Step 2. Synchronize time

For Kerberos authentication to work correctly, the time on the proxy and on your Active Directory domain controllers MUST be synchronized. Do the following to set up time sync.

Note

You can use the Monitoring/Dashboard section in the Web UI to quickly check whether the Active Directory UTC time and the UTC time on your proxy box are synchronized. If the time difference is more than 5 minutes, the lines will be highlighted in RED. You need to fix synchronization issues before going further!

../../../_images/time63.png

Set correct Time Zone in Web Safety

The time zone on your proxy server MUST match the one your domain controllers are in. To set the correct time zone from the Admin UI of Web Safety on Ubuntu 16 (Debian 9), navigate to Admin UI / Dashboard / Time Zone, select your time zone from the drop-down list and click Save Settings. You will need to reboot the proxy from the console for these settings to take effect.

../../../_images/timezone23.png

Note

If you are setting up Active Directory integration on an operating system other than Ubuntu/Debian, you need to configure the time zone as indicated in the installation guide for that operating system.

Enable time sync with Active Directory and vSphere

When you run Web Safety as a virtual appliance in VMware vSphere, it is recommended to sync the time in the virtual appliance with the vSphere host, which in turn needs to be synced with the Active Directory domain controller (how to do that is usually known to any virtual admin).

The virtual appliance has OpenVM integration tools preinstalled, which make it easy to set up time sync between the guest VA and the VMware host.

../../../_images/va_tool_sync_time9.png

If you are running Web Safety on real hardware, it is recommended to set up an NTP server on the proxy box to sync with your domain controller. Please note that NTP cannot guarantee correct time sync when run within a virtual appliance, so use it only on real hardware.

To install the network time synchronization daemon, type $ sudo apt-get install ntp. Edit the /etc/ntp.conf file so that the list of NTP servers contains only dc1.example.lan, as indicated on the following screenshot.

../../../_images/ntp_pool9.png

Run the following commands to perform initial time synchronization.

$ sudo service ntp stop
$ sudo ntpdate -b dc1.example.lan
$ sudo service ntp start

The status of the active NTP server is shown by the $ ntpq -p command.

../../../_images/ntpq9.png
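
The check that the ntpq -p output is meant to support can be scripted. The following is an added example, not part of the Web Safety documentation: it assumes the standard ntpq -p column layout, a hypothetical function name check_ntp_peer, and constructed sample output, and it uses the 5-minute limit mentioned above as the default threshold.

```shell
#!/bin/sh
# Added example (not from the Web Safety docs). Reads `ntpq -p` output on
# stdin and verifies that the selected sync source is the expected domain
# controller and that its offset is inside the allowed clock skew.
# Real use on the proxy: ntpq -p | check_ntp_peer dc1.example.lan 300
# Exit codes: 0 ok, 1 no peer selected, 2 wrong peer, 3 offset too large.
check_ntp_peer() {
    expected="$1"            # the server listed in /etc/ntp.conf
    max_skew_s="${2:-300}"   # default: the 5-minute limit from this page
    awk -v want="$expected" -v max_s="$max_skew_s" '
        substr($1, 1, 1) == "*" {      # tally code "*" = current system peer
            found = 1
            peer = substr($1, 2)
            off_ms = $9 + 0            # 9th column: offset in milliseconds
            if (off_ms < 0) off_ms = -off_ms
            # ntpq -p truncates the remote name to 15 characters
            same = (peer == want) ||
                   (length(peer) == 15 && peer == substr(want, 1, 15))
            if (!same) {
                print "FAIL: synced to " peer ", expected " want; rc = 2
            } else if (off_ms > max_s * 1000) {
                print "FAIL: offset " $9 " ms is above " max_s " s"; rc = 3
            } else {
                print "OK: " peer ", offset " $9 " ms"; rc = 0
            }
        }
        END {
            if (!found) { print "FAIL: no peer selected yet"; rc = 1 }
            exit rc
        }'
}

# Constructed sample output (not captured from a real host).
NTPQ_HEADER='     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================='
SAMPLE_SYNCED="$NTPQ_HEADER
*dc1.example.lan .LOCL.           1 u   33   64  377    0.412   -1.237   0.095"
# Right after the daemon starts: server is listed but not selected yet.
SAMPLE_UNSYNCED="$NTPQ_HEADER
 dc1.example.lan .INIT.          16 u    -   64    0    0.000    0.000   0.000"

printf '%s\n' "$SAMPLE_SYNCED" | check_ntp_peer dc1.example.lan 300
```

A non-zero exit code makes the function usable in a cron job or monitoring probe that alerts before Kerberos logons start failing.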