To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.
About this task
For more information about the [junction] stanza, see [junction] stanza.
- From the top menu, select
.
- Create a new WebSEAL instance.
- Select the instance.
- Click .
- Locate the [junction] stanza.
- Update the configuration items accordingly.
For example:
kerberos-sso-enable = yes
kerberos-keytab-file = webseal.keytab
kerberos-principal-name = HTTP/webseal@AD_DOMAIN
kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).
- Click Save.
- Deploy the changes.
- Restart the WebSEAL instance.
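The following Python script is an added example, not part of the original page or of the product's tooling. It checks the [junction] stanza of a configuration file's text before the changes are deployed. The function names are hypothetical, and it assumes that `#` starts a comment line, that the three entries shown in the example above must all be set when kerberos-sso-enable is yes, and that principal values take the service/host@REALM form used in that example.

```python
import re

# Entries the page's example sets alongside kerberos-sso-enable (assumed required).
REQUIRED = ("kerberos-keytab-file", "kerberos-principal-name", "kerberos-service-name")
# Assumed principal shape: service/host with an optional @REALM suffix.
PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+(@[^/@\s]+)?$")


def read_stanza(text, stanza="junction"):
    """Return the key/value entries of one [stanza] from the configuration text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def check_kerberos_sso(text):
    """Return a list of problems with the Kerberos SSO entries; empty means none found."""
    entries = read_stanza(text)
    if entries.get("kerberos-sso-enable", "no").lower() != "yes":
        return ["kerberos-sso-enable is not set to yes"]
    problems = []
    for key in REQUIRED:
        if not entries.get(key):
            problems.append(f"{key} is missing or empty")
    for key in ("kerberos-principal-name", "kerberos-service-name"):
        value = entries.get(key)
        if value and not PRINCIPAL.match(value):
            problems.append(f"{key} is not of the form service/host@REALM: {value}")
    return problems


# Constructed sample input that reuses the values from the page's example.
SAMPLE = """\
[junction]
kerberos-sso-enable = yes
kerberos-keytab-file = webseal.keytab
kerberos-principal-name = HTTP/webseal@AD_DOMAIN
kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
"""

if __name__ == "__main__":
    for problem in check_kerberos_sso(SAMPLE) or ["no problems found"]:
        print(problem)
```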