The following figure illustrates a basic deployment architecture that includes the OpenSSO Windows Desktop SSO Authentication module.
An OpenSSO Windows Desktop SSO Authentication deployment includes the following components:
The Windows Domain Controller contains configuration information for the Windows XP workstation and the workstation users. If the configured domain user authenticates to the domain with the proper user principal and credentials, the Windows Domain Controller generates a Kerberos ticket-granting ticket (TGT) and sends it to the authenticated user account.
When the user accesses a resource that is protected by authentication, an Authenticate:Negotiate response is sent to the browser. The browser uses the TGT that was generated at authentication time to obtain a Kerberos service ticket. This Kerberos service ticket can be validated by the OpenSSO Enterprise server.
Contains user profile information.
The OpenSSO Windows Desktop SSO Authentication module is a server-side SPNEGO implementation that uses the Java GSS-API to process a Kerberos token sent by a SPNEGO-supported browser.
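The server side of the exchange described above, written against the Java GSS-API as an added example (this is not OpenSSO source code). The class name NegotiateAcceptor and its method are hypothetical, and the code assumes the JVM already has a Kerberos/JAAS configuration that supplies the service principal's keytab for acceptor credentials.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added illustration: hypothetical class, not part of OpenSSO.
public final class NegotiateAcceptor {
    private static final String SCHEME = "Negotiate ";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    // NTLM messages start with this signature; they carry no Kerberos ticket.
    private static final byte[] NTLM_MAGIC =
            "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /**
     * Returns the authenticated Kerberos principal, or null when the caller
     * must answer 401 with a "WWW-Authenticate: Negotiate" header.
     */
    public static String authenticate(String authorization) throws GSSException {
        if (authorization == null
                || !authorization.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null; // no token yet: challenge the browser
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorization.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as "not authenticated"
        }
        if (token.length == 0 || (token.length >= NTLM_MAGIC.length
                && Arrays.equals(Arrays.copyOf(token, NTLM_MAGIC.length), NTLM_MAGIC))) {
            return null; // browser fell back to NTLM instead of sending a service ticket
        }
        GSSManager manager = GSSManager.getInstance();
        // Acceptor-only credential taken from the configured service keytab (assumption).
        GSSCredential cred = manager.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(cred);
        try {
            ctx.acceptSecContext(token, 0, token.length); // validates the service ticket
            return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }
}
```

A GSSException from acceptSecContext (expired ticket, wrong service principal, clock skew) should be logged and treated as a failed authentication, not retried silently.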
The following figure illustrates a typical process flow for Kerberos authentication using the Windows Desktop SSO Authentication module.