Configure WebSEAL to enable Kerberos single sign-on
To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.
For information about the [junction] stanza, see [junction] stanza.

Steps
- Select Web > Manage > Reverse Proxy.
- Create a new WebSEAL instance.
- Select the instance.
- Click Manage > Configuration File.
- Locate the [junction] stanza.
- Update the configuration items accordingly. For example:
    kerberos-sso-enable = yes
    kerberos-keytab-file = webseal.keytab
    kerberos-principal-name = HTTP/webseal@AD_DOMAIN
    kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM

  These SPNs are set in Active Directory in Create the WebSEAL user in Active Directory. The domain names are case-sensitive and must be uppercase.

  To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).
- Click Save.
- Deploy the changes.
- Restart the WebSEAL instance.
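
A pre-deployment check for the entries above, as an added example that is not part of the original page or of the product: it reads the [junction] stanza from configuration text and reports missing entries, a kerberos-sso-enable value other than yes, and SPNs whose realm is not uppercase. The function names, the assumption that `#` starts a comment line, and the treatment of all four example entries as required are choices made for this example.

```python
import re

# The four entries the page's example sets in the [junction] stanza.
KERBEROS_KEYS = ("kerberos-sso-enable", "kerberos-keytab-file",
                 "kerberos-principal-name", "kerberos-service-name")

def read_stanza(text, stanza="junction"):
    """Collect key = value entries of one [stanza]; '#' comment lines are assumed."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def check_kerberos_sso(text):
    """Return findings for the Kerberos SSO entries; an empty list means none."""
    entries = read_stanza(text)
    findings = [f"{k}: missing or empty" for k in KERBEROS_KEYS if not entries.get(k)]
    enabled = entries.get("kerberos-sso-enable")
    if enabled and enabled != "yes":
        findings.append(f"kerberos-sso-enable: is {enabled!r}, expected 'yes'")
    for key in ("kerberos-principal-name", "kerberos-service-name"):
        spn = entries.get(key)
        if not spn:
            continue
        # Only the realm after '@' must be uppercase; the host part may be lowercase.
        service, _, realm = spn.rpartition("@")
        if not service or "/" not in service or not realm:
            findings.append(f"{key}: expected service/host@REALM, got {spn!r}")
        elif realm != realm.upper():
            findings.append(f"{key}: realm {realm!r} must be uppercase")
    return findings

# Constructed sample: the page's example values with two deliberate mistakes.
SAMPLE = """\
[junction]
kerberos-sso-enable = no
kerberos-keytab-file = webseal.keytab
kerberos-principal-name = HTTP/webseal@AD_DOMAIN
kerberos-service-name = HTTP/target_service.ad_domain.com@ad_domain.com
"""
```

Run `check_kerberos_sso` on the configuration text before clicking Save; on the constructed sample it reports the disabled flag and the lowercase realm in kerberos-service-name.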