Add computers of the users to the Active Directory domain.
For instructions, see the Active Directory documentation.
Log in to the Active Directory domain, rather than the machine.
(Conditional) If you are using Internet Explorer, perform the following steps to trust Identity Server:
Click Tools > Internet Options > Security > Local intranet > Sites > Advanced.
In Add this website to the zone, specify Base URL of Identity Server, then click Add.
In the configuration example, this is http://amser.nam.example.com.
Click Close > OK.
Click Tools > Internet Options > Advanced.
In the Security section, select Enable Integrated Windows Authentication, then click OK.
Restart the browser.
(Conditional) If you are using Firefox, perform the following steps to trust Identity Server:
In URL, specify about:config.
In Filter, specify network.n.
Double click network.negotiate-auth.trusted-uris.
This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Specify a comma-delimited list of trusted domains or URLs.
For this example configuration, add amser.nam.example.com to the list.
If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser can delegate user to the server. Specify a comma-delimited list of trusted domains or URLs.
For this example configuration, add amser.nam.example.com to the list.
Click OK, then restart your Firefox browser.
(Conditional) If you are using Chrome, perform the following steps to trust Identity Server:
Click Control Panel > Network and Internet > Internet Options > Security > Local intranet > Sites > Advanced.
In Add this website to the zone, specify Base URL of Identity Server, and click Add.
In the configuration example, this is http://amser.nam.example.com.
Click Close > OK.
Select Advanced.
In the Security section, select Enable Integrated Windows Authentication, and click OK.
Restart the browser.
NOTE:If you have configured Internet Explorer settings, then you do not need to perform these steps. Chrome in Windows uses the Internet Explorer settings.
In URL, specify Base URL of Identity Server with port and application. For this example configuration, specify the following:
http://amser.nam.example.com:8080/nidp
Identity Server must authenticate the user without prompting the user for authentication information. If a problem occurs, check for the following configuration errors:
Verify the default user store and contract. See Step 13.
View Identity Server logging file and verify the configuration. See Verifying the Kerberos Configuration.
(Conditional) Users who are outside the firewall cannot use Kerberos. SPNEGO by default first uses NTLM, then to HTTPS basic authentication. Access Manager does not support NTLM, so the NTLM prompt for username and password fails. The user is then prompted for a username and password for HTTPS basic authentication, which succeeds if the credentials are valid.
To avoid these prompts, you can have your users enable the Automatic logon with current user name and password option in Internet Explorer 7.x. To access this option, click Tools >Internet Options >Security >Custom Level, then scroll down to User Authentication.