Configuring single sign-on
These instructions discuss how to configure single sign-on authentication for NexJ applications.
Authentication is a security process that identifies and verifies the credentials of users attempting to access a protected resource. NexJ Model Engine uses Windows Authentication and the SPNEGO negotiation mechanism to securely authenticate users and determine their level of authorization. If Windows Authentication is not an option, Java Kerberos can be used as an alternative.
Single sign-on is a form of access control that uses one set of credentials for multiple applications. It consolidates and streamlines authentication procedures for users and provides administrators with efficient management solutions. Once a user has been authenticated, they can access other enterprise applications without having to log in again until their session has expired.
Configuring single sign-on involves the following tasks:
- Create a Windows domain user for the AppServer service.
- Run the AppServer service under the domain account.
- Create a user domain group for NexJ applications.
- Install the SetSPN utility on a domain controller.
- Create Kerberos service principal names.
- Configure IIS for Kerberos authentication.
- Configure native Windows Authentication. (Native Windows Authentication only)
- Configure Kerberos for SPNEGO. (Java Kerberos authentication only)
- Configure logins.
- Enable SPNEGO authentication.
- Configure client browsers.