Single Sign-on for Java uses DNS lookups to retrieve important information about Active Directory domains and hosts, for example: a DNS SRV query for “_ldap._tcp.EXAMPLE.COM” to find all the domain controllers for the EXAMPLE.COM domain.
If you are running Single Sign-on for Java on a Windows machine joined to Active Directory, or on UNIX or Linux with Authentication Services, DNS should already be configured correctly.
Otherwise, check whether the DNS server that the machine is using supports SRV resource records such as:
Note: If Single Sign-on for Java is unable to locate the DNS servers automatically, use the jcsi.kerberos.nameservers system property to explicitly specify one or more of the DNS servers that Single Sign-on for Java should use. See Appendix: Configuration Parameters for more information.
The Kerberos protocol requires that the system clocks on all machines — Active Directory domain controllers, clients, and Single Sign-on for Java-enabled application servers — be within the allowable Active Directory Kerberos clock skew (5 minutes by default).
Time synchronization may be provided automatically if Single Sign-on for Java is running either:
Otherwise, application server clocks will need to be kept within the allowable clock skew (for example, 5 minutes) of the Active Directory domain controller.
Note: Clock drift can be particularly severe for hosts running in virtual machines.
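The two prerequisites above (an SRV-capable DNS server and clocks within the Kerberos skew tolerance) can be checked before deployment. The following Python script is an added example written for this page; it is not part of Single Sign-on for Java or One Identity's documentation. It parses the answer to an SRV query for `_ldap._tcp.EXAMPLE.COM` in the form `dig` prints it, orders the domain controllers by priority and weight as RFC 2782 specifies, and compares a server clock against the 5-minute default skew. The record lines are a constructed sample and the function names (`parse_srv_records`, `order_by_rfc2782`, `check_clock_skew`, `preflight`) are assumptions of this example.

```python
"""Pre-deployment checks: SRV lookup result and Kerberos clock skew.
Example code written for this page; not part of Single Sign-on for Java."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import random

# Active Directory's default maximum Kerberos clock skew.
DEFAULT_MAX_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_records(answer_lines):
    """Parse SRV records in zone-file form, e.g. as printed by dig:
    '_ldap._tcp.EXAMPLE.COM. 600 IN SRV 0 100 389 dc1.example.com.'
    Blank lines and ';' comment lines are skipped."""
    records = []
    for line in answer_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "SRV" not in fields:
            raise ValueError(f"not an SRV record: {line!r}")
        i = fields.index("SRV")
        priority, weight, port, target = fields[i + 1:i + 5]
        records.append(SrvRecord(int(priority), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def order_by_rfc2782(records, rng=None):
    """Order records as a client should try them: ascending priority, and
    within one priority a weighted random order (RFC 2782), so that load
    is spread across the domain controllers the SRV records advertise."""
    rng = rng or random.Random()
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for priority in sorted(by_priority):
        # RFC 2782: zero-weight records go first so they are rarely chosen.
        remaining = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            n = rng.randint(0, total)
            running = 0
            for r in remaining:
                running += r.weight
                if running >= n:
                    chosen = r
                    break
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered


def check_clock_skew(local_time, dc_time, max_skew=DEFAULT_MAX_SKEW):
    """Return (within_tolerance, skew). Both times must be timezone-aware;
    comparing a naive local time with a UTC domain-controller time is a
    common way to misjudge skew."""
    if local_time.tzinfo is None or dc_time.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    skew = abs(local_time - dc_time)
    return skew <= max_skew, skew


def preflight(answer_lines, local_time, dc_time, rng=None):
    """Run both checks and return a summary a deployment script can act on."""
    dcs = order_by_rfc2782(parse_srv_records(answer_lines), rng)
    ok, skew = check_clock_skew(local_time, dc_time)
    return {
        "domain_controllers": [f"{r.target}:{r.port}" for r in dcs],
        "clock_ok": ok,
        "skew_seconds": skew.total_seconds(),
    }


# Constructed sample: the answer section of a SRV query for
# _ldap._tcp.EXAMPLE.COM, in the form dig prints it.
SAMPLE_SRV_ANSWER = [
    "; ANSWER SECTION (constructed sample)",
    "_ldap._tcp.EXAMPLE.COM. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.EXAMPLE.COM. 600 IN SRV 0 0 389 dc2.example.com.",
    "_ldap._tcp.EXAMPLE.COM. 600 IN SRV 10 100 389 dc3.example.com.",
]


def run_demo(dc_offset_seconds=299):
    """Run both checks on the sample, with the DC clock offset (seconds,
    may be negative) from a fixed reference time."""
    local = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    dc_clock = local + timedelta(seconds=dc_offset_seconds)
    return preflight(SAMPLE_SRV_ANSWER, local, dc_clock, random.Random(1))


if __name__ == "__main__":
    print(run_demo())
```

On a real host the input to `parse_srv_records` would be the answer section of `dig SRV _ldap._tcp.EXAMPLE.COM` (or the equivalent `nslookup -type=SRV` output), and `dc_time` would come from the domain controller rather than a constructed offset. An empty result from the parser means the DNS server did not return SRV records, which is the case the note above addresses with the jcsi.kerberos.nameservers property.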
Before you deploy Single Sign-on for Java, you will need to have access to an Administrator account on Active Directory to establish the required Single Sign-on for Java-specific configuration.
In order for Single Sign-on for Java to authenticate clients, Single Sign-on for Java must be represented as an object in Active Directory. There are two ways to create this object:
The following sections describe the steps for setting up the service account in Active Directory.