You can use Simple and Protected GSSAPI Negotiation Mechanism
(SPNEGO) to enable single sign-on (SSO) when using Active Directory
as your LDAP server in a Windows environment. When SSO is enabled,
the LiveCycle user login pages are not required and do not appear.
You can also enable SSO by using HTTP headers. (See Enable SSO using HTTP headers.)
Decide which domain to use to enable SSO. The LiveCycle
server and the users must be part of the same Windows domain or
trusted domain.
In Active Directory, create a user account that represents the LiveCycle
server. (See Create a user account.) If you are configuring more than one domain
to use SPNEGO, create a separate account in each domain and ensure that the
passwords of these accounts are different. If the passwords are the same,
SPNEGO SSO does not work.
Map the service principal name. (See Map a Service Principal Name (SPN).)
Configure the domain controller. (See Prevent Kerberos integrity-check failures.)
Add or edit an enterprise domain as described in Adding domains or Editing and converting existing domains. When you create or edit the
enterprise domain, perform these tasks:
Add or edit
a directory that contains your Active Directory information.
Add LDAP as an authentication provider.
Add Kerberos as an authentication provider. Provide the following
information on the New or Edit Authentication page for Kerberos:
Authentication Provider: Kerberos
DNS IP: The IP address of the DNS server used by the computer where LiveCycle
is running. You can determine this address by running ipconfig /all at a
command prompt; it is listed under DNS Servers.
KDC Host: Fully qualified host name or IP address
of the Active Directory server used for authentication
Service User: The service principal name (SPN) passed
to the KtPass tool. In the example used earlier, the service user
is HTTP/lcserver.um.lc.com.
Service Realm: Domain name for Active Directory. In
the example used earlier, the Domain name is UM.LC.COM.
Service Password: The password of the service user account in Active Directory.
In the example used earlier, the service password is password. This value must
match the account's current password in Active Directory; if the two differ,
Kerberos authentication fails with an integrity-check error.
Enable SPNEGO: Enables the use of SPNEGO for single
sign-on (SSO). Select this option.
Configure SPNEGO client browser settings. (See Configuring SPNEGO client browser settings.)
Create a user account
In SPNEGO, register a service as a user in Active Directory on the domain
controller to represent LiveCycle. On the domain controller, go to
Start Menu > Administrative Tools > Active Directory Users And Computers.
If Administrative Tools is not in the Start menu, use the Control Panel.
Click the Users folder to display a list of users.
Right-click the Users folder and select New > User.
Type the First Name/Last Name and User Logon Name and then click Next.
In the example used in this procedure, the user logon name is spnegodemo.
Type a password. The example in this procedure uses password; because this
password is the long-term Kerberos key of the LiveCycle service, use a strong,
randomly generated password in practice and record it, since you enter the
same value as Service Password in LiveCycle.
Ensure that Password Never Expires is selected and no other options
are selected.
Click Next and then click Finish.
Map a Service Principal Name (SPN)
Obtain the KtPass utility. This utility maps an SPN to a user account in
a realm. You can obtain KtPass as part of the Windows Server Support Tools
or Resource Kit. (See Windows Server 2003 Service Pack 1 Support Tools.)
In a command prompt, run ktpass using the
following arguments:
ktpass -princ HTTP/host@REALM -mapuser user
For
example, type the following text:
ktpass -princ HTTP/lcserver.um.lc.com@UM.LC.COM -mapuser spnegodemo
The
values that you must provide are described as follows:
host: Fully
qualified name of the LiveCycle server or any unique URL. In this example,
it is set to lcserver.um.lc.com.
REALM: The Active
Directory realm for the domain controller. In this example, it is
set to UM.LC.COM. Ensure that you enter the realm in uppercase characters.
To determine the realm for Windows 2003, complete the following steps:
user: The login name
of the user account you created in the previous task. In this example,
it is set to spnegodemo.
If you encounter this error:
DsCrackNames returned 0x2 in the name entry for spnegodemo.
ktpass:failed getting target domain for specified user.
try specifying the user with its domain suffix, as spnegodemo@um.lc.com:
ktpass -princ HTTP/lcserver.um.lc.com@UM.LC.COM -mapuser spnegodemo@um.lc.com
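The same provisioning done with the ActiveDirectory PowerShell module, as an added example that is not part of the LiveCycle documentation. It creates the account with the flags the GUI steps ask for, registers the SPN, and adds the two checks a practitioner wants before pointing LiveCycle at the account: that the SPN is not already registered elsewhere in the forest (a duplicate SPN is the most common cause of Kerberos failures that the ktpass steps do not detect) and that the password is random rather than the placeholder password. The account name, host and realm are the page's own example values; running on a domain controller (or an RSAT host) as an account allowed to create users is an assumption.

```powershell
# Added example (not from the LiveCycle documentation): provision the SPNEGO
# service account and its SPN, with duplicate-SPN and password checks.
# Assumed values: the page's example account spnegodemo, host
# lcserver.um.lc.com and realm UM.LC.COM. Run on a DC or RSAT host as a
# user permitted to create accounts and write servicePrincipalName.
#Requires -Modules ActiveDirectory
param(
    [string]$SamAccountName = 'spnegodemo',
    [string]$ServiceHost    = 'lcserver.um.lc.com',
    [string]$Realm          = 'UM.LC.COM'
)
$ErrorActionPreference = 'Stop'
$spn = "HTTP/$ServiceHost"

# 1. Refuse to continue if the SPN already exists anywhere in the forest.
#    With a duplicate SPN the KDC may encrypt the service ticket with the
#    other account's key, which LiveCycle sees as an integrity-check failure.
#    setspn -Q prints "Existing SPN found!" when the SPN is already registered.
$query = (& setspn.exe -Q $spn 2>&1) -join "`n"
if ($query -match 'Existing SPN found') {
    throw "SPN $spn is already registered:`n$query"
}

# 2. Generate the account password from the system CSPRNG. It is the
#    long-term Kerberos key of HTTP/$ServiceHost and the value entered as
#    Service Password in LiveCycle, so it must be strong and (per the page)
#    unique per domain. It is printed once at the end; store it in a
#    secret store, not in a script.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$raw = New-Object byte[] 32
$rng.GetBytes($raw)
$passwordPlain  = [Convert]::ToBase64String($raw)
$passwordSecure = ConvertTo-SecureString $passwordPlain -AsPlainText -Force

# 3. Create the account with the flags the GUI steps require
#    (Password Never Expires, no change at next logon). Setting the UPN to
#    the principal mirrors what ktpass -mapuser does: LiveCycle logs in to
#    the KDC as HTTP/host@REALM with this password, so the KDC must resolve
#    that name to this account.
New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName "$spn@$Realm" `
           -AccountPassword $passwordSecure `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -ChangePasswordAtLogon $false `
           -ServicePrincipalNames @($spn) `
           -Description "LiveCycle SPNEGO service account ($spn)"

# 4. Verify the mapping as the KDC sees it.
$acct = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames, PasswordNeverExpires
if ($acct.ServicePrincipalNames -notcontains $spn) {
    throw "servicePrincipalName $spn is not set on $SamAccountName"
}
if (-not $acct.PasswordNeverExpires) {
    throw "PasswordNeverExpires is not set; an expired password breaks SSO for every user"
}
# setspn -X scans the forest for duplicate SPNs; it should report
# 0 groups of duplicates now that this SPN is registered once.
& setspn.exe -X

# Values to enter on the LiveCycle Kerberos authentication provider page.
"Service User:     $spn"
"Service Realm:    $Realm"
"Service Password: $passwordPlain"
```

If you later run ktpass with -pass or -crypto against this account, the password (and therefore the key) changes and the Service Password in LiveCycle must be updated to match, which is the situation the next section's password reset addresses.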
Prevent Kerberos integrity-check failures
LiveCycle authenticates to the KDC as the service principal with the password
you enter as Service Password. A Kerberos integrity-check failure
("integrity check on decrypted field failed") means the key derived from that
password does not match the key the domain controller holds for the account.
Resetting the password after mapping the SPN, to exactly the value you
configure in LiveCycle, keeps the two in sync.
On the domain controller, go to Start Menu >
Administrative Tools > Active Directory Users And Computers.
If Administrative Tools is not in the Start menu, use the Control
Panel.
Click the Users folder to display a list of users.
Right-click the user account that you created in a previous
task. In this example, the user account is spnegodemo.
Click Reset Password.
Type and confirm the same password that you typed previously.
In this example, it is set to password.
Deselect Change Password At Next Logon and then click OK.
Configuring SPNEGO client browser settings
For SPNEGO-based authentication to work, the client computer
must be joined to the domain in which the user account is created. You must
also configure the client browser to allow SPNEGO-based authentication,
and the site that requires SPNEGO-based authentication must
be a trusted site.
If the server is accessed by using the computer name, such as http://lcserver:8080, no
settings are required for Internet Explorer. If you enter a URL
that does not contain any dots ("."), Internet Explorer treats the
site as a local intranet site. If you are using a fully qualified
name for the site, the site must be added as a trusted site.
Configure Internet Explorer 6.x
Go to Tools > Internet Options and click the Security tab.
Click the Local Intranet icon and then click Sites.
Click Advanced and, in the Add This Web Site To The Zone
box, type the URL of your LiveCycle server. For example, type http://lcserver.um.lc.com
Click OK until all dialog boxes are closed.
Test the configuration by accessing the URL of your LiveCycle
server. For example, in the browser URL box, type http://lcserver.um.lc.com:8080/um/login?um_no_redirect=true
Configure Mozilla Firefox
In the browser URL box, type about:config
The about:config - Mozilla Firefox dialog box appears.
In the Filter box, type negotiate
In the list shown, click network.negotiate-auth.trusted-uri
and set it to one of the following values, as appropriate for your environment:
.um.lc.com -
Configures Firefox to allow SPNEGO for any URL that ends with um.lc.com.
Ensure that you include the dot (".") at the beginning.
lcserver.um.lc.com -
Configures Firefox to allow SPNEGO for your specific server only.
Do not start this value with a dot (".").
Test the configuration by accessing the application. The
welcome page for the target application should appear.
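When the welcome page does not appear and the login page does, the question is whether the browser obtained a Kerberos ticket and actually sent it, or fell back to NTLM because the site was not in the intranet or trusted zone (or the Firefox trusted-uri did not match). The following added example, which is not part of the LiveCycle documentation, gives two client-side checks for that: it requests a service ticket for the SPN directly from the KDC with klist, and it decodes an Authorization: Negotiate header copied from the browser's network tools to report which mechanism the browser used, in the order it offered them. It assumes the page's example SPN HTTP/lcserver.um.lc.com and a domain-joined Windows client; the sample tokens at the end are constructed, not captured from a real server.

```powershell
# Added example (not from the LiveCycle documentation): client-side SPNEGO
# troubleshooting. Run on a domain-joined client as the test user.
# Assumed SPN: HTTP/lcserver.um.lc.com (the page's example host).

function Test-ServiceTicket {
    param([string]$Spn = 'HTTP/lcserver.um.lc.com')
    # "klist get" asks the KDC for a service ticket for $Spn using the
    # logged-on user's TGT. If this fails, the fault is on the KDC side
    # (SPN missing or duplicated, clock skew, wrong realm), not in the
    # browser zone or trusted-uri settings.
    $out = (& klist.exe get $Spn 2>&1) -join "`n"
    [pscustomobject]@{
        Spn    = $Spn
        Ok     = ($out -notmatch 'klist failed') -and ($out -match ('Server:\s+' + [regex]::Escape($Spn)))
        Output = $out
    }
}

function Get-NegotiateMechanism {
    # Report which mechanism the browser used in an Authorization header.
    # Kerberos first means SSO can work; NTLM means the browser either did
    # not treat the site as intranet/trusted or had no Kerberos ticket.
    param([Parameter(Mandatory = $true)][string]$AuthorizationHeader)
    $b64   = ($AuthorizationHeader -replace '^\s*(Authorization:\s*)?Negotiate\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($b64)

    # Raw NTLM outside any SPNEGO wrapper carries the "NTLMSSP\0" signature.
    if ($bytes.Length -ge 8 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP') {
        return 'NTLM (raw NTLMSSP token, no Kerberos)'
    }

    $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    # GSS-API InitialContextToken: tag 0x60 followed by the SPNEGO OID
    # 1.3.6.1.5.5.2 (DER: 06 06 2b 06 01 05 05 02).
    if (-not $hex.StartsWith('60') -or $hex.IndexOf('06062b0601050502') -lt 0) {
        return 'Not a SPNEGO token'
    }
    # DER encodings of the mechanism OIDs in NegTokenInit.mechTypes. The list
    # is in the client's preference order and the attached mechToken belongs
    # to the first entry, so the lowest byte offset is the mechanism used.
    $mechs = @{
        '06092a864886f712010202'   = 'Kerberos V5 (1.2.840.113554.1.2.2)'
        '06092a864882f712010202'   = 'Kerberos V5, Microsoft OID (1.2.840.48018.1.2.2)'
        '060a2b06010401823702020a' = 'NTLMSSP (1.3.6.1.4.1.311.2.2.10)'
    }
    $found = foreach ($k in $mechs.Keys) {
        $i = $hex.IndexOf($k)
        if ($i -ge 0) { [pscustomobject]@{ Offset = $i; Mechanism = $mechs[$k] } }
    }
    if (-not $found) { return 'SPNEGO token with no recognized mechanism' }
    return (($found | Sort-Object Offset | Select-Object -ExpandProperty Mechanism) -join ' > ')
}

# Constructed sample inputs (not captured from a real server): a minimal
# NegTokenInit whose mechTypes list Kerberos first and NTLMSSP last, and
# the first 12 bytes of an NTLM Type 1 message ("NTLMSSP\0" + type 1).
$spnegoHex = '603206062b0601050502a0283026a0243022' +
             '06092a864886f712010202' +
             '06092a864882f712010202' +
             '060a2b06010401823702020a'
$spnegoBytes = [byte[]](0..($spnegoHex.Length / 2 - 1) |
    ForEach-Object { [Convert]::ToByte($spnegoHex.Substring(2 * $_, 2), 16) })
$ntlmBytes = [byte[]](0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00)

Get-NegotiateMechanism -AuthorizationHeader ('Negotiate ' + [Convert]::ToBase64String($spnegoBytes))
Get-NegotiateMechanism -AuthorizationHeader ('Negotiate ' + [Convert]::ToBase64String($ntlmBytes))
Test-ServiceTicket
```

A quick manual version of the second check: a Negotiate header whose base64 begins with TlRMTVNT is raw NTLM, and one beginning with YII is a GSS-API token. The function above goes one step further and reads the mechanism list, which matters because a browser can also send NTLM wrapped inside SPNEGO.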