Decrease if there is a lag in loading records after permission validation.

2. Enable Content Server Shortcuts

1. Open Content Server as an administrator.

2. Select Admin from the top navigation.

3. Navigate to Content Server Administration > Core System > Presentation > Configure Document Function.

4. [Recommended] Check Enable Document Overview Pages.

5. [Optional] Configure additional options based on organizational requirements.

6. Save changes.

For further details, refer to the embedded PDF for information on on-click behaviour for documents in OpenText Content Server.

Application_Note_-_On-click_behavior_for_documents_on_OpenText_Content_Server.pdf