Preparing for Kerberos

Overview

This article provides an overview of the main tasks performed when setting up Kerberos SSO for your organization. The setup tasks can be divided into three main areas:

  • Configuring a service account in Active Directory
  • Enabling Kerberos for the browsers you plan to use
  • Testing that clients actually support Kerberos SSO

Configure the Service Account

Kerberos requires that a service account is added to Active Directory. This account holds the secret key (derived from the account's password), which Polar SSO also uses when decrypting and verifying tickets.

Polar SSO provides tools which help you create and configure the service account. Making changes in Active Directory requires Domain Admin permissions. 

Enable Kerberos in browsers

Most browsers require some configuration changes to allow sending Kerberos tickets to a web server. In Windows environments, this configuration is usually managed centrally in Group Policy Objects. This task also requires access to Active Directory with Domain Admin permissions.  

Test and troubleshoot your setup

To verify that both Active Directory and the browser are configured successfully, Polar SSO performs a Kerberos Login Test. This test requests a service ticket from the browser and verifies that the ticket is valid and verifiable. The test also inspects the user account and permissions to check that the user would actually be able to log in with Kerberos.
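
When troubleshooting, you can also check by hand what the browser actually sent. The following added example (not Polar SSO's code) classifies the value of an HTTP Authorization: Negotiate header (RFC 4559) as a Kerberos ticket or an NTLM fallback. The function names and sample tokens are constructed for illustration, and the byte search is a heuristic rather than a full ASN.1 parse.

```python
import base64

# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2, followed
# by the two-byte token id 01 00 that marks a Kerberos AP-REQ (RFC 4121).
KRB5_AP_REQ = bytes.fromhex("06092a864886f712010202") + b"\x01\x00"
NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this
GSS_INITIAL_TOKEN_TAG = 0x60     # ASN.1 tag of a GSS-API initial token


def classify_negotiate(header_value):
    """Classify an HTTP Authorization header value (RFC 4559 Negotiate)."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(payload.strip(), validate=True)
    except ValueError:
        return "malformed"
    if not token:
        return "malformed"
    # Raw NTLM, or NTLM wrapped in SPNEGO: the browser fell back from Kerberos.
    if NTLM_SIGNATURE in token:
        return "ntlm"
    # Heuristic byte search, not a full ASN.1 parse.
    if token[0] == GSS_INITIAL_TOKEN_TAG and KRB5_AP_REQ in token:
        return "kerberos"
    return "unknown-mechanism"


def as_header(token):
    """Hypothetical helper: wrap raw token bytes as a header value."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples: shaped like real tokens, but carrying no real ticket.
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
SAMPLE_KERBEROS = as_header(
    b"\x60\x1c" + SPNEGO_OID + b"\x60\x12" + KRB5_AP_REQ + b"\x6e\x03\x00\x00\x00"
)
SAMPLE_NTLM = as_header(NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2")

if __name__ == "__main__":
    for name, value in (("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM)):
        print(name, "->", classify_negotiate(value))
```

An "ntlm" result means the browser did not obtain or send a service ticket, which points back to the browser or service account configuration described above.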

Next steps