Using Kerberos SSO
Kerberos SSO Support Overview
Kerberos single sign-on (SSO) is a method of access control that allows a user to log in once to the client desktop without being prompted again for credentials.
The Kerberos SSO feature uses Kerberos authentication to automatically sign in users with the same credentials they used to access their Windows desktops. After you configure Kerberos SSO, the sign-in dialog box does not appear to users.
Requirements and Limitations
The following requirements and limitations apply to the Kerberos SSO implementation:
- The SSO feature requires a Windows NT Primary Domain Controller (PDC) or Active Directory for user authentication.
- The Kerberos SSO feature is not supported on Windows NT Server 4.0 or earlier.
- The clocks on Ivanti Policy Secure and the Windows Active Directory authentication server must be synchronized to within 2 minutes of each other.
- The Active Directory controller must be deployed in front of Ivanti Policy Secure.
- The Windows endpoint computers must be joined to the same domain that Ivanti Policy Secure uses for authentication. Alternatively, make sure the Windows endpoint computers are joined to a domain that has a trust relationship with the domain that Ivanti Policy Secure uses for authentication.
- Users must sign into their endpoint computers in the domain of the Windows Active Directory authentication server or in a trusted domain.
- The Enable SSO option for a realm is visible only if the Windows Active Directory authentication server is used for authenticating users of the selected realm.
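The 2-minute clock requirement above can be checked with a single SNTP exchange. The following is an added example, not Ivanti code: it computes the offset between the local clock and an NTP responder and compares it with the 120-second limit. It assumes the Active Directory server answers NTP on UDP 123 and that the script runs on a host synchronized to the same time source as Ivanti Policy Secure; all function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_SECONDS = 120        # the 2-minute limit from the requirements list


def to_ntp(unix_time):
    """Pack a Unix time as a 64-bit NTP timestamp (seconds + 32-bit fraction)."""
    ntp = unix_time + NTP_EPOCH_DELTA
    return struct.pack("!II", int(ntp), int((ntp % 1) * 2**32))


def from_ntp(raw):
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply, t1, t4):
    """Server clock minus local clock in seconds; t1/t4 are local send/receive times."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    t2 = from_ntp(reply[32:40])  # server receive timestamp
    t3 = from_ntp(reply[40:48])  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2


def within_tolerance(offset, limit=MAX_SKEW_SECONDS):
    return abs(offset) <= limit


def query_offset(server, timeout=3.0):
    """Send one SNTP client request to `server` (UDP 123) and return the offset."""
    request = b"\x23" + bytes(47)  # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def sample_reply(t2, t3):
    """Constructed 48-byte server reply for offline use (not captured traffic)."""
    return b"\x24\x02" + bytes(30) + to_ntp(t2) + to_ntp(t3)
```

For a live measurement, pass the Active Directory server's host name to `query_offset` and feed the result to `within_tolerance`; a positive offset means the server clock is ahead of the local one.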
Enabling Kerberos SSO
To enable Kerberos SSO:
- Select Authentication > Auth. Servers.
- Select New Active Directory / Windows NT and click New.
- Complete the configuration. Enable the Kerberos authentication protocol option.
- Configure the realm:
  - Select Administrators > Admin Realms or Users > User Realms. Specify the realm that must use the Active Directory server to authenticate and authorize administrators and users.
  - Select Administrators > Admin Realms > Select Realm > Authentication Policy > SSO to ensure that the Enable SSO option is enabled (the default).