5.4 Configuring the Clients

  1. Add the computers of the users to the Active Directory domain.

    For instructions, see your Active Directory documentation.

  2. Log in to the Active Directory domain, rather than the machine.

  3. (Conditional) If you are using Internet Explorer, configure the Web browser to trust the Identity Server:

    1. Click Tools > Internet Options > Security > Local intranet > Sites > Advanced.

    2. In the Add this website to the zone text box, enter the Base URL for the Identity Server, then click Add.

      In the configuration example, this is http://amser.provo.novell.com.

    3. Click Close > OK.

    4. Click Tools > Internet Options > Advanced.

    5. In the Security section, select Enable Integrated Windows Authentication, then click OK.

    6. Restart the browser.

  4. (Conditional) If you are using Firefox, configure the Web browser to trust the Identity Server:

    1. In the URL field, specify about:config.

    2. In the Filter field, specify network.n.

    3. Double-click network.negotiate-auth.trusted-uris.

      This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Specify a comma-delimited list of trusted domains or URLs.

      For this example configuration, you would add http://amser.provo.novell.com to the list.

    4. If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser can delegate user authorization to the server. Specify a comma-delimited list of trusted domains or URLs.

      For this example configuration, you would add http://amser.provo.novell.com to the list.

    5. Click OK, then restart your Firefox browser.

  5. In the URL field, enter the base URL of the Identity Server with port and application. For this example configuration:

    http://amser.provo.novell.com:8080/nidp

    The Identity Server should authenticate the user without prompting the user for authentication information. If a problem occurs, check for the following configuration errors:

    • Verify the default user store and contract. See Step 13.

    • View the Identity Server logging file and verify the configuration. See Verifying the Kerberos Configuration.

    • If you make any modifications to the configuration, either in the Administration Console or to the bcsLogin file, restart Tomcat on the Identity Server.

  6. (Conditional) If you have users who are outside the firewall, they cannot use Kerberos. SPNEGO defaults first to NTLM, then to HTTPS basic authentication. Access Manager does not support NTLM, so the NTLM prompt for username and password fails. The user is then prompted for a username and password for HTTPS basic authentication, which succeeds if the credentials are valid.

    To avoid these prompts, you can have your users enable the Automatic logon with current user name and password option in Internet Explorer 7.x. To access this option, click Tools > Internet Options > Security > Custom Level, then scroll down to User Authentication.
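The Firefox preferences from step 4 are easy to get wrong in a way that is not visible in the browser: an entry that is broader than the Identity Server (a bare `*`, an empty string, or a pasted URL carrying a path) silently widens the set of sites the browser will negotiate with or delegate a ticket to. The following script is an added example, not part of the Novell documentation or of any Novell tool. It normalizes the entries for `network.negotiate-auth.trusted-uris` and `network.negotiate-auth.delegation-uris`, rejects entries that would trust every site, requires every delegation entry to also appear in the trusted list, and renders the result both as `user.js` lines and as a Firefox enterprise `policies.json` document (it assumes the `Authentication.SPNEGO` and `Authentication.Delegated` policy keys, which correspond to those two preferences). The host `amser.provo.novell.com` is the documentation's own example Identity Server; the trailing `/nidp` path in the sample input is constructed to show what normalization strips.

```python
"""Build and sanity-check the Firefox SPNEGO preferences from step 4.

Added example, not part of the Novell documentation. Assumes Firefox reads
the two about:config preferences named in the procedure and the enterprise
policy keys Authentication.SPNEGO / Authentication.Delegated in policies.json.
"""
import json
from urllib.parse import urlsplit

TRUSTED_PREF = "network.negotiate-auth.trusted-uris"
DELEGATION_PREF = "network.negotiate-auth.delegation-uris"


def normalize_entry(entry):
    """Reduce an entry to scheme://host[:port] (or a bare host/domain).

    Paths, userinfo and query strings are dropped so the preference names a
    site, not a URL, and entries that would match every site are rejected.
    """
    entry = entry.strip()
    if not entry or entry in ("*", "."):
        raise ValueError(f"entry {entry!r} would trust every site")
    if "://" in entry:
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"unsupported entry {entry!r}")
        port = f":{parts.port}" if parts.port else ""
        return f"{parts.scheme}://{parts.hostname}{port}"
    # Bare host name or domain suffix, e.g. provo.novell.com
    if any(c in entry for c in "/@ "):
        raise ValueError(f"malformed host entry {entry!r}")
    return entry.lower()


def build_spnego_prefs(trusted, delegated=()):
    """Return {preference name: comma-delimited value}.

    Every delegation entry must also be a trusted entry: a site the browser
    will not negotiate with cannot receive a delegated ticket, so an entry
    that appears only under delegation is almost always a configuration slip.
    """
    trusted_n = [normalize_entry(e) for e in trusted]
    delegated_n = [normalize_entry(e) for e in delegated]
    missing = [e for e in delegated_n if e not in trusted_n]
    if missing:
        raise ValueError(f"delegation entries not in trusted list: {missing}")
    prefs = {TRUSTED_PREF: ",".join(trusted_n)}
    if delegated_n:
        prefs[DELEGATION_PREF] = ",".join(delegated_n)
    return prefs


def to_user_js(prefs):
    """Render the preferences as user.js lines (one user_pref call each)."""
    return "\n".join(f'user_pref("{k}", "{v}");' for k, v in prefs.items()) + "\n"


def to_policies_json(prefs):
    """Render the preferences as a Firefox enterprise policies.json document."""
    auth = {"SPNEGO": prefs[TRUSTED_PREF].split(",")}
    if DELEGATION_PREF in prefs:
        auth["Delegated"] = prefs[DELEGATION_PREF].split(",")
    return json.dumps({"policies": {"Authentication": auth}}, indent=2)


if __name__ == "__main__":
    # Constructed input: the documentation's example Identity Server, once
    # pasted with its application path, which normalization strips.
    prefs = build_spnego_prefs(["http://amser.provo.novell.com/nidp"],
                               ["http://amser.provo.novell.com"])
    print(to_user_js(prefs))
    print(to_policies_json(prefs))
```

Deploying the generated `policies.json` (or `user.js`) rather than having each user edit `about:config` keeps step 4 repeatable, and the delegation check matters most when step 4.4 applies: delegation hands the user's Kerberos ticket to the listed server, so that list should name only the Identity Server.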