A Configuring EDQ to support Windows Integrated Authentication (Kerberos)

The appendix contains information on configuring EDQ to work with Kerberos and Active Directory.

An integration of EDQ with Active Directory using login.properties (see Configuring External User Management (LDAP) directly with EDQ) can be configured to support single sign on - SSO - in which the user logs into Windows and then does not need to log again into EDQ. This is supported on both WebLogic and Tomcat.

To enable SSO, the EDQ server must be set up to enable Kerberos authentication from the client PC. This authentication is achieved using the standard GSSAPI token exchange mechanism (RFC 4121). The client contacts the domain controller (DC) to request access to a service provided by the server application. The response from the DC is encoded into a token sent to the server by the client. The server validates this token and generates another token to send to the client. The token exchange can continue until client and server have established a secure context. In practice this exchange never requires more than one token in either direction.

At start up time the server application sets up 'accept' credentials which it uses to initialize its half of the security context.