Hi Jens,
In general I always feel there are issues when trying to mix Kerberos authentication with other authentication types on the same WebSEAL server. Mostly this is caused by browser behaviour when Kerberos is attempted but subsequently fails (or is cancelled). I've seen browsers just keep presenting an NTLM header which causes WebSEAL to throw an error. I've heard stories of people successfully setting this up (using redirects in NTLM error page for example) but have never managed it myself in a satisfactory way.
The approach I've usually recommended is to use a different reverse proxy to support Kerberos than the one that supports other mechanisms. Depending on network architecture it may be possible to make this invisible to clients by using DNS to direct those with access to a domain controller to the Kerberos-enabled proxy cluster.
What user experience are you trying to achieve? Without prompting for Kerberos it's hard to find out if the client supports it - and once you prompt you have the issue I mentioned at the start.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
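The "browser keeps presenting an NTLM header" failure Jon describes is visible in the Authorization header itself, so one practical triage step is to look at what the Negotiate token actually contains before deciding where a request should go. The following is an added example (my own Python, not from this thread, WebSEAL or IBM) that classifies a header value as raw NTLM, SPNEGO-wrapped or bare Kerberos by the NTLMSSP signature and the GSS-API mechanism OID. All header values are constructed test data, and route_for() is an assumption about how one might choose between Jon's Kerberos-enabled cluster and the other proxy; it is not a WebSEAL feature.

```python
import base64

# Byte patterns that identify what a browser put inside an
# "Authorization: Negotiate <base64>" header. A raw NTLM message starts with
# the NTLMSSP signature; a GSS-API InitialContextToken (RFC 2743, 3.1) starts
# with tag 0x60, a DER length, and then the DER-encoded mechanism OID.
NTLM_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                          # short form: single byte
        return first, pos + 1
    n = first & 0x7F                          # long form: n big-endian bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value: str) -> str:
    """Classify an Authorization header as 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLM_SIGNATURE):      # browser fell back to raw NTLM
        return "ntlm"
    if token[:1] != b"\x60":                  # not an InitialContextToken
        return "unknown"
    try:
        length, pos = _der_length(token, 1)
    except (ValueError, IndexError):
        return "unknown"
    if length != len(token) - pos:            # declared length must cover the rest
        return "unknown"
    body = token[pos:]
    if body.startswith(OID_SPNEGO):
        return "spnego"
    if body.startswith(OID_KRB5):
        return "kerberos"
    return "unknown"


def route_for(header_value: str) -> str:
    """Hypothetical routing hint: only a Kerberos/SPNEGO token can complete at a
    Kerberos-only proxy; anything else needs the proxy with the other mechanisms."""
    kind = classify_negotiate_token(header_value)
    return "kerberos" if kind in ("kerberos", "spnego") else "fallback"


def _gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap an OID plus inner token as an InitialContextToken (test data only)."""
    body = mech_oid + inner
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        enc = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return b"\x60" + length + body


def _header(scheme: str, token: bytes) -> str:
    return f"{scheme} {base64.b64encode(token).decode()}"


# Constructed sample header values (not captured from any real browser or WebSEAL).
# Inner tokens are placeholders; only the outer framing matters for classification.
SAMPLE_HEADERS = {
    "ntlm_type1": _header("Negotiate", NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)),
    "spnego": _header("Negotiate", _gss_token(OID_SPNEGO, b"\xa0\x03\x0a\x01\x00")),
    "kerberos": _header("Negotiate", _gss_token(OID_KRB5, b"\x01\x00" + bytes(200))),
    "basic": "Basic dXNlcjpwYXNzd29yZA==",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:11s} -> {classify_negotiate_token(header):9s} route={route_for(header)}")
```

One caveat when reading the output: a "spnego" result only means the browser sent a SPNEGO wrapper; the mechTypes list inside it can still offer NTLM (OID 1.3.6.1.4.1.311.2.2.10) rather than Kerberos, so the exchange may still fail at a Kerberos-only endpoint. Run the script over Authorization values pulled from proxy logs or a capture to see which clients are actually presenting raw NTLM.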
Original Message:
Sent: Wed July 21, 2021 08:09 AM
From: Jens Petersen
Subject: Kerberos SSO
Hi Jon,
Thanks for confirming, I thought it was that way. Unfortunately that brings some trouble while using Login with AAC and not using WebSEAL, or better, if using both it makes things quite complex as you have different templates. What would you suggest is the best way to use Kerberos at WS and AAC for e-mail login instead of UID?
THX,
Jens
------------------------------
Jens Petersen
------------------------------
Original Message:
Sent: Tue July 20, 2021 08:08 AM
From: Jon Harry
Subject: Kerberos SSO
Hi Jens,
I don't think AAC has any Kerberos authentication mechanism. I'm not sure whether it would be possible to write something in InfoMap - ASN.1 processing would not be fun.
In the past I've known customers that have implemented Kerberos Desktop SSO in their own IIS or WebSphere app servers and integrated with Verify Access using EAI. If I remember correctly, they did this because that allowed them to support a large number of AD domains.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue July 20, 2021 07:28 AM
From: Jens Petersen
Subject: Kerberos SSO
Hello all,
Does anybody know of an option to use Kerberos with AAC rather than WebSEAL?
Cheers,
Jens
------------------------------
Jens Petersen
------------------------------