Chat now with support
Chat with Support

Single Sign-On for Java 3.3.2 - Administration Guide

About this guide Introducing Single Sign-on for Java Preparing for Single Sign-on for Java Deploying Single Sign-on for Java
Getting started with Single Sign-on for Java Single Sign-on for Java and your web applications Setting up logging Controlling access to resources
Security Issues Maintenance and Troubleshooting Appendix: Configuration Parameters Appendix: Using the JKTools

NTLM and Internet Explorer

Internet Explorer permits four options for using the NTLM authentication mechanism:

  1. Anonymous logon: Connect to a server without attempting to provide or send logon information
  2. Automatic logon only in Intranet zone: Connect to a server by using your current session username and password, but only if the server is in your Local Intranet zone
  3. Automatic logon with current username and password: Connect to a server by using your current Windows user name and password
  4. Prompt for user name and password: Connect to a server by providing a user name and password when prompted

We do not recommend using option 3, as a malicious Web site operator can trick Internet Explorer into responding to a NTLM challenge and obtaining the password by cracking the response.

Alternatively, an attacker can send an email with a link back to the attacker's Web site, which sends an NTLM authentication challenge when the user clicks on the link.

If Internet Explorer has not been securely configured, the on-site server encrypts that challenge with the user’s password hash as the key and sends it back as the response.

The attacker may then be able to crack the user’s internal domain password.

One Identity recommends that:

  • For your Intranet zone (and perhaps Trusted sites zone, if you use that zone for business partners in an extranet scenario), you set Logon to Automatic logon only in Intranet zone.
  • For your Internet and Restricted sites zone, you should use Anonymous logon or Prompt for user name and password.
  • If you select Anonymous logon, Internet Explorer won’t respond to authentication requests.
  • If you select Prompt for user name and password, Internet Explorer won’t automatically respond to authentication requests with the user’s domain credentials; instead, Internet Explorer displays a window asking the user for credentials.

Maintenance and Troubleshooting

This section discusses the common maintenance issues relating to a Single Sign-on for Java deployment and provides solutions to some common problems which may be experienced when configuring and deploying applications using Single Sign-on for Java.


This section discusses the maintenance issues relating to a Single Sign-on for Java deployment.


Single Sign-on for Java supports logging at different levels (see Setting up logging). For maintenance purposes, logging at WARN level is recommended, along with regular inspection of the generated log file. Regular inspection should alert the administrator to potential problems within Single Sign-on for Java.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating