Configure WebSEAL to enable Kerberos single sign-on

To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.

For information about the [junction] stanza, see [junction] stanza.

Steps

1. Select Web > Manage > Reverse Proxy.

2. Create a new WebSEAL instance.

3. Select the instance.

4. Click Manage > Configuration File.
5. Locate the [junction] stanza.

6. Update the configuration items accordingly. For example:

   kerberos-sso-enable = yes
   kerberos-keytab-file = webseal.keytab
   kerberos-principal-name = HTTP/webseal@AD_DOMAIN
   kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM

   These SPNs are set in Active Directory in Create the WebSEAL user in Active Directory. The domain names are case-sensitive and must be uppercase.

   To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).

7. Click Save.

8. Deploy the changes.
9. Restart the WebSEAL instance.

Parent topic: Single sign-on using Kerberos constrained delegation