Kerberos authentication limitations
Some WebSEAL features are not supported with Kerberos authentication.
When Kerberos authentication is in use, the following limitations apply:
- POP-based or session-timer-based reauthentication of Kerberos-authenticated clients is not supported.
- Using the pkmspasswd command to change a password is not supported.
- Clients that are currently authenticated with SPNEGO cannot log out of WebSEAL; they must log out from the workstation instead. Clients that access any of the WebSEAL pkms command pages, other than the switch user page, receive the PKMS help page.
- Reauthentication when the inactive session timer expires is not supported for SPNEGO clients.
Instead, the user's session cache entry is deleted and the SPNEGO token in the Authorization header of the client's next request is used to authenticate the client again. The client is not prompted to log in again, but it receives a new session cache entry rather than keeping the old one.
- WebSEAL does not support reauthentication when a user accesses an object that has a reauthentication policy attached.
In this case, access is denied and the user receives a message stating that reauthentication is required.
- Microsoft NT LAN Manager (NTLM) authentication is not supported.
- Using the alternate user principal name (UPN) format is not supported.
The default format for the userPrincipalName attribute in Active Directory is user_shortname@domain, where domain is the Active Directory domain in which the user was created.
For example, a user that is created in the Active Directory domain child.domain.com might have a UPN of user@child.domain.com. However, a user can also be created with an alternate UPN format, also called the e-mail format, in which the UPN suffix need not be the actual Active Directory domain name. For example, a user with the UPN user@domain.com can be created in the child.domain.com Active Directory domain.
Security Verify Access Kerberos authentication only supports the default format of the userPrincipalName attribute as the Active Directory user identity. The alternate UPN format is not supported when Kerberos authentication is used.
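The following audit script is an added example and is not part of the Security Verify Access documentation or product. It applies the rule above to a set of Active Directory user records: a UPN is in the default format only when its suffix equals the DNS name of the domain the user object lives in, which the script derives from the DC= components of the user's distinguishedName. The records are constructed sample data; in practice they would come from an LDAP or Get-ADUser query, and users with no UPN at all are reported as well because they cannot match the default format.

```python
"""Audit AD user records for UPNs that WebSEAL Kerberos authentication cannot use.

The default userPrincipalName is <shortname>@<AD DNS domain>, where the domain
is the Active Directory domain that the user object was created in. A UPN
whose suffix differs from that domain is the alternate (e-mail) format, which
Security Verify Access Kerberos authentication does not support.

Added example; the user records below are constructed, not real directory data.
"""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AdUser:
    sam_account_name: str
    user_principal_name: Optional[str]
    distinguished_name: str


def domain_from_dn(dn: str) -> str:
    """Return the DNS domain name encoded in the DC= components of a DN.

    'CN=Alice Example,OU=Staff,DC=child,DC=domain,DC=com' -> 'child.domain.com'.
    Commas escaped with a backslash inside an RDN value are not treated as
    separators, and the result is lower-cased because DNS names are
    case-insensitive.
    """
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    dcs = [r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(dcs).lower()


def is_default_upn(user: AdUser) -> bool:
    """True when the UPN suffix is the DNS domain of the user's own AD domain.

    A missing or malformed UPN cannot be the default format, so it returns
    False and the caller reports the user.
    """
    upn = user.user_principal_name
    if not upn or "@" not in upn:
        return False
    suffix = upn.rsplit("@", 1)[1].lower()
    return suffix == domain_from_dn(user.distinguished_name)


def find_unsupported_upns(users: List[AdUser]) -> List[str]:
    """Return the sAMAccountNames of users whose UPN WebSEAL cannot use."""
    return [u.sam_account_name for u in users if not is_default_upn(u)]


# Constructed sample records: all four objects live in child.domain.com.
SAMPLE_USERS = [
    # default format: suffix matches the domain the object is in
    AdUser("alice", "alice@child.domain.com",
           "CN=Alice Example,OU=Staff,DC=child,DC=domain,DC=com"),
    # alternate (e-mail) format: suffix is the parent domain, not child.domain.com
    AdUser("bob", "bob@domain.com",
           "CN=Bob Example,OU=Staff,DC=child,DC=domain,DC=com"),
    # default format written in mixed case; DNS names compare case-insensitively
    AdUser("carol", "carol@Child.Domain.Com",
           "CN=Carol Example,OU=Staff,DC=child,DC=domain,DC=com"),
    # no UPN set at all
    AdUser("dave", None,
           "CN=Dave Example,OU=Staff,DC=child,DC=domain,DC=com"),
]


if __name__ == "__main__":
    for name in find_unsupported_upns(SAMPLE_USERS):
        print(f"{name}: UPN is missing or in the alternate format; "
              f"not usable with WebSEAL Kerberos authentication")
```

Run against the sample data, the script reports bob and dave; alice and carol pass. The check deliberately compares only the UPN suffix, because that is the property the limitation above is defined on; an organization that also wants to confirm the prefix matches the account's short name can extend `is_default_upn` with a comparison against `sam_account_name`.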