CHAPTER 14
Configuring Single Sign-On
Defining Basic, NTLM, and Kerberos Resources
Copyright © 2010, Juniper Networks, Inc.
You can set up basic, NT LAN Manager (NTLM), and Kerberos credentials in the Devices
> Users > Resource Policies > Web > SSO > General tab. Follow these guidelines when
managing single sign-on (SSO):
- The Secure Access device manages Kerberos if challenged with the Negotiate header,
  NTLM if challenged with the NTLM header, and basic authentication if challenged with
  the basic resource.
- If the device receives multiple challenges, the order of precedence is as follows:
  1. Kerberos
  2. NTLM
  3. Basic
- The device first sets the constrained delegation if the service is configured in a service
  list.
- Policy configurations override any settings in the SSO > General tab.
- Disabling all the options available in the SSO > General screen prevents SSO. However,
  the device continues to an intermediate phase and displays an intermediation page
  to the end user.
- You can explicitly turn off the basic authentication intermediation in a policy. For
  Kerberos and NTLM, the device always intermediates.
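The precedence rule above can be modeled as follows. This is an added example, not Juniper code: it parses the WWW-Authenticate values of a backend 401 response and picks the SSO type by the stated order. The function names and the `enabled` set (standing in for the options on the SSO > General tab) are assumptions made for illustration.

```python
import re

# Precedence stated on the page: Kerberos, then NTLM, then Basic.
PRECEDENCE = ("kerberos", "ntlm", "basic")
# HTTP auth-scheme token -> SSO type. The page ties Kerberos to the
# Negotiate header and NTLM to the NTLM header.
SCHEME_TO_SSO = {"negotiate": "kerberos", "ntlm": "ntlm", "basic": "basic"}

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# A scheme token starts a header value or follows a comma, and is not an
# auth-param name (those are followed by "=").
_SCHEME = re.compile(r'(?:^|,)\s*([A-Za-z][\w.-]*)(?=\s*(?:,|$)|\s+[^\s=,])')


def offered_sso_types(www_authenticate_values):
    """Return the set of SSO types offered across all WWW-Authenticate values."""
    offered = set()
    for value in www_authenticate_values:
        # Blank out quoted strings so commas inside realm="..." are not separators.
        stripped = _QUOTED.sub('""', value)
        for scheme in _SCHEME.findall(stripped):
            sso = SCHEME_TO_SSO.get(scheme.lower())
            if sso:
                offered.add(sso)
    return offered


def select_sso(www_authenticate_values, enabled=PRECEDENCE):
    """Pick the highest-precedence offered SSO type that is enabled.

    Returns None when nothing usable is offered; in the page's terms SSO does
    not happen and the device shows its intermediation page instead.
    """
    offered = offered_sso_types(www_authenticate_values)
    for sso in PRECEDENCE:
        if sso in offered and sso in enabled:
            return sso
    return None


# Constructed sample: a backend that offers all three schemes on one 401.
SAMPLE_401 = ['Basic realm="Intranet, HR"', "NTLM", "Negotiate"]

if __name__ == "__main__":
    print(select_sso(SAMPLE_401))                     # every SSO type enabled
    print(select_sso(SAMPLE_401, enabled={"basic"}))  # only basic enabled
```

Running the same check against captured 401 responses from a backend shows which SSO type the device would attempt, which helps when auditing whether a resource is silently falling back to basic authentication.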
Depending on the SSO used, you can view the different fields in the intermediation
page and configure the following options: