Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

When Kerberos is set up in the Kantega Single sign-on add-on it will upon first visit from a browser send a request to the browser if a Kerberos ticket is availabe. Then, if the browser is Kerberos enabled and runs in a Kerberos enabled environment (this is often, but not always a Windows environment), the browser will request it's operating system for a Kerberos ticket for the given web site. The web site is during this request identified against Active Directory or other KDC (Key Distributuion Center) using the site's cannoncial name (the DNS A record). The KDC names this identity as service principal name.

Image Added

The KDC will then in cooperation with the operating system generate a valid Kerberos ticket for the web site and send this back to the browser. The browser will send the ticket back to the web site and the Kantega Single sign-on add-on will pick up the ticket and verity it's validity against the Keytab file. The Keytab file was earlier extracted from the KDC and installed in the Kantega Single sign-on add-on and is to be considered a certificate to approve each Kerberos ticket signed by the KDC.