Kerberos negotiation
True single sign-on requires the Kerberos method "negotiate" to work. Some more complex steps are needed for this to succeed:
- Create an account in the Kerberos database
- Create keytable files
- Modify site configuration
Kerberos negotiation does not transmit authentication data or encryption keys between the Kerberos service, Apache and the client. Successful negotiation needs some prerequisites:
- proper DNS and IP configuration and connectivity
- correct use of the names of the Kerberos principals
- synchronization of clocks between all systems involved
I will try to explain the use of principal names and Kerberos communications, derived from experiences in my test environment. If Kerberos behaves differently in your environment, I would like to know, so that I can enhance this document.
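A pre-flight check for the three prerequisites listed above, as an added example that is not part of the original document. The function names, host names, addresses and the 300-second tolerance are assumptions, as is the usual `HTTP/<fqdn>@<REALM>` form of the web server's principal; the resolvers are injectable so the constructed sample runs offline.

```python
import socket
from datetime import datetime, timedelta, timezone

# Assumption: 300 s is a common default tolerance; use the value of your realm.
MAX_SKEW = timedelta(seconds=300)

def service_principal(fqdn, realm):
    """Principal a client requests for a web server: HTTP/<fqdn>@<REALM>."""
    return f"HTTP/{fqdn.rstrip('.').lower()}@{realm}"

def preflight(host, realm, keytab_principals, local_time, kdc_time,
              forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    canonical = host
    # 1. DNS: forward and reverse lookup should agree on one host name.
    try:
        addr = forward(host)
        canonical = reverse(addr)[0]
        if canonical.rstrip(".").lower() != host.rstrip(".").lower():
            findings.append(f"dns: {host} -> {addr} -> {canonical}")
    except OSError as exc:
        findings.append(f"dns: lookup failed for {host}: {exc}")
    # 2. Principal names: the keytab must hold every name a client may ask for.
    wanted = {service_principal(host, realm), service_principal(canonical, realm)}
    missing = sorted(wanted - set(keytab_principals))
    findings += [f"principal: {p} not in keytab" for p in missing]
    # 3. Clocks: tickets are rejected when the skew exceeds the tolerance.
    skew = abs(local_time - kdc_time)
    if skew > MAX_SKEW:
        findings.append(f"clock: skew {int(skew.total_seconds())}s "
                        f"exceeds {int(MAX_SKEW.total_seconds())}s")
    return findings

if __name__ == "__main__":
    # Constructed sample: users browse to an alias, the keytab only holds
    # the principal of the real host name, and the clock is 7 minutes off.
    now = datetime.now(timezone.utc)
    keytab = ["HTTP/web01.example.test@EXAMPLE.TEST"]
    for finding in preflight("intranet.example.test", "EXAMPLE.TEST", keytab,
                             now, now - timedelta(minutes=7),
                             forward=lambda h: "192.0.2.10",
                             reverse=lambda a: ("web01.example.test", [], [a])):
        print(finding)
```

In real use, fill `keytab_principals` from the principals listed by `klist -k` for the keytab file and drop the `forward`/`reverse` arguments so the system resolver is used.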