Preparing for Single Sign-on for Java
This section discusses the environment needed for a Single Sign-on for Java deployment. It includes requirements relating to setting up Active Directory, Java application server hosts, and client machines.
Pre-Installation overview
Before you can install Single Sign-on for Java successfully, a number of conditions must be met. You will need:
- A network architecture which:
- Installation and configuration of Active Directory on your Windows servers. See Configuring Active Directory for Single Sign-on for Java, including Setting up the service account. If you opt to allow delegation, refer to the section on Enabling delegation.
- A Java application server supported by Single Sign-on for Java (see the Release Notes and application-specific documentation), and relevant port access on any firewall between the application server and the Active Directory machine. For production systems, creation of a keytab file on your application server is a recommended option. See Creating keytab files.
- At least one working client capable of supporting SPNEGO or NTLM authentication. See Setting up a client machine. This may involve installation of a supported web browser (see the Release Notes), and its configuration for SPNEGO or NTLM authentication. See Browsers and authentication.
Network infrastructure
Before you install Single Sign-on for Java you will need a network architecture which provides host and client machines suitable for Active Directory operations. The following sections describe the conditions that must be met:
Active Directory environment
In order to work with Single Sign-on for Java you will need:
- An Active Directory domain.
- A host running a supported Java application server.
- A client machine joined to the Active Directory domain and with a supported web browser installed.
All machines must have access to a Domain Name Service and a Time Synchronization Service, as outlined in detail below.
Note that:
- The client should be a different host than the application server host; if they are the same, Internet Explorer will perform NTLM instead of SPNEGO.
- As a general rule, you should not run Single Sign-on for Java on the same host as Microsoft IIS, because it is difficult to configure SPNEGO to work with both of them.