Skip to content
This repository has been archived by the owner on Sep 11, 2020. It is now read-only.

GSAKerberosValidation

Jump to bottom
Will Angley edited this page Aug 30, 2014 · 3 revisions

Introduction

Diagnostics utility to help identify kerberos-related configuration/setup and serving issues for the Google Search Appliance (GSA).

It is assumed the GSA Admin ran through the kerberos IWA setup for the GSA (i.e, created an account, created a DNS name, ran ktpass)

Use this script if you run into issue activating IWA on the GSA or if you get prompted by the GSA while doing a secure search. This utility will not check to see if why certain secure results are not being shown; refer to the Help Center article Troubleshooting Kerberos setup and secure searches if you need to do that.

Details

System Requirements:

  • 32-bit Windows XP, Vista, Windows 7
  • MIT Kerberos Client installed at C:\program files\ such that klist exists at: c:\program files\mit\kerberos\bin\klist.exe

Download

Direct link: https://raw.githubusercontent.com/google/gsa-admin-toolkit/master/gsa_win_utility.hta

Usage

  • Download the gsa_win_toolkit.hta and save it to the desktop with the extension .hta. The users account running the script does not have to be an admin.
  • Right click on the file, select 'Properties'. If the security setting blocks execution, select "Unblock". Depending on your desktop system security, you may not have to do this step.
  • On launch, enter the following
    1. Fully qualified DNS A-Name of the GSA (eg gsa.yourdomain.com)
    2. User account for the GSA in active directory associated with the keytab. (omit the domain information. eg: just gsauser not DOMAIN\gsauser or gsauser@DOMAIN)
    3. Select the latest keytab
  • The utility will run through about 20+ individual tests comparing the keytab/DNS/AD entry, etc. Output in green is a pass, in red is an error that the tool detected in the confiuration.

Error Messages

On Launch, if you see "Safety settings on this computer prohibit a data source on another domain":

  1. Open Internet Explorer
  2. Go to Tools -> Internet Options
  3. Select the Security tab
  4. Select Internet from the list of web content zones
  5. Drag Level to Custom
  6. Enable "Access data sources across domains"
  7. Click all OK buttons to save and close all settings related pages
  8. Try running the diagnostic tool again

References

http://www.google.com/support/enterprise/static/gsa/docs/admin/72/gsa_doc_set/secure_search/secure_search_crwlsrv.html#1072773

http://web.mit.edu/Kerberos/dist/index.html

Clone this wiki locally