Single Sign-On for Java 3.3.2 - Administration Guide


Domain Name Service (DNS)

Single Sign-on for Java uses DNS lookups to retrieve important information about Active Directory domains and hosts. For example, a DNS SRV query for “_ldap._tcp.EXAMPLE.COM” finds all the domain controllers for the EXAMPLE.COM domain.

If you are running Single Sign-on for Java on a Windows machine joined to Active Directory, or on UNIX or Linux with Authentication Services, DNS should already be configured correctly.

Otherwise, check whether the DNS server that the machine is using supports SRV resource records such as:

  • For locating the domain controllers for a given domain (EXAMPLE.COM): _ldap._tcp.EXAMPLE.COM
  • For locating the domain controllers for a given domain (EXAMPLE.COM) in a given Active Directory Site (Brisbane): _ldap._tcp.Brisbane._sites.EXAMPLE.COM
  • For locating the global catalogs for a given domain (EXAMPLE.COM): _ldap._tcp.gc._msdcs.EXAMPLE.COM
  • For locating the global catalogs for a given domain (EXAMPLE.COM) in a given Active Directory Site (Brisbane): _ldap._tcp.Brisbane._sites.gc._msdcs.EXAMPLE.COM

Note: If Single Sign-on for Java is unable to locate the DNS servers automatically, use the jcsi.kerberos.nameservers system property to explicitly specify one or more of the DNS servers that Single Sign-on for Java should use. See Appendix: Configuration Parameters for more information.
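The following check is an added example and is not part of the guide or the product: it uses the JDK's built-in JNDI DNS provider to query the four SRV names listed above so an administrator can confirm, before deployment, that the DNS server the application server uses actually returns them. The domain (EXAMPLE.COM), site (Brisbane) and the optional DNS server address passed as the third argument are placeholders for your own values.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;

/** Looks up the SRV names Single Sign-on for Java relies on and reports what the DNS server returns. */
public class AdSrvCheck {

    // The four record names from the guide, for a domain and (optionally) an Active Directory site.
    static List<String> srvNames(String domain, String site) {
        List<String> names = new ArrayList<>();
        names.add("_ldap._tcp." + domain);                     // domain controllers
        names.add("_ldap._tcp.gc._msdcs." + domain);           // global catalogs
        if (site != null) {
            names.add("_ldap._tcp." + site + "._sites." + domain);            // DCs in the site
            names.add("_ldap._tcp." + site + "._sites.gc._msdcs." + domain);  // GCs in the site
        }
        return names;
    }

    // Each answer comes back from the JNDI DNS provider as "priority weight port target".
    static List<String> lookupSrv(DirContext dns, String name) throws NamingException {
        List<String> out = new ArrayList<>();
        try {
            Attributes attrs = dns.getAttributes(name, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            if (srv == null) return out;
            for (NamingEnumeration<?> v = srv.getAll(); v.hasMore(); ) out.add(v.next().toString());
        } catch (NameNotFoundException e) {
            // No such name: the DNS server has no SRV record for it; the caller reports it as missing.
        }
        return out;
    }

    public static void main(String[] args) throws NamingException {
        String domain = args.length > 0 ? args[0] : "EXAMPLE.COM";   // placeholder domain from the guide
        String site = args.length > 1 ? args[1] : "Brisbane";        // placeholder site from the guide
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        if (args.length > 2) env.put(Context.PROVIDER_URL, "dns://" + args[2]); // optional explicit DNS server
        DirContext dns = new InitialDirContext(env);
        for (String name : srvNames(domain, site)) {
            List<String> answers = lookupSrv(dns, name);
            System.out.println(name + (answers.isEmpty() ? ": no SRV records" : ": " + answers));
        }
        dns.close();
    }
}
```

A name that prints "no SRV records" is one the DNS server cannot answer; if that server is not the one Single Sign-on for Java picks up automatically, point the product at a suitable one with the jcsi.kerberos.nameservers property described above.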

Time Synchronization Service

The Kerberos protocol requires that the system clocks on all machines — Active Directory domain controllers, clients, and Single Sign-on for Java-enabled application servers — be within the allowable Active Directory Kerberos clock skew (5 minutes by default).

Time synchronization may be provided automatically if Single Sign-on for Java is running either:

  • on a Windows machine joined to Active Directory, or
  • on a UNIX or Linux machine running Authentication Services

Otherwise, application server clocks will need to be kept within the allowable clock skew (for example, 5 minutes) of the Active Directory domain controller.

Note: Clock drift can be particularly severe for hosts running in virtual machines.

Configuring Active Directory for Single Sign-on for Java

Before you deploy Single Sign-on for Java, you will need to have access to an Administrator account on Active Directory to establish the required Single Sign-on for Java-specific configuration.

Setting up the service account

In order for Single Sign-on for Java to authenticate clients, Single Sign-on for Java must be represented as an object in Active Directory. There are two ways to create this object:

  • If you are running Single Sign-on for Java on a UNIX or Linux machine that also has Authentication Services installed, you have the option of using Authentication Services to help with the setup process for Single Sign-on for Java. This alternative setup method is outlined in Setup with Authentication Services.
  • Otherwise, setup involves configuration using the Active Directory Users and Computers interface and the use of Active Directory’s setspn tool on your Active Directory domain controller.

The following sections describe the steps for setting up the service account in Active Directory.
