13.18 Kerberos SSO Options

IMPORTANT:The Kerberos SSO Options policy is not available in Advanced Authentication as a Service (SaaS) version

In this policy, you can select an Active Directory repository that points to a domain for which you want to configure the single sign-on (SSO). Kerberos SSO is supported for the AdminUI, Authenticators Management, Helpdesk, and Report logon events.

The Figure 13-2 displays the architecture of Kerberos SSO.

Figure 13-2 Kerberos SSO Architecture

By default, the basic authentication window is displayed in your browser while accessing an Advanced Authentication portal. Advanced Authentication servers’ sites must be added to the local intranet in the browser on the domain-joined workstations to avoid it. Perform the following steps to do it for Internet Explorer:

  1. From the Start menu, navigate to Control Panel > Network and Internet > Internet Options.

  2. In the Internet Properties window, click the Security tab and select Local intranet.

  3. Click Sites.

  4. In the Local intranet window, click Advanced.

  5. Add the Advanced Authentication Servers’ sites to the zone. For example: https://v5.netiq.loc or v5.netiq.loc.

  6. Click Close.

Perform the following steps to configure Advanced Authentication to perform an SSO authentication:

  1. Ensure that the Multitenancy options policy is disabled.

  2. Go to Policies > Kerberos SSO options.

  3. Select Active Directory as repository in Repository.

    NOTE:This feature works only for a single Active Directory repository at a time.

  4. Click Save.

  5. Log in to a Domain Controller.

  6. Generate the keytab files for the Kerberos authentication for each Advanced Authentication server.

    A Sample command to create the keytab file is:

    ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@authasas.local /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv


    • aas1 is a server name (according to the record in DNS), the domain name is netiq.loc.

    • aas1srv is a service account created in the Active Directory for the Advanced Authentication server. The password of this account is Q1w2e3r4.The keytab file keytab_aas1srv is created in the C:\Temp folder.

  7. Go to the Advanced Authentication Administration portal.

  8. Click Server Options.

  9. Scroll down to the Keytab file section.

  10. Click Browse and select a keytab file for the Advanced Authentication server.

  11. Click Upload.

  12. Repeat Step 8 to Step 11 for the other Advanced Authentication servers.

  13. Click Events on the Global Master server.

  14. Open the properties of any supported event: AdminUI, Authenticators Management, Helpdesk, or Report logon.

  15. Scroll down and set Allow Kerberos SSO to ON.

IMPORTANT:You must add the Advanced Authentication server sites to the local intranet in the browser of the domain-joined workstations. To know how to do this for the Internet Explorer, see the above procedure.

By default, Firefox browser does not support SSO. If you use the Firefox browser, you can enable SSO by performing the steps defined on the Single Sign-On in Firefox page.

NOTE:The basic authentication window is displayed while accessing a configured Advanced Authentication portal, if the Kerberos SSO option is enabled for Authenticators Management event and security is set to High for Local intranet in the Internet Explorer.