To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.
kerberos-sso-enable = yes kerberos-keytab-file = webseal.keytab kerberos-principal-name = HTTP/webseal@AD_DOMAIN kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).