If you are running Single Sign-on for Java on a Unix machine that does NOT have Authentication Services installed, use the Active Directory Users and Computers console and the setspn command-line tool on your Active Directory domain controller to set up the service account in Active Directory. The following sections describe how to perform this setup.
To create an Active Directory account for Single Sign-on for Java
This opens the New Object-User window.
Figure 6: New Object-User window (Windows Server 2008 example)
A dialog box displays.
Figure 7: Account tab for user (Windows Server 2008 example)
The default Kerberos encryption type used by Active Directory is RC4 (RC4-HMAC). Microsoft has since deprecated RC4 for Kerberos in favor of AES, so prefer AES wherever your domain functional level allows it.
Single DES (56-bit) encryption is available for compatibility with other Kerberos implementations, but is not recommended: it offers no meaningful resistance to brute force, and it is disabled by default on Windows 7, Windows Server 2008 R2 and later.
If the domain you are configuring is at the Windows Server 2008 or higher domain functional level, the newer and stronger AES 256-bit and AES 128-bit Kerberos encryption types are available, and the corresponding options appear on the account's configuration panel. The Kerberos AES encryption types are not available in Windows Server 2003 and earlier environments.
When more than one Kerberos encryption type is enabled for the service account, the KDC issues service tickets with the strongest type that both the requesting client and the account support, so enabling AES 256 makes it the type actually used by AES-capable clients. The keytab used by Single Sign-on for Java must then contain a key of that type with the current key version number, or the service will be unable to decrypt the tickets it receives.
In general, the recommended order of suitability and strength of Kerberos encryption types for Single Sign-on for Java is:
For a client (for example, Internet Explorer) to authenticate to Single Sign-on for Java, it must be able to locate the service account for the Single Sign-on for Java service, as created in Setup using Active Directory tools. A browser does this by requesting a service ticket for a Service Principal Name (SPN) that it derives from the host name in the URL, in a form like HTTP/appservhost1.example.com. For that request to succeed, the SPN must be mapped to the service account in Active Directory; because users may type either the fully qualified or the short host name, both forms are normally registered. This mapping is created on your domain controller.
To create a mapping between the service account and an SPN
For more information on the availability and installation of this utility, check the Microsoft site at http://support.microsoft.com.
setspn -A HTTP/appservhost1.example.com vsj_appservhost1
setspn -A HTTP/appservhost1 vsj_appservhost1
Note: The “setspn -A” command does not check existing mappings before creating a new one, and may silently create a duplicate (the same SPN registered on two accounts). The KDC then cannot tell which account's key to use and responds as though the SPN does not exist, so clients see an error in the form “Server not found in Kerberos database” (KDC_ERR_S_PRINCIPAL_UNKNOWN). You will need to eliminate the duplicate entries (“setspn -D <SPN> <account>”) before the mapping will work.
“setspn -S” checks for duplicate SPN mappings within the current domain before adding a new mapping; “setspn -F -S” checks over the entire forest. To audit for existing duplicates, run “setspn -X” (or “setspn -X -F” for the forest); to list the SPNs registered on an account, run “setspn -L <account>”.
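The following script is an added example, not part of the Single Sign-on for Java documentation, that ties the two preceding sections together: it restricts the service account to the AES encryption types and then registers both SPN forms with the duplicate checks described above. It assumes an elevated PowerShell session on a domain controller (or an administrative host with RSAT) where the ActiveDirectory module is available, a domain functional level of Windows Server 2008 or later, and that the account vsj_appservhost1 already exists; the host and account names are the page's own examples and must be changed for your environment.

```powershell
# Added example; not part of the Single Sign-on for Java documentation.
# Assumptions: elevated PowerShell on a domain controller (or RSAT host),
# ActiveDirectory module present, domain functional level >= Windows Server
# 2008, and the service account below already exists. Names are the page's
# examples; adjust them for your environment.

Import-Module ActiveDirectory

$Account = 'vsj_appservhost1'
$Spns    = @('HTTP/appservhost1.example.com', 'HTTP/appservhost1')

# 1. Allow only AES on the service account. This sets
#    msDS-SupportedEncryptionTypes to 0x18 (AES128 | AES256); RC4 and DES
#    are deliberately left out, so the keytab used by the Java side must
#    carry AES keys with the account's current key version number.
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'
$acct = Get-ADUser -Identity $Account -Properties msDS-SupportedEncryptionTypes
'{0}: msDS-SupportedEncryptionTypes = 0x{1:X}' -f $Account, $acct.'msDS-SupportedEncryptionTypes'

# 2. Register each SPN only if no object in the forest already holds it.
#    "setspn -F -Q" searches the whole forest and prints the owning object's
#    DN followed by "Existing SPN found!" when the SPN is already registered.
foreach ($spn in $Spns) {
    $query = & setspn.exe -F -Q $spn
    if ($query -match 'Existing SPN found') {
        if ($query -contains $acct.DistinguishedName) {
            Write-Host "$spn is already mapped to $Account; nothing to do."
        } else {
            $owner = ($query | Where-Object { $_ -match '^CN=' }) -join '; '
            Write-Warning "$spn is already mapped to another object: $owner"
            Write-Warning "Adding it again would create a duplicate; remove it first with: setspn -D $spn <that-account>"
        }
        continue
    }
    # -S (not -A) refuses to add the SPN if a duplicate exists; -F widens
    # that check from the domain to the forest.
    & setspn.exe -F -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Error "setspn -S failed for $spn (exit code $LASTEXITCODE)."
    }
}

# 3. Show what is now registered on the account, then audit the forest for
#    duplicate SPNs, the condition behind "Server not found in Kerberos database".
& setspn.exe -L $Account
& setspn.exe -X -F
```

Step 2 queries before adding so that the script can report who already owns an SPN rather than just failing; step 3 is worth re-running after any later change to the account. Once the account is AES-only, regenerate the keytab for Single Sign-on for Java so that it contains AES keys, since tickets issued with an encryption type the keytab lacks cannot be decrypted by the service.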