Single Sign-On for Java 3.3.2 - Administration Guide

Preparing for Single Sign-on for Java

This section discusses the environment needed for a Single Sign-on for Java deployment. It includes requirements relating to setting up Active Directory, Java application server hosts, and client machines.

• Pre-installation overview
• Network infrastructure
• Configuring Active Directory for Single Sign-on for Java
• Setting up a Java application server host
• Setting up a client machine

Pre-Installation overview

Before you install Single Sign-on for Java successfully there are a number of conditions that must be met. You will need:

• A network architecture which:
  • provides host and client machines suitable for Active Directory operations (see Active Directory environment),
  • includes a Domain Name Service (DNS), and
  • provides reliable Time synchronization service throughout.
• Installation and configuration of Active Directory on your Windows servers. See Configuring Active Directory for Single Sign-on for Java, including Setting up the service account. If you opt to allow delegation, refer to the section on Enabling delegation.
• A Java application server supported by Single Sign-on for Java (see the Release Notes and application-specific documentation), and relevant port access on any firewall between the application server and the Active Directory machine. For production systems, creation of a keytab file on your application server is a recommended option. See Creating keytab files.
• At least one working client capable of supporting SPNEGO or NTLM authentication. See Setting up a client machine. This may involve installation of a supported web browser (see the Release Notes), and its configuration for SPNEGO or NTLM authentication. See Browsers and authentication.

Network infrastructure

Before you install Single Sign-on for Java you will need a network architecture which provides host and client machines suitable for Active Directory operations. The following sections describe the conditions that must be met:

• Active Directory environment
• Domain Name Service (DNS)
• Time synchronization service

Active Directory environment

In order to work with Single Sign-on for Java you will need:

• An Active Directory domain.
• A host running a supported Java application server.
• A client machine joined to the Active Directory domain and with a supported web browser installed.

All machines must have access to a Domain Name Service and a Time Synchronization Service, as outlined in detail below.

Note that:

• The client should be a different host than the application server host; if they are the same, Internet Explorer will perform NTLM instead of SPNEGO.
• As general rule, you should not run Single Sign-on for Java on the same host as Microsoft IIS because it is difficult to configure SPNEGO to work to both of them.