Management Console for Unix uses the host computer's Active Directory credentials to publish its address to the Control Center, perform single sign-on, and validate a user's logon. On a Microsoft Windows server, the host computer's credentials are available through the Windows SSPI, but this limits Management Console for Unix to managing hosts in the same forest to which the Windows server is joined.
If you want to use Management Console for Unix to manage a foreign domain or forest from a Windows server, you must disable SSPI. See Disable SSPI for Single Sign-on. However, disabling SSPI also disables single sign-on.
Note: To perform single sign-on, you must:
- Configure Management Console for Unix for Active Directory.
- Join your Management Console for Unix server to an Active Directory domain.
  If your Management Console for Unix server is on a Linux platform, you must have Authentication Services installed to join Active Directory.
- Join the client host (where the browser is located) to the Active Directory domain.
- Log in to the browser host using an Active Directory account.
On a Unix server, Management Console for Unix looks for the host computer's credentials by searching for a Kerberos keytab file in the following default locations:
- /etc/opt/quest/vas/HTTP.keytab
- /etc/opt/quest/vas/host.keytab
To override the default location, set the console.keytab system property in the custom.cfg configuration file, as follows:
-Dconsole.keytab=<PropertyValue>
See Setting custom configuration settings for more information about overriding the default configuration settings.
If Management Console for Unix cannot find host computer credentials, it will run without host credentials by relying on a correctly configured DNS to find foreign domain controllers. This means that Management Console for Unix will be unable to publish its address to the Control Center, perform single sign-on, or fully validate passwords used when logging on.
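The keytab lookup described above can be checked from the shell before starting the console. This is an added example, not vendor code: it reports which keytab would be selected and whether the file is restricted to its owner, since a keytab holds the host's long-term Kerberos keys. It assumes the default locations are searched in the order listed, that a console.keytab override replaces the defaults, and that the path to custom.cfg is passed as an argument; the root prefix parameter is hypothetical and exists only so the check can be run against a test tree.

```sh
#!/bin/sh
# Added example (not vendor code). Assumptions are marked "ASSUMPTION".

# Default locations from the documentation above.
# ASSUMPTION: they are searched in the order listed.
DEFAULT_KEYTABS="/etc/opt/quest/vas/HTTP.keytab /etc/opt/quest/vas/host.keytab"

# Print the last -Dconsole.keytab= value found in the given custom.cfg, if any.
keytab_override() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*-Dconsole\.keytab=//p' "$1" | tail -n 1
}

# Print the keytab path the console would use, or nothing if none exists.
# $1 = path to custom.cfg, $2 = optional root prefix (hypothetical, for testing).
resolve_keytab() {
    override=$(keytab_override "$1")
    if [ -n "$override" ]; then
        # ASSUMPTION: an override replaces the defaults rather than adding to them.
        [ -f "${2:-}$override" ] && printf '%s\n' "$override"
        return 0
    fi
    for kt in $DEFAULT_KEYTABS; do
        if [ -f "${2:-}$kt" ]; then printf '%s\n' "$kt"; return 0; fi
    done
    return 0
}

# Succeed only if the file grants no permissions to group or other.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one status line: OK, WEAK (loose permissions) or NONE (no keytab).
audit_keytab() {
    found=$(resolve_keytab "$1" "${2:-}")
    if [ -z "$found" ]; then
        echo "NONE: no keytab found; console would run without host credentials"
    elif keytab_mode_ok "${2:-}$found"; then
        echo "OK: $found"
    else
        echo "WEAK: $found is accessible to group or other"
    fi
}

# Usage: sh audit_keytab.sh /path/to/custom.cfg
if [ $# -gt 0 ]; then audit_keytab "$1"; fi
```

A NONE result corresponds to the degraded mode described above, in which the console cannot publish its address, perform single sign-on, or fully validate passwords.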