5.1 Prerequisites

Kerberos authentication is supported for the following configuration:

  • Clients must be running one of the following operating systems:

    Windows XP with Internet Explorer 7 or 8. Some minimal testing has been done with Internet Explorer 6. To make Kerberos work with Internet Explorer 6, you need to enable integrated Windows authentication. For information about how to enable this feature, see “Authentication Uses NTLM instead of Kerberos”.

    Windows Vista with the latest version of Internet Explorer.

    Windows 7 with Internet Explorer 8. Be aware of the following issues:

    • Internet Explorer needs to have the Internet Options configured to trust the URL of the Identity Server.

    • The keytab file must be configured to trust more than DES encryption. If you created your keytab file for an earlier version of Access Manager where only DES was supported, you need to recreate the keytab file. For the new procedure, see Section 5.2.3, Configuring the Keytab File.

    For more information about these issues, see TID 7006036.

  • Active Directory must be configured to contain entries for both users and their machines. Active Directory must be running on Windows Server 2003 Enterprise SP2, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.

  • Active Directory and the Identity Server must be configured to use a Network Time Protocol server. If time is not synchronized, authentication fails.

  • If a firewall separates the Active Directory Server from the Identity Server, the firewall needs to open ports TCP 88 and UDP 88 so that the Identity Server can communicate with the KDC on the Active Directory Server.
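The keytab requirement above can be checked offline: an MIT-format keytab records the enctype number of every key it holds, so a file whose keys are all single-DES (enctypes 1, 2 and 3) is one that has to be recreated before the Identity Server will interoperate with a current KDC. The parser below is an added example, not Access Manager's own code or procedure; the principal HTTP/idp.example.com@EXAMPLE.COM and the key bytes used by build_keytab are constructed sample values.

```python
import struct
DES_ENCTYPES = {1, 2, 3}   # single DES; AES/RC4 keys use enctypes 17, 18, 23

def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                        # name_type (4 bytes) + timestamp (4 bytes)
        vno8, enctype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen                 # skip the key material itself
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno or vno8, enctype))
        off = end
    return entries

def keytab_is_des_only(data):
    """True when every key is single-DES, i.e. the keytab must be recreated."""
    enctypes = {e for _, _, e in parse_keytab(data)}
    return bool(enctypes) and enctypes <= DES_ENCTYPES

def build_keytab(principal, kvno, enctypes, key=b"\x11" * 8):
    """Constructed sample keytab (dummy key bytes, not a real secret)."""
    name, realm = principal.split("@")
    out = b"\x05\x02"
    for enctype in enctypes:
        rec = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
        for c in name.split("/"):
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(rec) + 4) + rec + struct.pack(">I", kvno)
    return out
```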