IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

Kerberos authentication

IBM® Security Access Manager for Enterprise Single Sign-On supports Kerberos authentication of users in both personal and shared workstations.

How it works

Users can log on to Windows Desktops by using any supported Windows authentication mechanism, including the default Credential Providers that are packaged with the Windows operating system. For example, users might use a Smart Card that authenticates against an Active Directory certification authority (CA) to log in to Windows. Once the Windows Desktop is created, AccessAgent uses the Kerberos authentication tickets of the logged-in Windows Desktop and logs in automatically.

This mode might be used to integrate with any Windows Authentication solution and does not require the authentication factor to be registered with IBM Security Access Manager for Enterprise Single Sign-On.

Note:
  • IBM Security Access Manager for Enterprise Single Sign-On does not use or synchronize the Active Directory user password in this mode. The Active Directory password must be synchronized by using a provisioning system. For example, see "Using Provisioning API for account setup and maintenance" in the IBM Security Access Manager for Enterprise Single Sign-On Provisioning Integration Guide.
  • Users might log in to the Terminal Server by using any supported authentication mechanism, for example, domain passwords, smart cards, and fingerprints (via Windows Biometric Foundation). Once the user is authenticated to the remote session, AccessAgent logs on automatically by using the remote desktop Kerberos authentication tickets.
  • ESSO Credential Provider is not enabled in this mode.

