In this article, I will cover the steps to install OMSS on Windows using Kerberos with Password. I will be using Active Directory as the LDAP store. You can also use OUD. If you want the steps without it, you can refer here.
For all OMSS related articles, refer here.
If you encounter any issues or need any help with OMSS or Identity Management, feel free to contact me on Sumit@OraWorld.co.uk
If you want to know when I have shared new blog posts for OMSS, you can Subscribe here.
So, let's get down to business.
a) Refer here for overview and download of software.
b) For this article, I will be using one server with good specs. On this machine, as a pre-req, I have installed Active Directory.
If you have Active Directory installed on a different machine, then obtain the IP address of the AD machine using ipconfig and add it to the hosts file at c:/windows/system32/drivers/etc.
DNS resolution should work from one machine to the other. Ping the domain name (in my case: owad.local) from the OMSS machine to verify this.
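The ping in the step above only proves that the name resolves. The following PowerShell, an added example and not part of the original post, is run on the OMSS machine and also checks the Kerberos and LDAP ports and the DC locator, which is what the wizard will actually need later. It assumes the domain owad.local from the post.

```powershell
# Added example (not from the original post): verify AD reachability from the
# OMSS machine before running the setup wizard. Assumes domain owad.local.
$domain = 'owad.local'

# 1. Name resolution: the domain name must resolve to a DC address, either
#    through DNS or through the hosts-file entry described above.
Resolve-DnsName -Name $domain -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress

# 2. DCs are advertised through SRV records. A hosts-file entry cannot supply
#    these, so this only succeeds when the machine uses the AD DNS server.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { $srv | Select-Object NameTarget, Port } else { Write-Warning "No SRV records for $domain (hosts-file only?)" }

# 3. Port reachability: 88 Kerberos, 389 LDAP, 636 LDAPS.
#    636 is the one that matters once 'Use SSL' is selected for production.
$ports = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 636 = 'LDAPS' }
foreach ($p in $ports.Keys) {
    $ok = (Test-NetConnection -ComputerName $domain -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-9} {1,4} {2}' -f $ports[$p], $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 4. DC locator check (built into Windows): this is the lookup the OS itself
#    performs for Kerberos, so a failure here predicts the wizard's
#    "User ID or password is wrong" error even when the password is correct.
nltest /dsgetdc:$domain
```

A BLOCKED line for 88 or 389 points at a firewall between the two machines rather than at the account details entered in the wizard.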
c) Create users and groups. As a pre-req we need to create a few users and groups in AD that will be used later.
a) Start > Administrative Tools > Server Manager > Roles > Active Directory Domain Services > Active Directory Users and Computers > owad.local > Users.
b) Create four groups named control, sysadmin, companyadmin and helpdesk.
c) Add to the control group.
d) Perform similar operations for helpdeskuser and add them to the helpdesk groups respectively.
d) Now, run the setup configuration wizard to install OMSS. Double-click the OMSS188.8.131.52.4549 application from the OMSS-3.0.1 > Servers > Windows directory and follow the screenshots.
On the MSAC screen, enter the Company Name and add the Company logo image.
Select LDAP Directory Group Sync. If this is not selected, the MSAC admin will be allowed to create groups/users, and those will be stored in the local database (and not in OUD/AD). We have covered this in this article.
If this is selected (as shown above), OMSS can identify the source of the users/groups in AD/OUD (the control group along with the sysadmin, companyadmin and helpdesk groups). These users/groups will be synchronized from AD/OUD into OMSS and will appear within the Users/Groups tabs in MSAC.
The master server is the one where the scheduled tasks that do background database updating are run. You should only run the scheduled tasks on a single server (called the master server). Verify that "This is master server" is selected and select AD. Click Next.
e) From this step on, things might be slightly different. On the Mobile Security Administrative Console screen, enter the Windows account name and password that will be used to run the MSAC service. Click
Make sure this user exists in Active Directory before entering the user details on this screen. The username must be in either SAM or UPN format, otherwise you may get the error below.
If you encounter the error below ("User ID or password is wrong"), make sure connectivity between the OMSS machine and the AD machine is well established.
On the LDAP Directory Group Sync screen, enter the Domain Name and the Control Group (this group should already exist in AD). All the users whose devices need to be protected by OMSS must be members of the control group. Click
The control group can be any type of Windows group (Global, Local, or Universal). The control group can contain users or groups, and groups can be nested. As long as a user's group membership resolves with at least one group underneath the control group, they will be allowed to register their device with the Mobile Security Access Server solution. The control group has to be pre-created in LDAP.
Use SSL for PRODUCTION. In my case I am de-selecting it and updating the ports accordingly.
g) Now create an AD read-only user: omssrouser
Now, enter the above details on the LDAP Directory Group Sync screen.
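The groups and users from step c, the nested-group rule for the control group described above, and the omssrouser account from step g can all be scripted and then verified. The following is an added example, not code from the original post: it runs with the ActiveDirectory module on a DC or RSAT host for owad.local; helpdeskuser and the default Users container path are placeholders, and omssrouser is assumed to be a plain domain user whose default directory read rights are what "read-only" means here.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module, domain owad.local, and Domain Admin rights to create objects.
Import-Module ActiveDirectory

$domain  = 'owad.local'
$usersOu = 'CN=Users,DC=owad,DC=local'   # default Users container (placeholder)
$groups  = 'control', 'sysadmin', 'companyadmin', 'helpdesk'

foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        # The post allows Global, Local or Universal scope; Global is used here.
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $usersOu
    }
}

# Nest helpdesk under control: members of helpdesk then resolve beneath the
# control group and may register devices, exactly as the post describes.
Add-ADGroupMember -Identity 'control' -Members 'helpdesk'

# Constructed sample accounts. omssrouser is the LDAP sync bind account from
# step g and is deliberately left out of every OMSS group.
$users = @{ 'helpdeskuser' = 'helpdesk'; 'omssrouser' = $null }
foreach ($u in $users.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$domain" `
            -Path $usersOu -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Password for $u")
    }
    if ($users[$u]) { Add-ADGroupMember -Identity $users[$u] -Members $u }
}

# Verification: returns $true when the user resolves under control, directly
# or through any nesting depth, which is the condition OMSS applies.
function Test-ControlMembership {
    param([string]$SamAccountName)
    $resolved = Get-ADGroupMember -Identity 'control' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
    return ($resolved -contains $SamAccountName)
}
Test-ControlMembership 'helpdeskuser'   # resolves via helpdesk -> control
Test-ControlMembership 'omssrouser'     # sync account, not a device user
```

Both user names are entered in SAM form here; the UPN "$u@$domain" set on each account is what the wizard accepts in the alternative format mentioned in step e.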
h) In this step, enter the groups that were created in step c.
Help Desk: Views Dashboard, Containers, Groups, Users, Catalog, and Policies. Can edit only Containers. Can invite users, but not groups. Helpdesk users can log in to MSAC to troubleshoot helpdesk tickets/calls.
Company Admin: Views everything, cannot make a company or system administrative user. Can invite users and groups. Can update Catalog, Settings and Policies. Restricted to one company ID.
System Admin: Views and edits everything. Can access all company IDs.
These groups contain users with the default set of privileges set by the installer. You can see these groups in the Administrative Console.
sysadmin has more privileges than companyadmin, which has more privileges than helpdesk. When you log in to the Administrative Console you will see certain fields/operations enabled or disabled depending on which group the logged-in user belongs to. The privileges of these groups are set in the database.
Users who are members of any of these three groups (helpdesk) do not necessarily have to be members of the
On the MSAC Access Credential Information screen, enter the Administrator username and password along with the Control panel service username and password. The user msacadmin is the super user of MSAC.
Control panel service account: the Control Panel service account is used to access the REST API exposed by MSAC. These account details are given to MSAS, so that whenever mobile devices want to access any REST endpoint, they first authenticate themselves against MSAS and then MSAS talks to MSAC on behalf of the mobile device. This is the account used by MSAS to connect to MSAC.
This should not be done in production. This certificate will need to be installed on the device to trust MSAS. For a self-signed certificate, MSAC and MSAS must be installed on the same machine.
k) Click on Install
During the installation process, an error is thrown stating that "OMSS service cannot be started". This is expected. Click
l) Select to restart later and browse to the OMSS service.
All Programs > Administrative Tools > Services or
Right-click the OMSS service and select Log On. Reset the password for email@example.com to the same password value you set during the installation.
Now right-click and start the OMSS service.
Restart the server now.
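The same Log On reset and service start can be done from PowerShell, which is useful when the server is managed remotely. This is an added example and not part of the original post; the service name OMSS and the account OWAD\omsssvc are placeholders for the values in your install, and the password is prompted for rather than stored in the script.

```powershell
# Added example (not from the original post). Service name and account are
# placeholders; replace them with the values from your installation.
$serviceName = 'OMSS'
$cred  = Get-Credential -UserName 'OWAD\omsssvc' -Message 'Service account entered in the wizard'
$plain = $cred.GetNetworkCredential().Password   # held in memory only for the CIM call

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }

# Win32_Service.Change sets the logon account and password. Unlike the Services
# console it does not grant 'Log on as a service' to the account, so if the
# service later fails to start with a logon failure, grant that right first.
$r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $plain
}
$plain = $null
if ($r.ReturnValue -ne 0) { throw "Change failed with return code $($r.ReturnValue)" }

# Start the service (step l) and confirm the logon identity actually changed.
Start-Service -Name $serviceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State, StartMode
```

If State stays Stopped, the System event log on this server records the reason (wrong password versus missing logon right) before you restart the machine.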
l) Let's verify the installation of OMSS.
Access the MSAC Dashboard using the msacadmin user.
Notice the company logo in the top left. The Dashboard captures information on containers, groups, users, catalog and policies.
The Active Directory settings can be viewed from the LDAP settings tab.
Observe the different settings that we chose while installing.
The server settings for the Notification Server can be viewed from the Notifications settings tab.
Open and view the following URL.