Configure Windows desktop single sign-on
Several configuration tasks must be completed to implement Windows desktop single sign-on using Kerberos authentication for WebSEAL on the appliance.
For troubleshooting information, see Troubleshoot for Windows desktop single sign-on.
To configure WebSEAL on the appliance for SPNEGO authentication, complete each of the following tasks:
- Configure the embedded Kerberos client
  We must configure the Kerberos client that is embedded in ISAM.
- Create an identity for WebSEAL in an Active Directory domain
  To participate in a Kerberos exchange with a browser, a WebSEAL server needs an identity in the Active Directory Kerberos domain.
- Map a Kerberos principal to an Active Directory user
  We must map a Kerberos principal to the Active Directory user representing the WebSEAL instance.
- Verify the authentication of the web server principal
  Verify the authentication of the web server principal to the KDC.
- Verify WebSEAL authentication with the keytab file
  Ensure that WebSEAL can use the generated keytab file to authenticate to the KDC.
- Add service name and keytab file entries
  We must configure the Kerberos service name and the name of the keytab file.
- Enable SPNEGO for WebSEAL
  We must configure WebSEAL to enable SPNEGO.
- Remove cached tokens from the Windows client
  For SPNEGO to work correctly, we must remove any cached Kerberos tokens from the Windows client. When a client contains cached Active Directory credentials, SPNEGO might not work correctly on the client until it obtains the new credentials.
- Configure the Internet Explorer client
  If we use Internet Explorer, configure the browser to use the SPNEGO protocol.
- Troubleshoot for Windows desktop single sign-on