Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

ProcedureTo Configure the OpenSSO Enterprise Windows Desktop SSO Authentication Module

  1. Copy the keytab files you created in the sectionTo Configure a UNIX Kerberos Domain Controller or the section To Configure Windows Active Directory and Domain Controller.

    Place the copied files in the OpenSSO Enterprise host, in a directory such as /etc/opt/SUNWam/config.

  2. Log into the OpenSSO Enterprise administration console as amadmin.

  3. Go to Access Control > Default Realm > Authentication.

  4. In the Module Instances page, click New.

  5. Enter a name for the new login module, and then select Windows Desktop SSO. Click OK.

  6. In the Module Instances page, click the name of the new login module and provide the following information:

    Service Principal


    Keytab File Name


    Kerberos Realm


    Kerberos Server Name

    If multiple Kerberos Domain Controllers exist for failover purposes, all Kerberos Domain Controllers can be set using a colon (:) as the separator.

    Return Principal with Domain Name


    Authentication Level


  7. Restart the OpenSSO Enterprise server.

    • If OpenSSO Enterprise is deployed on IBM Websphere, then Keytab File Name has to be specified in FILE:// format. Example: FILE:///etc/opt/SUNWam/config/openSSOhost.HTTP.keytab.

    • If OpenSSO Enterprise is deployed on IBM Websphere, the keytab file has to use the DES-CBC-MD5 crypto option. After restarting the server, the administrator can access the module with a browser pointing to this URL: browser should no longer prompt the user for userid and password.