Owner's Manual

Using the CMC Directory Service
Configuring Single Sign-On
Microsoft Windows 2000, Windows XP, Windows Server 2003,
Windows Vista, Windows 7, and Windows Server 2008 can use Kerberos, a
network authentication protocol, as an authentication method that gives users
who have signed in to the domain automatic, or single, sign-on to
subsequent applications such as Exchange.
Starting with CMC version 2.10, CMC can use Kerberos to support two
additional types of login mechanisms—single sign-on and Smart Card login.
For single sign-on login, CMC uses the client system’s credentials, which are
cached by the operating system after you log in using a valid Active Directory
account.
NOTE: Selecting a login method does not set policy attributes with respect to other
login interfaces, for example, SSH. You must set other policy attributes for other
login interfaces as well. If you want to disable all other login interfaces, navigate to
the Services page and disable all (or some) login interfaces.
System Requirements
To use Kerberos authentication, your network must include:
• DNS server
• Microsoft Active Directory Server
  NOTE: If you are using Active Directory on Windows 2003, ensure that you
  have the latest service packs and patches installed on the client system. If
  you are using Active Directory on Windows 2008, ensure that you have
  installed SP1 along with the following hot fixes:
  - Windows6.0-KB951191-x86.msu for the KTPASS utility. Without this patch the
    utility generates bad keytab files.
  - Windows6.0-KB957072-x86.msu for using GSS_API and SSL transactions
    during an LDAP bind.
• Kerberos Key Distribution Center (packaged with the Active Directory
  Server software).
• DHCP server (recommended).
The DNS server reverse zone must have an entry for the Active Directory
server and CMC.
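The following check for the reverse-zone requirement is an added example, not part of the manual or of CMC. It verifies that each host has a PTR record that agrees with its forward record. The function names, host names, and addresses are assumptions made for illustration; the sample records are constructed.

```python
import socket

def system_forward(name):
    """Return the set of IPv4 addresses the system resolver gives for name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def system_reverse(ip):
    """Return the PTR name the system resolver gives for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_reverse_zone(hosts, forward=system_forward, reverse=system_reverse):
    """Check each (fqdn, ip) pair; return a list of (fqdn, problem) tuples."""
    problems = []
    for fqdn, ip in hosts:
        want = fqdn.rstrip(".").lower()
        if ip not in forward(fqdn):
            problems.append((fqdn, f"forward lookup does not return {ip}"))
        ptr = reverse(ip)
        if ptr is None:
            problems.append((fqdn, f"no reverse-zone (PTR) entry for {ip}"))
        elif ptr.rstrip(".").lower() != want:
            problems.append((fqdn, f"PTR for {ip} is {ptr}, expected {want}"))
    return problems

# Constructed sample data (not from the manual): placeholder names and addresses.
SAMPLE_A = {"dc1.example.test": {"192.0.2.10"}, "cmc1.example.test": {"192.0.2.20"}}
SAMPLE_PTR = {"192.0.2.10": "DC1.example.test."}  # the CMC PTR record is missing
SAMPLE_HOSTS = [("dc1.example.test", "192.0.2.10"), ("cmc1.example.test", "192.0.2.20")]

def check_sample():
    """Run the check against the constructed records above instead of live DNS."""
    return check_reverse_zone(
        SAMPLE_HOSTS,
        forward=lambda name: SAMPLE_A.get(name, set()),
        reverse=SAMPLE_PTR.get,
    )

if __name__ == "__main__":
    for fqdn, problem in check_sample():
        print(f"{fqdn}: {problem}")
```

To test a live network, call check_reverse_zone with the real fully qualified names and addresses of the Active Directory server and CMC, leaving the resolver arguments at their defaults.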