
Single Sign-On for Java 3.3.2 - Administration Guide


Setup using Active Directory tools

If you are running Single Sign-on for Java on a Unix machine that does NOT have Authentication Services installed, use the Active Directory Users and Computers interface and Active Directory's setspn tool on your Active Directory domain controller to set up the service account in Active Directory. The following sections describe how to perform this setup.

Creating a service account

To create an Active Directory account for Single Sign-on for Java

  1. Log onto a domain controller for the Active Directory domain.
  2. Click the Start menu, navigate to Programs | Administrative Tools.
  3. Click Active Directory Users and Computers.
  4. Click the Users folder to display a list of users. On the Action menu, point to New, and then click User.

    This opens the New Object-User window.

    Figure 6: New Object-User window (Windows Server 2008 example)

  5. Enter a name and logon name for the new service, and click Next.
  6. The user name should consist of standard alphanumeric characters and no whitespace, as it needs to be entered in a command prompt later.
  7. On the next screen, enter a password for the service. Ensure that User must change password at next logon is not selected, and that Password Never Expires is selected. Click Next, and then Finish.
  8. Right-click the user you just entered in the User folder list, and then click Properties.

    A dialog box displays.

  9. Select the Account tab.
  10. In the Account options area, scroll down to review the available encryption options for Kerberos operations. See the notes on the available options under Kerberos Encryption Types for Active Directory, below.
  11. When option choices are finalized here, click OK.

    Figure 7: Account tab for user (Windows Server 2008 example)

Kerberos Encryption Types for Active Directory

The default Kerberos encryption type used by Active Directory is RC4.

Single DES (56 bit) encryption is available for compatibility with other Kerberos implementations, but it is not recommended as the preferred method.

If the Domain Controller you are configuring is running at the Windows Server 2008 or higher domain functional level, the newer and stronger AES 256 bit and AES 128 bit Kerberos encryption types are available, and appear in your configuration panel. The Kerberos AES encryption types are not available in Windows Server 2003 and earlier environments.

When more than one Kerberos encryption type is configured for your system, the strongest form is generally preferred, so turning on Kerberos AES 256 encryption makes it the type that will be chosen.

In general, the recommended order of suitability and strength of Kerberos encryption types for Single Sign-on for Java is:

  1. AES 256
  2. AES 128
  3. RC4
  4. DES
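The following PowerShell script is an added example, not part of the Single Sign-on for Java guide or the product: it performs the account creation steps above from the command line instead of the Active Directory Users and Computers interface, restricts the account's Kerberos encryption types to AES as the ordering above recommends, and reads the result back so you can confirm what the domain controller actually stored. It assumes the ActiveDirectory PowerShell module (RSAT) is present, that the caller may create users, and that the account name, OU and UPN suffix shown are placeholders for your own environment.

```powershell
# Added example (not from the Single Sign-on for Java guide): command-line
# equivalent of the GUI steps for creating the service account, plus a check
# of the Kerberos encryption types that ended up on the account.
Import-Module ActiveDirectory

$AccountName = 'vsj_appservhost1'                       # assumed service account name
$TargetOU    = 'OU=Service Accounts,DC=example,DC=com'  # assumed OU (placeholder)
$Upn         = "$AccountName@example.com"               # assumed UPN suffix (placeholder)

# Prompt for the password so it never lands in a script file or in shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# The account name is used later on a setspn command line, so keep it to plain
# alphanumeric characters and underscores with no whitespace.
if ($AccountName -notmatch '^[A-Za-z0-9_]+$') {
    throw "Account name '$AccountName' contains characters that are awkward on a command prompt."
}

$userParams = @{
    Name                  = $AccountName
    SamAccountName        = $AccountName
    UserPrincipalName     = $Upn
    Path                  = $TargetOU
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $false   # "User must change password at next logon" stays unticked
    PasswordNeverExpires  = $true    # "Password Never Expires" is ticked
}
New-ADUser @userParams

# Restrict the account to the AES types. These exist only at the Windows Server 2008
# domain functional level or higher; on older domains the attribute is ignored and
# the account keeps the RC4 default. The KDC picks the strongest type both sides
# support, so AES 256 wins whenever the client can use it.
Set-ADUser -Identity $AccountName -KerberosEncryptionType 'AES256,AES128'

# Read back what was stored. msDS-SupportedEncryptionTypes is a bit mask:
# 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
$acct  = Get-ADUser -Identity $AccountName -Properties 'msDS-SupportedEncryptionTypes'
$mask  = [int]$acct.'msDS-SupportedEncryptionTypes'
$flags = @{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }
$enabled = $flags.Keys | Sort-Object | Where-Object { $mask -band $_ } | ForEach-Object { $flags[$_] }
"$AccountName supports: $($enabled -join ', ')"

# Weakest-first warning, following the suitability order given in the guide.
if ($mask -band 0x3) {
    Write-Warning "DES is enabled on $AccountName; the guide lists it as the least suitable type."
}
```

If the AES types are absent from the read-back output after this runs, the domain functional level is below Windows Server 2008 and the account will negotiate RC4, which is the next entry in the ordering above.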

Setting Service Principal Name (SPN) Mappings

For a client (for example, Internet Explorer) to be able to authenticate to Single Sign-on for Java, it needs to locate the service account for the Single Sign-on for Java service, as created in Setup using Active Directory tools. A browser, for example, does this by looking up a Service Principal Name (SPN) in a form like HTTP/<fully-qualified-hostname>. For that lookup to succeed, you must map the SPN to the service account. This action is taken on your domain controller.

To create a mapping between the service account and an SPN

  1. Obtain the setspn utility and ensure it is available on the command PATH.

    For more information on the availability and installation of this utility, check the Microsoft site at

  2. Launch a command prompt on your domain controller. Run setspn with arguments based on the following format:

    setspn -A HTTP/<fully-qualified-hostname> vsj_appservhost1

    setspn -A HTTP/appservhost1 vsj_appservhost1

    • <fully-qualified-hostname> is the fully-qualified hostname of the application server where Single Sign-on for Java is to be installed.
    • appservhost1 is the unqualified hostname (short name) of the server where Single Sign-on for Java is to be installed.
    • vsj_appservhost1 is the name of the user account you have previously created for Single Sign-on for Java.

Note: The “setspn -A” command does not check existing mappings before creating a new one, and may silently create duplicates. An error message in the form “Server not found in Kerberos database” may then appear if you attempt to access a duplicated mapping, as though the specified SPN doesn’t exist. You will need to eliminate duplicated entries before a mapping will work.

If running a Windows Server 2008 domain, you can substitute commands in the form “setspn -S” or “setspn -F -S” for “setspn -A”.

“setspn -S” checks for duplicate SPN mappings within the current domain before adding a new mapping. “setspn -F -S” checks over the entire forest.
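The following PowerShell script is an added example and is not part of the Single Sign-on for Java guide: it registers the two SPNs described above on the service account, but first searches the current domain for any other object already holding each SPN, so that the silent-duplicate behaviour of “setspn -A” noted above cannot occur, and reports the existing holder instead of adding a second mapping. The hostnames and account name are assumptions standing in for your own values; the $ForestWide switch selects “setspn -F -S” for Windows Server 2008 domains.

```powershell
# Added example (not from the Single Sign-on for Java guide): map the HTTP SPNs
# to the service account with an explicit duplicate check first.
Import-Module ActiveDirectory

$AccountName = 'vsj_appservhost1'           # assumed service account name
$ShortHost   = 'appservhost1'               # assumed unqualified hostname
$Fqdn        = 'appservhost1.example.com'   # assumed fully-qualified hostname (placeholder)
$Spns        = @("HTTP/$Fqdn", "HTTP/$ShortHost")
$ForestWide  = $false   # $true runs "setspn -F -S" (Windows Server 2008 domains)

$account = Get-ADUser -Identity $AccountName

foreach ($spn in $Spns) {
    # Domain-level duplicate check, the same test "setspn -S" performs before adding.
    # If the SPN is mapped to more than one object the KDC cannot choose a key for the
    # ticket, and the client sees "Server not found in Kerberos database" even though
    # the SPN exists.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    $others  = @($holders | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })

    if ($others.Count -gt 0) {
        Write-Warning ("$spn is already mapped to: " + ($others.DistinguishedName -join '; ') +
                       ". Remove the stale mapping (setspn -D) before retrying.")
        continue
    }
    if ($holders.Count -gt 0) {
        "$spn is already mapped to $AccountName; nothing to do."
        continue
    }

    # Let setspn repeat the duplicate check at add time (domain or forest scope).
    $setspnArgs = if ($ForestWide) { @('-F', '-S', $spn, $AccountName) }
                  else             { @('-S', $spn, $AccountName) }
    & setspn.exe @setspnArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn failed for $spn (exit code $LASTEXITCODE)"
    }
}

# Read back the SPNs now registered on the account object.
"SPNs on ${AccountName}:"
(Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
```

The LDAP search covers only the current domain; when the application server's SPN could also exist in another domain of the forest, set $ForestWide to $true so that the final add goes through “setspn -F -S”, which performs the forest-wide check described above.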
