IMPORTANT: The Kerberos SSO Options policy is not available in the Advanced Authentication as a Service (SaaS) version.
In this policy, you select an Active Directory repository that points to the domain for which you want to configure single sign-on (SSO). Kerberos SSO is supported for the , , , and events.
Figure 13-2 displays the architecture of Kerberos SSO.
Figure 13-2 Kerberos SSO Architecture
By default, a basic authentication window is displayed in the browser when you access an Advanced Authentication portal. To avoid it, the Advanced Authentication servers' sites must be added to the Local intranet zone in the browser on the domain-joined workstations. Perform the following steps to do this in Internet Explorer:
From the menu, navigate to > >
In the window, click the tab and select
In the window, click
Add the Advanced Authentication servers' sites to the zone. For example: https://v5.netiq.loc or v5.netiq.loc.
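The same zone assignment can be scripted for a workstation instead of clicking through the Internet Options dialog. The following PowerShell is an added example, not part of the NetIQ documentation: it writes the Internet Explorer ZoneMap registry entries that the dialog above would create, for the current user. The hostnames are the page's sample values (aas1.netiq.loc is assumed to be one of the Advanced Authentication servers); replace them with your own.

```powershell
# Added example (not from the NetIQ documentation): assign the Advanced
# Authentication server sites to the Local intranet zone for the current user
# by writing the Internet Explorer ZoneMap registry entries.
$sites = @('v5.netiq.loc', 'aas1.netiq.loc')   # sample hostnames; aas1 is assumed
$zoneLocalIntranet = 1   # ZoneMap zone ids: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

foreach ($site in $sites) {
    # ZoneMap stores a host as Domains\<parent domain>\<host label>
    $labels    = $site.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $key       = Join-Path (Join-Path $zoneMap $domain) $hostLabel

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # One DWORD per URL scheme. Only https is mapped, because the portal is
    # served over TLS; mapping http as well would widen the zone needlessly.
    New-ItemProperty -Path $key -Name 'https' -Value $zoneLocalIntranet `
        -PropertyType DWord -Force | Out-Null
}

# Verify: list the hosts under netiq.loc and the zone each https entry maps to.
Get-ChildItem (Join-Path $zoneMap 'netiq.loc') |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object PSChildName, https }
```

For a fleet of domain-joined workstations, use the Internet Explorer "Site to Zone Assignment List" Group Policy rather than per-user registry writes; when that policy is in effect it overrides these user-level entries, so a script like this one will appear to have no effect.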
Perform the following steps to configure Advanced Authentication to perform SSO authentication:
Ensure that the Multitenancy options policy is disabled.
Select Active Directory as the repository in .
NOTE: This feature works only for a single Active Directory repository at a time.
Log in to a Domain Controller.
Generate a keytab file for Kerberos authentication for each Advanced Authentication server.
A sample command to create the keytab file is:
ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser email@example.com /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv
aas1 is the server name (according to its record in DNS), and the domain name is .
aas1srv is a service account created in Active Directory for the Advanced Authentication server. The password of this account is Q1w2e3r4. The keytab file keytab_aas1srv is created in the C:\Temp folder.
Go to the Advanced Authentication Administration portal.
Scroll down to the section.
Click and select the keytab file for the Advanced Authentication server.
Click on the Global Master server.
Open the properties of any supported event: , , or .
Scroll down and set to .
IMPORTANT: You must add the Advanced Authentication server sites to the Local intranet zone in the browser on the domain-joined workstations. To learn how to do this for Internet Explorer, see the procedure above.
By default, the Firefox browser does not support SSO. If you use Firefox, you can enable SSO by performing the steps described on the Single Sign-On in Firefox page.
NOTE: The basic authentication window is displayed while accessing a configured Advanced Authentication portal if the option is enabled for the event and security is set to High for in Internet Explorer.
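Because one keytab is needed per Advanced Authentication server (step "Generate a keytab file" above), the generation is easiest to script on the Domain Controller. The following PowerShell is an added example, not part of the NetIQ documentation: it runs ktpass with the same parameters as the sample command, once per server, and then checks where the HTTP SPN was registered. The realm NETIQ.LOC, the server aas1 and the account aas1srv are the page's sample values; aas2/aas2srv is a placeholder for a second server, and the /mapuser value is assumed to take the form account@REALM (the sample command shows a redacted user principal).

```powershell
# Added example (not from the NetIQ documentation): generate one keytab per
# Advanced Authentication server on a Domain Controller.
$realm   = 'NETIQ.LOC'   # Kerberos realm = AD domain name in upper case
$dnsZone = 'netiq.loc'   # DNS suffix of the server records
$outDir  = 'C:\Temp'     # output folder used by the page's sample command
# Server name -> service account, following the page's aas1 -> aas1srv pattern.
# 'aas2' / 'aas2srv' is a placeholder for a second server.
$servers = [ordered]@{ 'aas1' = 'aas1srv'; 'aas2' = 'aas2srv' }

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($server in $servers.Keys) {
    $account   = $servers[$server]
    $principal = "HTTP/$server.$dnsZone@$realm"
    $keytab    = Join-Path $outDir "keytab_$account"

    # /pass * makes ktpass prompt for the account password instead of leaving
    # it in the command line and shell history. Note that ktpass sets this
    # password on the account, so an existing password is replaced.
    & ktpass /princ $principal /mapuser "$account@$realm" /crypto ALL `
             /ptype KRB5_NT_PRINCIPAL /mapop set /pass * /out $keytab
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $server ($principal)" }

    # Confirm the SPN is registered on the intended service account.
    & setspn -L $account
}

# A duplicate SPN in the forest breaks Kerberos for that service, so finish
# with a forest-wide duplicate check.
& setspn -X
```

Run it in an elevated session on the Domain Controller with an account allowed to change the service accounts' passwords. Each keytab produced here is then uploaded in the Administration portal as described in the steps above; keep the files in a protected location and delete the working copies in C:\Temp once uploaded, since anyone holding a keytab holds the service account's key.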