Sun OpenSSO Enterprise 8.0 Administration Reference

Windows Desktop SSO

This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to OpenSSO Enterprise through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with OpenSSO Enterprise without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:

Service Principal

Specifies the Kerberos principal that is used for authentication. Use the following format:


hostname and domainame represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possibly different from the domain name of the OpenSSO Enterprise.

Keytab File Name

This attribute specifies the Kerberos keytab file that is used for authentication and takes the absolute path to the keytab file.

Kerberos Realm

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the OpenSSO Enterprise domain name.

Kerberos Server Name

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Return Principal with Domain Name

If enabled, this attributes allows OpenSSO Enterprise to automatically return the Kerberos principal with the domain controller's domain name during authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.