Tuesday, January 27, 2009

Steps to configure Windows Desktop SSO

Source: http://forums.sun.com/thread.jspa?threadID=5361015&tstart=0
Author: jeffcortade

General info

Our environment has external and internal users.
External users are not logging onto a desktop on the AD domain.
Internal users are.
Currently all users have an account in the AD domain, and AM authenticates against AD.
The login method for users is Username and Password.

Our AD has 2 "tiers" we are interested in.


We use AM 7.1 patch 1 and DS 6. All servers are running Windows 2003 R2.

The AM servers are members of the top.hill.com AD domain; there are 4 of them:

am01 am02 am03 am04.top.hill.com
The Sun Directory Servers are set up the same way:
dir01 dir02 dir03 dir04.top.hill.com

Those are the real hostnames of those systems. This is important, as apparently Kerberos does not like DNS aliases.

Users access Access Manager services via


This is just a DNS name pointed to the external interface of the load balancers. All traffic currently goes through there; all agents are configured to use that for the LoginURL etc.

So internal and external users all use that URL through the external interface of the LB.

So desktop SSO



All machines are already present in AD as they are joined to the top.hill.com domain.
Find each of those systems in AD, right click on them and go to Properties. Check the little box that says "Trust computer for delegation", OK it, and OK the resulting scary warning.

Reboot all of the AM machines after doing this.

Install the Support Tools from the Windows CD on your DC for top.hill.com if they are not already installed.
You will need the ktpass utility to make this work.

Create a user for each host in the Users tree of top.hill.com


Add them each to the Administrators group and set the password to never expire.

On the DC, in a command window:

Create a working directory someplace and cd into it.
You have to do this as a domain admin for top.hill.com. That should be obvious, but hey ...

Then run the following, substituting your values obviously.
You will do this for each host, substituting AM0X with your hostname.
So a total of 8 commands for me.

ktpass -princ HTTP/AM0X.top.hill.com@TOP.HILL.COM -pass YourPasswordHere /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL -mapuser AM0X /out AM0X.HTTP.keytab
ktpass -princ host/AM0X.top.hill.com@TOP.HILL.COM -pass YourPasswordHere /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL -mapuser AM0X /out AM0X.host.keytab

This generates files in your working directory. These will get copied to each of your AM hosts.

On each AM host create a directory to hold the keytab files.
I did it in c:\etc\keytab; you will reference this path in the auth modules.
Copy all the files you created on the DC to that directory on every host.

Configure 4 new Windows Desktop SSO authentication modules.
I named mine

desktopAM01 desktopAM02 desktopAM03 desktopAM04

Save all the time, as the console is such fun: after each change click Save.

Once they are created, configure each of them something like this:

WindowsDesktopSSO params:
principal: HTTP/AM0X.top.hill.com@TOP.HILL.COM
keytab file: c:\etc\keytab\AM0X.HTTP.keytab
realm : TOP.HILL.COM
kdc server: dc0X.top.hill.com

The kdc server is one of the DCs in the top.hill.com domain.

domain principal: false
auth level: any number you like; it depends on your env. 0 works fine unless you are doing something with this.
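An added check, not part of the original post: a small Python script that reads a keytab written by ktpass and confirms it holds a key for exactly the principal and encryption type entered in the module above, before the module is pointed at it. The comparison is exact, since Kerberos treats principal names as case-sensitive. The hostnames, kvno and 16-byte key used to build the sample keytab are constructed; real files come from ktpass.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac-nt"}  # Kerberos etype numbers; 23 is what ktpass /crypto RC4-HMAC-NT writes

def _cstr(buf, off):
    """Read a counted octet string: uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _cstr_enc(s):
    b = s.encode() if isinstance(s, str) else s
    return struct.pack(">H", len(b)) + b

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab, the layout ktpass writes; one dict per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):        # e.g. "HTTP", "am01.top.hill.com"
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        key, off = _cstr(data, off + 11)
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # optional 32-bit kvno
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(etype, str(etype)), "keylen": len(key)})
    return entries

def check_keytab(data, principal, enctype="rc4-hmac-nt"):
    """True if the keytab holds a key for exactly this principal (case-sensitive) and enctype."""
    return any(e["principal"] == principal and e["enctype"] == enctype for e in parse_keytab(data))

def build_keytab(principal, etype, kvno, key):
    """Build a one-entry v2 keytab: constructed test data in the layout ktpass produces."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + _cstr_enc(realm)
    body += b"".join(_cstr_enc(c) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _cstr_enc(key) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass the bytes of c:\etc\keytab\AM0X.HTTP.keytab to check_keytab together with the principal string from the module; parse_keytab on the same bytes lists every principal, kvno and enctype the file contains.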

Once all four are configured,

reboot all the AM servers and restart the web container so AM is accessible.

Now log into a desktop as a user in the near.top.hill.com domain

then access AM like so


This should take you directly to your success page without prompting for a username/password.

Once all four work

I set up a link on the login pages of each with a distinct hostnamed URL

"Internal Users Login Here". This points to the above link plus a goto.

4 holes are configured on the external LB, one for each AM host, and the associated hostnames are published externally.

Not pretty, but I think this is the only way to get it working.

If anyone knows of a way to get this working using a DNS alias such as

AM.hill.com .... which has no associated host or a DC at that level, please let me know.

Have a nice day.
