Configure WebSEAL to enable Kerberos single sign-on

To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.

For information about the [junction] stanza, see [junction] stanza.

Steps

  1. Select Web > Manage > Reverse Proxy.

  2. Create a new WebSEAL instance.

  3. Select the instance.

  4. Click Manage > Configuration File.

  5. Locate the [junction] stanza.

  6. Update the configuration items accordingly. For example:
    kerberos-sso-enable = yes
    kerberos-keytab-file = webseal.keytab
    kerberos-principal-name = HTTP/webseal@AD_DOMAIN
    kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
    These SPNs are the ones registered in Active Directory in the task Create the WebSEAL user in Active Directory. The domain names are case-sensitive and must be uppercase.

    To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).

  7. Click Save.

  8. Deploy the changes.

  9. Restart the WebSEAL instance.
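The value checks that step 6 implies, as an added example that is not part of this documentation or of WebSEAL itself: it parses a constructed [junction] stanza and reports when Kerberos SSO is not enabled, when a required entry is missing, or when an SPN realm is not uppercase. The file layout, sample values and `check_junction_stanza` helper are assumptions for illustration.

```python
import configparser
import re

# Constructed sample of a WebSEAL configuration fragment (not taken from a real instance).
# The realm in kerberos-service-name is deliberately lowercase so the check fires.
SAMPLE_CONFIG = """
[junction]
kerberos-sso-enable = yes
kerberos-keytab-file = webseal.keytab
kerberos-principal-name = HTTP/webseal@AD_DOMAIN
kerberos-service-name = HTTP/target_service.ad_domain.com@ad_domain.com
"""

# Entries that must be present once kerberos-sso-enable is yes.
REQUIRED_KEYS = ("kerberos-keytab-file", "kerberos-principal-name", "kerberos-service-name")

# An SPN of the form HTTP/host@REALM; group 1 captures the realm after the '@'.
SPN_RE = re.compile(r"^HTTP/[^@/\s]+@([^@\s]+)$")


def check_junction_stanza(text):
    """Return a list of findings for the [junction] Kerberos SSO entries; an empty list means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not cfg.has_section("junction"):
        return ["[junction] stanza missing"]
    junction = cfg["junction"]

    # Without kerberos-sso-enable = yes nothing else in the stanza takes effect.
    if junction.get("kerberos-sso-enable", "no").strip().lower() != "yes":
        findings.append("kerberos-sso-enable is not 'yes'; Kerberos SSO stays disabled")
        return findings

    for key in REQUIRED_KEYS:
        if not junction.get(key, "").strip():
            findings.append(f"{key} is not set")

    # Realms are case-sensitive and must be uppercase for both SPNs.
    for key in ("kerberos-principal-name", "kerberos-service-name"):
        value = junction.get(key, "").strip()
        if not value:
            continue
        match = SPN_RE.match(value)
        if not match:
            findings.append(f"{key} '{value}' is not of the form HTTP/host@REALM")
            continue
        realm = match.group(1)
        if realm != realm.upper():
            findings.append(f"{key} realm '{realm}' must be uppercase")
    return findings
```

Run the checker over the configuration file before deploying the changes; the sample above yields one finding, and it passes once the realm is written as AD_DOMAIN.COM.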
