Sun Java System Access Manager 7 2005Q4 Administration Guide

Windows Desktop SSO

The Windows Desktop SSO Authentication module is a Kerberos-based authentication plug-in module used for Windows 2000™. It allows a user who has already authenticated to a Kerberos Distribution Center (KDC) to authenticate to Access Manager without re-submitting the login criteria (Single Sign-on).

The user presents the Kerberos token to the Access Manager through the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) protocol. In order to perform Kerberos-based Single Sign-on to Access Manager through this authentication module, the user must, on the client side, support the SPNEGO protocol to authenticate itself. In general, any user that supports this protocol should be able to use this module to authenticate to Access Manager. Depending on the availability of the token on the client side, this module provides a SPENGO token or a Kerberos token (in both cases, the protocols are the same). Microsoft Internet Explorer (5.01 or later) running on Windows 2000 (or later) currently supports this protocol. In addition, Mozilla 1.4 on Solaris (9 and 10) has SPNEGO support, but the token returned is only a KERBEROS token, because SPNEGO is not supported on Solaris.

Note –

You must use JDK 1.4 or above to utilize the new features of Kerberos V5 authentication module and Java GSS API to perform Kerberos based SSO in this SPNEGO module.

Known Restriction with Internet Explorer

If you are using Microsoft Internet Explorer 6.x when for WindowsDesktopSSO authentication and the browser does not have access to the user’s Kerberos/SPNEGO token that matches the (KDC) realm configured in the WindowsDesktopSSO module, the browser will behave incorrectly to other modules after it fails authenticating to the WindowsDesktopSSO module. The direct cause of the problem is that after Internet Explorer fails the WindowsDesktopSSO module, the browser becomes incapable of passing callbacks (of other modules) to Access Manager, even if the callbacks are prompted, until the browser is restarted. Therefore all the modules coming after WindowsDesktopSSO will fail due to null user credentials.

See the following documentation for related information:;en-us;308074

Configuring Windows Desktop SSO

Enabling Windows Desktop SSO Authentication is a two-step process:

  1. Create a User in the Windows 2000 Domain Controller.

  2. Setup Internet Explorer.

ProcedureTo Create a User in the Windows 2000 Domain Controller

  1. In the domain controller, create a user account for the Access Manager authentication module.

    1. From the Start menu, go to Programs>Administration Tools.

    2. Select Active Directory Users and Computers.

    3. Create a new user with the Access Manager host name as the User ID (login name). The Access Manager host name should not include the domain name.

  2. Associate the user account with a service provider name and export the keytab files to the system in which Access Manager is installed. To do so, run the following commands:

    ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName-out
    ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass 
    password -mapuser userName-out hostname

    The ktpass command accepts the following parameters:

    hostname. The host name (without the domain name) on which Access Manager runs.

    domainname . The Access Manager domain name.

    DCDOMAIN. The domain name of the domain controller. This may be different from the Access Manager domain name.

    password . The password of the user account. Make sure that password is correct, as ktpass does not verify passwords.

    userName. The user account ID. This should be the same as hostname.

    Note –

    Make sure that both keytab files are kept secure.

    The service template values should be similar to the following example:

    Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM

    Keytab File Name: /tmp/machine1.HTTP.keytab

    Kerberos Realm: ISQA.EXAMPLE.COM

    Kerberos Server Name:

    Return Principal with Domain Name: false

    Authentication Level: 22

  3. Restart the server.

ProcedureTo Set Up Internet Explorer

These steps apply to Microsoft Internet Explorer™ 6 and later. If you are using an earlier version, make sure that Access Manager is in the browser’s internet zone and enable Native Windows Authentication.

  1. In the Tool menu, go to Internet Options>Advanced/Security>Security.

  2. Select the Integrated Windows Authentication option.

  3. Go to Security>Local Internet.

    1. Select Custom Level. In the User Authentication/Logon panel, select the Automatic Logon Only in Intranet Zone option.

    2. Go to Sites and select all of the options.

    3. Click Advanced and add the Access Manager to the local zone (if it is not added already).