
5.3.7 (Optional) Configuring the Fall Back Authentication Class

You can configure an optional authentication class that is executed either when Kerberos authentication fails or when Kerberos authentication has to be skipped.

For information about how to skip the Kerberos authentication for certain IP addresses, see “(Optional) Using the Name/Password Form Authentication” on page 186.

To configure the fall back authentication class:

1 Go to the Identity Server Cluster > Edit > Local > Methods > (Kerberos Method) > Properties tab.

2 Add a new property/value pair with the name FALLBACK_AUTHCLASS and set the property value to the fully qualified class name, such as com.novell.nidp.authentication.local.PasswordClass.

The class name value must be the same as the value configured in the Java class path of the class at IDP Cluster > Edit > Local > Classes > (Authentication class).

NOTE: If your authentication class requires a custom JSP file for seeking credentials, add the property JSP and specify the name of the jsp file. When the JSP property is not specified, Identity Server will use the default login.jsp for seeking the credentials.

If you want to fall back to basic authentication, configure the following property with either of these values:

Property Name: FALLBACK_AUTHCLASS

Property Value: Basic or com.novell.nidp.authentication.local.BasicClass

NOTE: The property name is case-sensitive.

For example, if you want to fall back to Radius, configure the following properties for the Kerberos method:

FALLBACK_AUTHCLASS=com.novell.nidp.authentication.local.RadiusClass

JSP=radiuslogin

Server=<<radius IPs, comma separated>>

SharedSecret=<<secret string>>

Port=<<port>>

ReplyTime=7000 (in milliseconds, optional)

ResendTime=2000 (in milliseconds, optional)

Retry=5 (optional)

Password=false

NOTE: The property name is case-sensitive.

You can also configure a fall back to another mechanism based on an incoming header. In the Kerberos method, add a name/value pair in the property field with the name NO_NEGO_HEADER_NAME; in the value field, provide the header that causes Kerberos authentication to be skipped.

For example, in the Kerberos method properties, configure the name NO_NEGO_HEADER_NAME with the value X-NovINet. If a client request then carries the header X-NovINet, the Kerberos class is not executed and authentication falls back to the name/password form by default, or to the configured fall back mechanism.

For more information about using this feature, see Cool Solution (https://www.netiq.com/communities/cool-solutions/hold-howto-single-sign-with-netidentity-novell-access-manager/).
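The fall back rules in this section (FALLBACK_AUTHCLASS with its Basic short form, the JSP default, the case-sensitive property names, and the NO_NEGO_HEADER_NAME skip) modelled as a small decision routine. This is an added example, not Identity Server code; the function names select_auth_class, resolve_fallback_class and lint_properties are hypothetical, and case-insensitive header matching is an assumption.

```python
"""Model of the Kerberos-method fall back rules described in this section.

Added example, not NetIQ code. Function names are hypothetical; property
names and values follow the documentation text.
"""

KNOWN_PROPERTIES = ("FALLBACK_AUTHCLASS", "JSP", "NO_NEGO_HEADER_NAME")
NAME_PASSWORD_FORM = "com.novell.nidp.authentication.local.PasswordClass"
BASIC_CLASS = "com.novell.nidp.authentication.local.BasicClass"
DEFAULT_JSP = "login.jsp"


def lint_properties(props):
    """Return keys that differ from a known property name only by case.

    Property names are case-sensitive, so such keys are silently ignored;
    flagging them catches a mis-typed FALLBACK_AUTHCLASS before deployment.
    """
    known = {k.lower() for k in KNOWN_PROPERTIES}
    return [k for k in props if k not in KNOWN_PROPERTIES and k.lower() in known]


def resolve_fallback_class(props):
    """Map FALLBACK_AUTHCLASS to a fully qualified class name.

    'Basic' is accepted as the short form of BasicClass; None means no fall back.
    """
    value = props.get("FALLBACK_AUTHCLASS")
    if value is None:
        return None
    return BASIC_CLASS if value == "Basic" else value


def select_auth_class(props, headers, kerberos_succeeded):
    """Decide which class handles the request and which JSP seeks credentials.

    headers: request header names, matched case-insensitively (assumption).
    Returns (class_name, jsp_name); class_name None means authentication fails.
    """
    skip_header = props.get("NO_NEGO_HEADER_NAME")
    if skip_header and skip_header.lower() in {h.lower() for h in headers}:
        # Kerberos is not executed: use the configured fall back class, or the
        # name/password form when none is configured.
        fallback = resolve_fallback_class(props) or NAME_PASSWORD_FORM
        return fallback, props.get("JSP", DEFAULT_JSP)
    if kerberos_succeeded:
        return "Kerberos", None
    fallback = resolve_fallback_class(props)
    if fallback is None:
        return None, None  # no fall back configured; Kerberos failure stands (assumption)
    return fallback, props.get("JSP", DEFAULT_JSP)
```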

5.4 Configuring the Clients

1 Add the computers of the users to the Active Directory domain.

For instructions, see your Active Directory documentation.

2 Log in to the Active Directory domain, rather than the machine.

3 (Conditional) If you are using Internet Explorer, configure the Web browser to trust the Identity Server:

3a Click Tools > Internet Options > Security > Local intranet > Sites > Advanced.

3b In the Add this website to the zone text box, enter the Base URL for the Identity Server, then click Add.

In the configuration example, this is http://amser.provo.novell.com.

3c Click Close > OK.

3d Click Tools > Internet Options > Advanced.

3e In the Security section, select Enable Integrated Windows Authentication, then click OK.

3f Restart the browser.

4 (Conditional) If you are using Firefox, configure the Web browser to trust the Identity Server:

4a In the URL field, specify about:config.

4b In the Filter field, specify network.n.

4c Double click network.negotiate-auth.trusted-uris.

This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Specify a comma-delimited list of trusted domains or URLs.

For this example configuration, you would add http://amser.provo.novell.com to the list.

4d If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris. This preference lists the sites to which the browser can delegate the user's credentials. Specify a comma-delimited list of trusted domains or URLs.

For this example configuration, you would add http://amser.provo.novell.com to the list.

4e Click OK, then restart your Firefox browser.

5 In the URL field, enter the base URL of the Identity Server with port and application. For this example configuration:

http://amser.provo.novell.com:8080/nidp

The Identity Server should authenticate the user without prompting the user for authentication information. If a problem occurs, check for the following configuration errors:

• Verify the default user store and contract. See Step 13.

• View the Identity Server logging file and verify the configuration. See “Verifying the Kerberos Configuration” on page 186.

• If you make any modifications to the configuration, either in the Administration Console or to the bcsLogin file, restart Tomcat on the Identity Server.

6 (Conditional) If you have users who are outside the firewall, they cannot use Kerberos. SPNEGO defaults first to NTLM, then to HTTPS basic authentication. Access Manager does not support NTLM, so the NTLM prompt for username and password fails. The user is then prompted for a username and password for HTTPS basic authentication, which succeeds if the credentials are valid.

To avoid these prompts, you can have your users enable the Automatic logon with current user name and password option in Internet Explorer 7.x. To access this option, click Tools > Internet Options > Security > Custom Level, then scroll down to User Authentication.

5.5 Configuring the Access Gateway for Kerberos Authentication

If you have set up a Web server that you want to require Kerberos authentication for access, you can set up a protected resource for this Web server as you would for any other Web server, and select the name of your Kerberos contract for the authentication procedure. For instructions, see “Configuring Protected Resources” in the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.

When using Kerberos for authentication, the LDAP credentials are not available. If you need LDAP credentials to provide single sign-on to some resources, see Section 4.9, “Configuring Password Retrieval,” on page 166.