Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Procedure: To Configure the OpenSSO Enterprise Windows Desktop SSO Authentication Module

  1. Copy the keytab files you created in the section To Configure a UNIX Kerberos Domain Controller or the section To Configure Windows Active Directory and Domain Controller.

    Place the copied files in the OpenSSO Enterprise host, in a directory such as /etc/opt/SUNWam/config.

  2. Log into the OpenSSO Enterprise administration console as amadmin.

  3. Go to Access Control > Default Realm > Authentication.

  4. In the Module Instances page, click New.

  5. Enter a name for the new login module, and then select Windows Desktop SSO. Click OK.

  6. In the Module Instances page, click the name of the new login module and provide the following information:

    Service Principal

    HTTP/openSSOhost.example.com@EXAMPLE.COM

    Keytab File Name

    /etc/opt/SUNWam/config/openSSOhost.HTTP.keytab

    Kerberos Realm

    OPENSSOHOST.EXAMPLE.COM

    Kerberos Server Name

    Kerberos.example.com

    If multiple Kerberos Domain Controllers exist for failover purposes, all Kerberos Domain Controllers can be set using a colon (:) as the separator.

    Return Principal with Domain Name

    False

    Authentication Level

    0

  7. Restart the OpenSSO Enterprise server.

    • If OpenSSO Enterprise is deployed on IBM WebSphere, the Keytab File Name has to be specified in FILE:// format. Example: FILE:///etc/opt/SUNWam/config/openSSOhost.HTTP.keytab.

    • If OpenSSO Enterprise is deployed on IBM WebSphere, the keytab file has to use the DES-CBC-MD5 crypto option.

    After restarting the server, the administrator can access the module with a browser pointing to this URL: http://openSSOhost.example.com/amserver/UI/Login?module=WinSSO (where WinSSO is the name given to the module instance in step 5). The browser should no longer prompt the user for a user ID and password.
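Before restarting the server in step 7, it is worth confirming that the keytab copied in step 1 actually contains the Service Principal entered in step 6, with an encryption type the container accepts, since a missing principal or a wrong enctype is a common reason the browser still prompts for credentials. The following Python example is added here and is not part of this guide or of OpenSSO Enterprise: it parses the common MIT-format keytab (file version 0x0502) and performs that check against a sample keytab constructed inline with a dummy all-zero key; the enctype numbers come from the RFC 3961 registry.

```python
import struct
DES_CBC_MD5, RC4_HMAC = 3, 23  # RFC 3961 enctype numbers; WebSphere needs the former
SERVICE_PRINCIPAL = "HTTP/openSSOhost.example.com@EXAMPLE.COM"  # value from step 6

def _cs(s):  # keytab counted string: 16-bit big-endian length, then UTF-8 bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def _read_cs(buf, pos):  # inverse of _cs; returns (text, position after it)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def make_entry(principal, enctype, key, kvno=1):  # builds constructed sample entries
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(map(_cs, comps))
    # name_type 1 = NT_PRINCIPAL, timestamp 0, 8-bit kvno, enctype, key length, key
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size >= 0:  # a negative size marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _read_cs(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _read_cs(data, pos)
                comps.append(comp)
            _nt, _ts, kvno, enctype, _klen = struct.unpack_from(">IIBHH", data, pos)
            entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        pos = end  # also skips the key bytes and any trailing 32-bit kvno field
    return entries

def check_service_principal(data, principal, websphere=False):
    """Problems that would make the Windows Desktop SSO module fail at login."""
    enctypes = {e for p, e, _ in parse_keytab(data) if p == principal}
    if not enctypes:
        return ["%s is not in the keytab" % principal]
    if websphere and DES_CBC_MD5 not in enctypes:
        return ["WebSphere needs a DES-CBC-MD5 key for %s" % principal]
    return []

# Constructed sample keytab holding a dummy all-zero key, not a real credential.
SAMPLE_KEYTAB = b"\x05\x02" + make_entry(SERVICE_PRINCIPAL, RC4_HMAC, b"\x00" * 16, 2)
```

Against a real deployment, call check_service_principal(open(keytab_path, "rb").read(), principal, websphere=True) with the Keytab File Name and Service Principal from step 6; an empty list means the keytab is consistent with the module configuration.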