For SSO to work in Mozilla Firefox, both on the host where Management Console for Unix is installed and from a remote browser, you must configure the web browser to use Windows Integrated Authentication so that it authenticates automatically.
To configure a Firefox web browser for SSO
Enter about:config in the URL address field of your web browser.
Enter negotiate in the filter search box.
Locate and configure the following Firefox preferences:
network.negotiate-auth.delegation-uris = https://
network.negotiate-auth.trusted-uris = https://
Save your changes and restart the browser for the changes to take effect.
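The following is an added example, not part of the One Identity documentation: a Python check that reads the text of a Firefox prefs.js or user.js file and reports entries in the two preferences above that are broader than a single HTTPS host. A bare scheme such as https:// matches every HTTPS site, so Firefox would offer Negotiate authentication (and, for delegation-uris, credential delegation) to all of them; the host names and the sample preferences text are constructed for illustration.

```python
import re

# The two preferences named in the procedure above.
NEGOTIATE_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)

# Matches string-valued lines such as: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)

# Constructed sample input (not taken from a real profile).
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "https://");
user_pref("network.negotiate-auth.delegation-uris", "https://console.example.test, http://old.example.test");
'''

def parse_prefs(text):
    """Return {name: value} for every string-valued user_pref() line."""
    return dict(PREF_RE.findall(text))

def classify_entry(entry):
    """Classify one comma-separated entry of a negotiate-auth URI list."""
    entry = entry.strip()
    if not entry:
        return "empty"
    scheme, sep, rest = entry.partition("://")
    host = (rest if sep else entry).split("/", 1)[0]
    if sep and not host:
        return "any-host"      # bare scheme: every site using that scheme
    if sep and scheme.lower() == "http":
        return "cleartext"     # Negotiate offered over plain HTTP
    if host.startswith("."):
        return "domain-wide"   # every host under a DNS suffix
    return "host"

def audit(text):
    """Return (pref, entry, kind) for each entry wider than one HTTPS host."""
    prefs = parse_prefs(text)
    findings = []
    for name in NEGOTIATE_PREFS:
        for entry in prefs.get(name, "").split(","):
            kind = classify_entry(entry)
            if kind in ("any-host", "cleartext", "domain-wide"):
                findings.append((name, entry.strip(), kind))
    return findings

if __name__ == "__main__":
    for pref, entry, kind in audit(SAMPLE_PREFS):
        print(f"{pref}: {entry!r} -> {kind}")
```

To audit a real profile, pass the contents of its prefs.js to audit().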
In order for SSO to work on Windows Internet Explorer on the host where Management Console for Unix is installed, and from a remote browser, you must specify the sites in the Internet Security properties.
To configure an IE web browser for SSO
If system credentials are available, Management Console for Unix attempts single sign-on by default. However, if you are experiencing problems, you can disable single sign-on.
To disable single sign-on
Locate the custom.cfg file.
(See Setting Custom Configuration Settings for general information about customizing configuration settings for the management console.)
Add the following system variable to the custom.cfg file to completely disable single sign-on:
#-Dconsole.login.sso.disable=true
To disable single sign-on using the WinSSPI:
#-Dconsole.login.sso.sspi-only=true
Save the custom.cfg file.
Restart the Management Console for Unix service.
(See Start/Stop/Restart Management Console for Unix Service for details.)
If you are experiencing (non-SSO) login difficulties on a Windows server and the log file indicates that SSPI is unable to find the domain, you can disable SSPI and "fall back" to the JCSI provider. To do this you must add a system variable to the custom.cfg configuration file.
Note: The drawback of using JCSI on a Windows server is that some integration features (such as SCP, SSO, and trusted KDC) are unavailable.
Security Support Provider Interface (SSPI) is used to provide web single sign-on on Windows, but it limits logins and administration to domains within the same forest as the Windows host. If you are hosting the console on a Windows server joined to a forest different from the one it is administering, you should disable SSPI. A pure-Java Kerberos implementation will be used instead, but it will not be able to do single sign-on on Windows.
To disable SSPI
Open the custom.cfg file for editing.
(See Setting Custom Configuration Settings for general information about customizing configuration settings for the management console.)
Add the following properties to the custom.cfg file to disable SSPI:
-Dconsole.sspi.disable=true
Or, if your problem is only with TGT validation, add this line:
-Dconsole.sspi.disable-self-test=true
Save the custom.cfg file.
Restart the Management Console for Unix service.
(See Start/Stop/Restart Management Console for Unix Service for details.)
© 2023 One Identity LLC. ALL RIGHTS RESERVED.