Enabling SPNEGO authentication

Enable single sign-on in LiveCycle

You can use Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) to enable single sign-on (SSO) when using Active Directory as your LDAP server in a Windows environment. When SSO is enabled, the LiveCycle user login pages are not required and do not appear. For detailed steps to enable single sign-on in LiveCycle, see Enabling single sign-on in LiveCycle.

Configure SPNEGO client browser settings

For SPNEGO-based authentication to work, the client computer must be part of the domain in which the user account is created. You must also configure the client browser to allow SPNEGO-based authentication. In addition, the site that requires SPNEGO-based authentication must be a trusted site. For detailed steps to configure the client browser for SPNEGO, see Configuring SPNEGO client browser settings.

Configure LiveCycle SPNEGO Authentication Handler

Perform the following steps to configure the Adobe LiveCycle SPNEGO Authentication Handler:
  1. Navigate to http://[server]:[port]/lc/system/console/configMgr and log in with administrator credentials.

  2. Click Adobe LiveCycle SPNEGO Authentication Handler and specify the following information:
    • In the path field, specify the path of the repository for which the authentication is required.

    • In the Ranking field, specify 6000.

    • In the KDC Host field, specify the IP address or fully qualified domain name of the Active Directory server.

    • In the Active Directory Domain field, specify the domain name of the Active Directory.

    • In the Kerberos Service Principal field, specify the principal name of the Kerberos service.

    • In the Service Principal Password field, specify the password of the principal name.

    • Leave the Additional Properties field blank.

    • In the Trusted Credential Attribute field, specify TrustedInfo.

  3. Click Configure to activate Adobe LiveCycle SPNEGO Authentication Handler.

  4. To verify the activation, open http://[server]:[port]/lc/system/console/slingauth and ensure that Adobe LiveCycle Kerberos/SPNEGO Authentication Handler is listed in Registered Authentication Handler as the topmost entry.

    If Adobe LiveCycle Kerberos/SPNEGO Authentication Handler is not listed as the topmost entry, go to Step 2 and, in the Ranking field, specify a value greater than 6000.

  5. Navigate to [LiveCycle root]\crx-repository\repository\ and open the file repository.xml for editing.

    Note: The location may vary for a Publish Instance because the crx-repository is set manually. For details on configuring a Publish Instance, see the Define Author instance topic of the Configure Correspondence Management Solution section of Post-deployment tasks.

    Add the trust_credentials_attribute parameter:

    Existing Code

    <LoginModule class="com.day.crx.core.CRXLoginModule"> 
        <param name="anonymousId" value="anonymous"/> 
        <param name="adminId" value="admin"/> 
    </LoginModule>

    Replacement Code

    <LoginModule class="com.day.crx.core.CRXLoginModule"> 
        <param name="anonymousId" value="anonymous"/> 
        <param name="adminId" value="admin"/> 
        <param name="trust_credentials_attribute" value="TrustedInfo"/> 
    </LoginModule>
  6. Restart the application server.
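
A check for the repository.xml edit in step 5, added here as an example (it is not Adobe's code): it confirms that the CRXLoginModule carries exactly one trust_credentials_attribute parameter and that its value equals the one entered in the Trusted Credential Attribute field. The function name, the exact-match comparison and the sample XML wrapper elements are assumptions made for this illustration.

```python
"""Check that repository.xml carries the attribute name the SPNEGO handler uses."""
import xml.etree.ElementTree as ET

LOGIN_MODULE_CLASS = "com.day.crx.core.CRXLoginModule"
PARAM_NAME = "trust_credentials_attribute"


def check_trusted_attribute(xml_text, expected="TrustedInfo"):
    """Return a list of findings; an empty list means the edit is in place."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() includes the root element, so a bare <LoginModule> snippet works too.
    modules = [m for m in root.iter("LoginModule")
               if m.get("class") == LOGIN_MODULE_CLASS]
    if not modules:
        return [f"no LoginModule with class {LOGIN_MODULE_CLASS}"]
    for module in modules:
        values = [p.get("value") for p in module.findall("param")
                  if p.get("name") == PARAM_NAME]
        if not values:
            findings.append(f"{PARAM_NAME} is missing")
        elif len(values) > 1:
            findings.append(f"{PARAM_NAME} is defined {len(values)} times")
        elif values[0] != expected:
            # Assumption: the value must match the handler field exactly.
            findings.append(
                f"{PARAM_NAME} is {values[0]!r}, handler uses {expected!r}")
    return findings


# Constructed sample inputs modelled on the snippets in step 5; the
# <Repository>/<Security> wrapper is illustrative only.
BEFORE = """<Repository><Security>
<LoginModule class="com.day.crx.core.CRXLoginModule">
    <param name="anonymousId" value="anonymous"/>
    <param name="adminId" value="admin"/>
</LoginModule></Security></Repository>"""

AFTER = BEFORE.replace(
    '<param name="adminId" value="admin"/>',
    '<param name="adminId" value="admin"/>\n'
    '    <param name="trust_credentials_attribute" value="TrustedInfo"/>')

MISMATCH = AFTER.replace('value="TrustedInfo"', 'value="trustedinfo"')

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER),
                        ("mismatch", MISMATCH)):
        print(label, check_trusted_attribute(text) or "OK")
```

To check a real instance, pass the contents of repository.xml to check_trusted_attribute, along with the value configured in the handler if it differs from TrustedInfo.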
