The Windows Desktop SSO Authentication module is a Kerberos-based authentication plug-in module used with Windows 2000™. It allows a user who has already authenticated to a Kerberos Key Distribution Center (KDC) to authenticate to Access Manager without re-submitting the login credentials (Single Sign-on).
The user presents the Kerberos token to Access Manager through the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) protocol. To perform Kerberos-based Single Sign-on to Access Manager through this authentication module, the client must support the SPNEGO protocol to authenticate itself. In general, any client that supports this protocol should be able to use this module to authenticate to Access Manager. Depending on the availability of the token on the client side, this module accepts either a SPNEGO token or a Kerberos token (in both cases, the protocols are the same). Microsoft Internet Explorer (5.01 or later) running on Windows 2000 (or later) currently supports this protocol. In addition, Mozilla 1.4 on Solaris (9 and 10) has SPNEGO support, but the token returned is only a Kerberos token, because SPNEGO is not supported on Solaris.
You must use JDK 1.4 or above to utilize the new features of the Kerberos V5 authentication module and the Java GSS API, which this SPNEGO module relies on to perform Kerberos-based SSO.
If you are using Microsoft Internet Explorer 6.x for WindowsDesktopSSO authentication and the browser does not have access to a Kerberos/SPNEGO token for the user that matches the KDC realm configured in the WindowsDesktopSSO module, the browser will behave incorrectly toward other modules after it fails authentication to the WindowsDesktopSSO module. The direct cause of the problem is that after Internet Explorer fails the WindowsDesktopSSO module, the browser becomes incapable of passing callbacks (of other modules) to Access Manager, even when the callbacks are prompted, until the browser is restarted. Therefore all modules that come after WindowsDesktopSSO will fail because of null user credentials.
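When the module rejects a client, the first question is what the browser actually put in its Authorization: Negotiate header: a SPNEGO NegTokenInit (and which mechanisms it offers), the raw Kerberos V5 token the page describes for Mozilla on Solaris, or an NTLM fallback, which is what a browser sends when it has no Kerberos ticket for the configured realm. The following is an added example, not code from Access Manager or from this page. It decodes only the GSS-API framing needed to classify the header; the three sample headers are constructed for the demo, and the inner mechToken bytes are a placeholder, not a real AP-REQ.

```python
"""Classify the token in an Authorization: Negotiate header.

Added example, not Access Manager code. Sample tokens are constructed
here; the mechToken payload is placeholder bytes, not a real AP-REQ."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    SPNEGO_OID: "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der(tag, payload):
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _tlv(data, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    return tag, data[pos:pos + n], pos + n


def _oid_encode(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]          # last group carries no continuation bit
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def _oid_decode(b):
    """DER OID value bytes -> dotted string."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def gss_token(mech_oid, inner):
    """GSS-API InitialContextToken: [APPLICATION 0] { mech OID, inner }."""
    return _der(0x60, _oid_encode(mech_oid) + inner)


def build_spnego_init(mech_oids, mech_token):
    """SPNEGO NegTokenInit offering mech_oids, with mech_token for the first."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid_encode(o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    return gss_token(SPNEGO_OID, _der(0xA0, _der(0x30, mech_types + token)))


def classify_negotiate(header_value):
    """Return {'kind': ..., 'mechs': [...]} for an Authorization header value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):   # browser had no ticket and fell back
        return {"kind": "NTLM", "mechs": []}
    tag, body, _ = _tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = _tlv(body, 0)
    mech = _oid_decode(oid)
    if mech != SPNEGO_OID:                  # e.g. raw Kerberos V5 from Mozilla/Solaris
        return {"kind": MECH_NAMES.get(mech, mech), "mechs": []}
    _, neg_init, _ = _tlv(body, pos)        # [0] NegTokenInit
    _, seq, _ = _tlv(neg_init, 0)           # SEQUENCE
    _, mech_types, _ = _tlv(seq, 0)         # [0] mechTypes
    _, oid_list, _ = _tlv(mech_types, 0)    # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oid_list):
        _, o, p = _tlv(oid_list, p)
        mechs.append(MECH_NAMES.get(_oid_decode(o), _oid_decode(o)))
    return {"kind": "SPNEGO", "mechs": mechs}


# Constructed sample headers (the AP-REQ is a placeholder, not a real ticket).
FAKE_APREQ = b"<constructed AP-REQ placeholder>"
SAMPLES = {
    "ie_with_ticket": "Negotiate " + base64.b64encode(build_spnego_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
        FAKE_APREQ)).decode(),
    "raw_kerberos": "Negotiate " + base64.b64encode(
        gss_token("1.2.840.113554.1.2.2", FAKE_APREQ)).decode(),
    "ntlm_fallback": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_negotiate(header))
```

An NTLM result (or a SPNEGO list that offers NTLMSSP only) is the client-side symptom to chase: the browser has no ticket for the realm in the module's configuration, so the next step is the keytab and realm settings, not the module itself.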
See the following documentation for related information:
Enabling Windows Desktop SSO Authentication is a two-step process:
Create a user in the Windows 2000 domain controller.
Set up Internet Explorer.
In the domain controller, create a user account for the Access Manager authentication module.
Associate the user account with a service provider name and export the keytab files to the system in which Access Manager is installed. To do so, run the following commands:
ktpass -princ host/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.host.keytab
ktpass -princ HTTP/hostname.domainname@DCDOMAIN -pass password -mapuser userName -out hostname.HTTP.keytab
The ktpass command accepts the following parameters:
hostname. The host name (without the domain name) on which Access Manager runs.
domainname. The Access Manager domain name.
DCDOMAIN. The domain name of the domain controller. This may be different from the Access Manager domain name.
password. The password of the user account. Make sure that the password is correct, as ktpass does not verify passwords.
userName. The user account ID. This should be the same as hostname.
Make sure that both keytab files are kept secure.
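Because ktpass does not verify the password and the exported keytab is the only thing the module has to decrypt service tickets, it pays to inspect the file before configuring the module with it: is the expected service principal actually inside, under the right realm, and is the file readable only by its owner? The following is an added example, not Access Manager code. It reads the MIT keytab format directly (version 0x0502, big-endian, the format ktpass -out and klist -k both use), so it needs no Kerberos libraries; the keytab it writes for the demo carries constructed key bytes, not real keys, and the principal name is the one from the service template above.

```python
"""Inspect a keytab before handing it to the WindowsDesktopSSO module.

Added example, not Access Manager code. Parses the MIT keytab format
(0x0502) directly; demo keys are constructed bytes, not real keys."""
import os
import stat
import struct
import tempfile

SPNEGO_PRINCIPAL = "HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM"  # from the template
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(b):
    """uint16 length-prefixed octet string."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)            # keyblock
        body += struct.pack(">I", kvno)                                # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of entries; keys are not exposed, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno; non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key)})
    return entries


def check_keytab(path, expected_principal):
    """Return (ok, problems, matching_entries) for a keytab on disk."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %s lets group/other read the keytab" % oct(mode))
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    matches = [e for e in entries if e["principal"] == expected_principal]
    if not matches:
        problems.append("%s not found; keytab holds %s"
                        % (expected_principal, sorted(e["principal"] for e in entries)))
    return not problems, problems, matches


def demo():
    """Write a constructed keytab, check it world-readable and then owner-only."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "machine1.HTTP.keytab")
        with open(path, "wb") as f:
            f.write(build_keytab([(SPNEGO_PRINCIPAL, 3, 23, b"\x11" * 16)]))
        os.chmod(path, 0o644)
        insecure = check_keytab(path, SPNEGO_PRINCIPAL)
        os.chmod(path, 0o600)
        secure = check_keytab(path, SPNEGO_PRINCIPAL)
    return insecure[0], secure[0]


if __name__ == "__main__":
    print(demo())
```

Run it against the exported file (for example check_keytab("/tmp/machine1.HTTP.keytab", "HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM")) before restarting the server; a missing principal or a wrong realm here explains a failing module far faster than reading the browser's behaviour does. Note that a present principal still says nothing about whether the key matches the account's password, which is the check ktpass itself does not perform.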
The service template values should be similar to the following example:
Service Principal: HTTP/machine1.EXAMPLE.COM@ISQA.EXAMPLE.COM
Keytab File Name: /tmp/machine1.HTTP.keytab
Kerberos Realm: ISQA.EXAMPLE.COM
Kerberos Server Name: machine2.EXAMPLE.com
Return Principal with Domain Name: false
Authentication Level: 22
Restart the server.
These steps apply to Microsoft Internet Explorer™ 6 and later. If you are using an earlier version, make sure that Access Manager is in the browser’s internet zone and enable Native Windows Authentication.
In the Tools menu, go to Internet Options > Advanced > Security.
Select the Integrated Windows Authentication option.
Go to Security > Local intranet.