Kerberos authentication is supported for the following configuration:
Clients must be running one of the following operating systems:
Windows XP with Internet Explorer 7 or 8. Some minimal testing has been done with Internet Explorer 6. To make Kerberos work with Internet Explorer 6, you need to enable integrated Windows authentication. For information on how to enable this feature, see “Authentication Uses NTLM instead of Kerberos”.
Windows Vista with the latest version of Internet Explorer.
Windows 7 with Internet Explorer 8. Be aware of the following issues:
Internet Explorer needs to have the Internet Options configured to trust the URL of the Identity Server.
The keytab file must contain keys for encryption types other than DES. If you created your keytab file for an earlier version of Access Manager, where only DES was supported, you need to recreate the keytab file. For the new procedure, see Section 5.2.3, Configuring the Keytab File.
For more information on these issues, see TID 7006036.
Active Directory must be configured to contain entries for both the users and their machines. Active Directory must be running on Windows Server 2003 Enterprise SP2 or Windows Server 2008 SP2 or higher.
Active Directory and the Identity Server must be configured to use a Network Time Protocol server. If time is not synchronized, authentication fails.
If a firewall separates the Active Directory Server from the Identity Server, the firewall needs to open ports TCP 88 and UDP 88 so that the Identity Server can communicate with the KDC on the Active Directory Server.
The Identity Server can communicate with only one KDC, identified by IP address in the configuration. This limitation comes from the underlying Sun JGSS implementation; as a result, the Identity Server can support only one Kerberos class with one Kerberos method.
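A pre-flight check for two of the requirements above, the keytab encryption types and the KDC port, written as an added example that is not part of the Access Manager documentation: it assumes MIT `klist -kte` output format, and the keytab listing, host name, principal and realm are constructed placeholders.

```python
import re
import socket
from typing import List, Tuple

# A keytab holding only these encryption types is a "DES-only" keytab and
# must be recreated before Windows 7 clients can authenticate.
DES_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# One entry line of MIT `klist -kte` output: KVNO, date, time, principal, (etype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample listing of a keytab created for an older, DES-only setup.
OLD_KEYTAB = """Keytab name: FILE:/tmp/idp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2009 10:00:00 HTTP/idp.example.com@EXAMPLE.COM (des-cbc-md5)
   3 01/15/2009 10:00:00 HTTP/idp.example.com@EXAMPLE.COM (des-cbc-crc)
"""


def parse_keytab_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, etype) for every entry line in klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries


def keytab_is_des_only(text: str) -> bool:
    """True when the keytab has keys and all of them are DES keys (recreate it)."""
    etypes = {etype for _, _, etype in parse_keytab_listing(text)}
    return bool(etypes) and etypes <= DES_ETYPES


def kdc_tcp_reachable(host: str, port: int = 88, timeout: float = 2.0) -> bool:
    """TCP connect test for the KDC port through the firewall.

    UDP 88 cannot be verified with a bare connect; confirm it separately
    with a real AS-REQ (for example, kinit against the KDC)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("recreate keytab:", keytab_is_des_only(OLD_KEYTAB))
    print("TCP 88 reachable:", kdc_tcp_reachable("ad.example.com"))  # placeholder
```

Feed `keytab_is_des_only` the output of `klist -kte <keytab>` on the Identity Server; a `True` result means the keytab predates non-DES support and must be regenerated as described in Section 5.2.3.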