SPNEGO compatibility with other authentication methods
WebSEAL support for Kerberos authentication is compatible with several WebSEAL authentication methods.
The following WebSEAL authentication methods are compatible:
- Basic authentication
- Forms authentication
- HTTP header authentication
- LTPA authentication
- Failover authentication
  The failover cookie mechanism supports SPNEGO-authenticated users.
- Cross domain single sign-on
- SSL certificate authentication
- External authentication interface
When SPNEGO is configured with another authentication method, WebSEAL simultaneously sends both an SPNEGO challenge and an HTML form login to the browser. Browsers that support SPNEGO respond with Kerberos authentication. Browsers that do not support SPNEGO display the login form.
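The exchange described above, sketched as an added example (not WebSEAL code or configuration). It assumes the SPNEGO challenge travels as the HTTP `Negotiate` scheme of RFC 4559, which this page does not spell out; the function names, result labels and sample token are hypothetical and constructed for illustration.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2

def build_challenge(login_form_html):
    """One 401 response carrying both the Negotiate challenge and the login form."""
    body = login_form_html.encode("utf-8")
    headers = [("WWW-Authenticate", "Negotiate"),
               ("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    return 401, headers, body

def is_spnego_init(token):
    """True if token is a GSS-API initial token (tag 0x60) naming the SPNEGO mechanism."""
    if len(token) < 2 or token[0] != 0x60:
        return False
    # DER length: short form is one byte, long form is 0x80|n followed by n bytes
    offset = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    return token[offset:offset + len(SPNEGO_OID)] == SPNEGO_OID

def classify_reply(request_headers):
    """Classify the browser's next request: spnego, not-spnego, malformed,
    other-method or form-fallback (no Authorization header at all)."""
    auth = next((v.strip() for k, v in request_headers
                 if k.lower() == "authorization"), None)
    if auth is None:
        return "form-fallback"
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-method"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if not token:
        return "malformed"
    return "spnego" if is_spnego_init(token) else "not-spnego"

def sample_authorization():
    """Constructed sample: SPNEGO OID plus an empty [0] wrapper, not a real ticket."""
    inner = SPNEGO_OID + bytes.fromhex("a0023000")
    token = bytes([0x60, len(inner)]) + inner
    return "Negotiate " + base64.b64encode(token).decode("ascii")

if __name__ == "__main__":
    print(classify_reply([("Authorization", sample_authorization())]))
```

Run against captured request headers, a classifier like this shows which browsers actually answer the challenge with a SPNEGO token and which fall through to the login form.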
Compatibility between Kerberos authentication and WebSEAL e-community single sign-on is limited. A WebSEAL server can be an e-community master authentication server (MAS) and support SPNEGO. However, a WebSEAL server cannot be an e-community subordinate and also support SPNEGO.
WebSEAL authentication strength policy (step-up authentication) from Kerberos authentication to other authentication methods is supported.
When Kerberos authentication is enabled, only the following methods of maintaining session state are supported:
- SSL session IDs
- HTTP cookies
- HTTP header session keys
Kerberos authentication is compatible with the automatic tag-value retrieval support provided by the ISAM entitlements service. Therefore, it is possible to add extended attributes to a user's credential after the user has authenticated with SPNEGO.