Sun Java System Federation Manager 7.0 User's Guide

Windows Desktop SSO

This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to Federation Manager through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with Federation Manager without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:

Service Principal

Specifies the Kerberos principal that is used for authentication. Use the following format:


hostname and domainname represent the host name and domain name of the Federation Manager instance. dc-domain-name is the Kerberos domain in which the Windows 2000 Kerberos server (domain controller) resides. It is possibly different from the domain name of Federation Manager.

Keytab File Name

This attribute specifies the Kerberos keytab file that is used for authentication. Use the following format, although the format is not required:


hostname is the host name of the Federation Manager instance.

Kerberos Realm

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending up on your configuration, the domain name of the domain controller may be different than the Federation Manager domain name.

Kerberos Server Name

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Return Principal with Domain Name

If enabled, this attributes allows Federation Manager to automatically return the Kerberos principal with the domain controller's domain name during authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.