Eric's Blog Eric Knittel's Blog

This is intended as a How-To for configuring the WindowsDesktopSSO Authentication module for OpenSSO.

I have used these steps for the following scenarios:

• Access Manager 7.0 authenticating to Windows 2000 Domain
• OpenSSO Enterprise 8.0 authenticating to Windows 2003 Domain

 There are four steps to enabling the WindowsDesktopSSO module:

1. Create an account in AD
2. Create & Distribute the keytab file
   
3. Create & Configure the Authentication Module
4. Set up the browser

In the steps below, the FQDN for the OpenSSO server is idpserver.example.com.   The AD Domain is EXAMPLE.COM.

1. Create an account in AD

Create a user account in the Active Directory.  The account should get created on a top level domain server containing the global catalog.  The name of the account should be the hostname of the OpenSSO server (i.e. idpserver).

2. Create & Distribute the keytab file

• On the same AD domain controller where the user was created, generate a keytab file as follows:
• From the Windows Server Installation CD, install system tools. This will install the ktpass command.
• Execute the ktpass command:
• example: ktpass /pass Passw0rd /mapuser idpserver /princ HTTP/idpserver.example.com@EXAMPLE.COM /ptype KRB5_NT_PRINCIPAL /Target EXAMPLE.COM
• Execute the ktpass command:
• example: ktpass /out idpserver.HTTP.keytab /princ HTTP/idpserver.example.com@EXAMPLE.COM /ptype KRB5_NT_PRINCIPAL /Target EXAMPLE.COM
• Copy the keytab file to some location on the OpenSSO server (i.e. /opt/opensso/idpserver.HTTP.keytab)

3. Create & Configure the Authentication Module

Log into the OpenSSO Console. Click the Access Control tab and then click the Top Level realm (or the realm you are adding the module to).

Click the Authentication Tab

In the Module Instances section, Click New

Enter a name for the module and select the radio button for "Windows Desktop SSO".  Click Save.

In the Module Instances section, Click on the new WindowsDesktopSSO Module

Complete the form as follows:

• Service Principal: HTTP/idpserver.EXAMPLE.COM@EXAMPLE.COM
• Keytab File Name: /opt/opensso/idpserver.HTTP.keytab
• Kerberos Realm: EXAMPLE.COM
• Kerberos Server Name: domainserver1.example.com
• Return Principal with Domain Name: Unchecked (in my example)
• Authentication Level:  0  (Set this higher if you are using auth levels)

Click Save. 

On the Authentication tab, scroll down to Authenticaiton Chaining and click New

Give a name to the new Authentication Chain

In the next screen, select the WindowsDesktopSSO module and Required, click Save.

On the Authentication tab, change the Default Authentication Chain to DesktopSSO

4. Set up the Browser

• Internet Explorer (6 or greater)
• In the Tool menu, go to Internet Options > Advanced > Security.
• Select the Integrated Windows Authentication option. (default)
• Go to Security>Local Internet.
• Select Custom Level. In the User Authentication/Logon panel, select the Automatic Logon Only in Intranet Zone option.(default)
• Go to Sites and select all of the options.(default)
• Click Advanced and add the Access Manager to the local zone (if it is not added already) add: idpserver.example.com

• Firefox
• Support for SPNEGO is required for Kerberos-based single sign-on. In Firefox, this is turned off by default. Firefox has two preferences that allow SPNEGO to be turned on:
  1.    network.negotiate-auth.trusted-uris     /* defaults to empty string */
  2.    network.negotiate-auth.delegation-uris  /* defaults to empty string */
  
  Edit-> c:\Documents and Settings\<current user>\Application Data\Mozilla\Firefox\Profiles<user profile>\prefs.js
  
  Add the following lines to this file (using your opensso servername in place of idpserver.example.com):
  
  user_pref("network.negotiate-auth.delegation-uris", "idpserver.example.com");
  user_pref("network.negotiate-auth.trusted-uris", "idpserver.example.com");
  

The End :)