The use cases below explain the end user experience using single sign-on with Kerberos. Use this information while troubleshooting any end user authentication issues.
Meet the following preconditions:
Configure the appliance.
Do not configure Integrated Windows authentication (Kerberos).
Do not configure single sign-on.
The users access the link for the SaaS application through the basic landing page or a company landing page.
The appliance automatically redirects the users to a login screen on the browser.
When users enter their Active Directory logon names and passwords successfully, the appliance authenticates the users into the SaaS application.
This behavior is the same whether the users are inside or outside of the corporate firewall.
No exceptions.
Meet the following preconditions:
Enable Integrated Windows authentication in the appliance for user authentication. For more information, see "Configuring the Appliance to Use Integrated Windows Authentication with Kerberos" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Enable Kerberos authentication in Active Directory.
The users authenticate to Active Directory when logging on to their workstation or laptop.
Select the default Advanced options setting of Enable Integrated Windows Authentication in your browser.
Configure the user browsers to accept the Kerberos ticket. For more information, see "Configuring the End User Browsers for Kerberos Authentication" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
The user authenticates to Active Directory when logging on to their workstation or laptop.
The user accesses the link for the SaaS application through the basic landing page or a company landing page.
The browser automatically redirects to the appliance for authentication, then the user seamlessly logs in to the SaaS application using single sign-on with the Kerberos ticket.
No exceptions.
Meet the following preconditions:
Enable Integrated Windows authentication in the appliance for user authentication. For more information, see "Configuring the Appliance to Use Integrated Windows Authentication with Kerberos" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Enable Kerberos authentication in Active Directory.
The user authenticates to Active Directory when logging on to their workstation or laptop.
Select the default Advanced options setting of Enable Integrated Windows Authentication in the user’s browser.
Do not configure the user browsers to accept the Kerberos tickets. Do not perform the steps in "Configuring the End User Browsers for Kerberos Authentication" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
The user authenticates to Active Directory when logging on to their workstation or laptop.
The user accesses the link for the SaaS application through the basic landing page or a company landing page.
The browser automatically redirects to the appliance for authentication in a pop-up.
Users enter their corporate usernames and passwords.
Exceptions: Users successfully log in after entering their corporate usernames and passwords using IE or Firefox.
Meet the following preconditions:
Enable Integrated Windows authentication in the appliance for user authentication. For more information, see "Configuring the Appliance to Use Integrated Windows Authentication with Kerberos" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
The user logs on to the local computer, but not into Active Directory.
Do not configure the user browsers to accept the Kerberos tickets. Do not perform the steps in "Configuring the End User Browsers for Kerberos Authentication" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Select the default Advanced options setting of Enable Integrated Windows Authentication in your browser.
The user logs in to the local computer, but does not log in to Active Directory.
The user accesses the link for the SaaS application through the basic landing page or a company landing page.
The browser automatically redirects to the appliance for authentication.
The user enters their corporate username and password in the pop-up.
Users successfully log in when they enter their corporate usernames and passwords using IE or Firefox.
Meet the following preconditions:
Enable Integrated Windows authentication in the appliance for user authentication. For more information, see "Configuring the Appliance to Use Integrated Windows Authentication with Kerberos" in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Log in to your local computer, but do not log in to Active Directory.
Do not configure the user browsers to accept the Kerberos tickets. Do not perform the steps in "Configuring the End User Browsers for Kerberos Authentication" in the Installation and Configuration Guide for Access Gateway for Cloud 1.0.0 Early Access.
Select the default Advanced options setting of Enable Integrated Windows Authentication in the user browsers.
The user logs in to the local computer, but does not log in to Active Directory.
The user accesses the link for the SaaS application through the basic landing page or a company landing page.
The browser automatically redirects to the appliance for authentication.
The user enters their corporate username and password in the pop-up.
Users successfully log in after they enter their corporate usernames and passwords using IE or Firefox.
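When troubleshooting which of the use cases above a user is in, it helps to check whether the browser actually sent a Kerberos ticket. The following is an added example, not part of the NetIQ documentation: it assumes the appliance uses the standard HTTP Negotiate exchange that Integrated Windows Authentication relies on and that you have captured the browser's Authorization header; the function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs found near the start of a GSS-API/SPNEGO token.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft)
)
NTLM_SIGNATURE = b"NTLMSSP\x00"

# What the end user should see, in the terms of the use cases above.
EXPECTED = {
    "kerberos": "Kerberos ticket sent: seamless single sign-on, no prompt",
    "ntlm": "no Kerberos ticket sent: user is prompted for username and password",
    "none": "no Negotiate response: user is prompted for username and password",
    "malformed": "unreadable token: capture the request again",
}

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'none' or 'malformed' for an Authorization header."""
    if not header_value or not header_value.strip():
        return "none"
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "none"  # e.g. Basic: the browser did not answer with Negotiate
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if NTLM_SIGNATURE in token[:64]:
        return "ntlm"  # raw or SPNEGO-wrapped NTLM fallback
    if token[:1] == b"\x60" and any(oid in token[:64] for oid in KRB5_OIDS):
        return "kerberos"
    return "malformed"

def constructed_samples():
    """Shortened, constructed tokens (not real tickets) for each outcome."""
    krb = (b"\x60\x1e\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x14\x30\x12\xa0\x0d\x30\x0b"
           + KRB5_OIDS[0] + bytes(4))
    ntlm = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(20)
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"kerberos": enc(krb), "ntlm": enc(ntlm), "none": "", "malformed": "Negotiate !!!"}

if __name__ == "__main__":
    for name, header in constructed_samples().items():
        kind = classify_authorization(header)
        print(f"{name:10} -> {kind:10} {EXPECTED[kind]}")
```

A result of `ntlm` or `none` for a user who is logged on to Active Directory points at the browser configuration precondition rather than at the appliance.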