Single sign-on Issues: Windows Desktop single sign-on, Kerberos, and SPNEGO

Use the following information to troubleshoot and resolve single sign-on issues that involve Windows Desktop single sign-on, Kerberos, and SPNEGO.

Windows Desktop single sign-on, on the client end, uses the Simple and Protected GSS-API Negotiation (SPNEGO) authentication protocol over HTTP to authenticate with WebSEAL.

SPNEGO authentication works by wrapping a Kerberos authentication token, obtained by the windows Desktop browser, and sending it in an HTTP header to the target web server without the need for user action. The user signs on to their Windows Desktop, and the browser can use the sign on to send the Kerberos token by means of SPNEGO to the web server for single sign-on, assuming the Web Server can handle SPNEGO or Kerberos.

WebSEAL on AIX®, Linux, or Solaris use Kerberos to validate SPNEGO authentication data.