Kerberos Autologin

Autologin System Requirements

Client PC

  • The client PC has to be a member of the Kerberos realm. With Microsoft Active Directory, the name of the realm usually corresponds to the name of the Active Directory domain in capital letters. Example: if the company’s Active Directory domain name is “abc.com”, the name of the corresponding Kerberos realm is “ABC.COM”.
  • Autologin is only possible for users who log into the client PC with an Active Directory domain account. Local user accounts are not suitable for the autologin feature because user authentication is handled by Kerberos only.

Internet Browser

  • The internet browser has to be configured to use SPNEGO authentication for trusted webpages.

Network Configuration

  • Time has to be synchronized within the Active Directory domain (clients and servers) as well as between the Stages server and the Active Directory domain, because every Kerberos ticket has limited validity.
  • It is also critically important that your name service is set up correctly. For each device, name resolution has to work both ways, forward and backward. Forward resolution resolves a fully qualified domain name to an IP address, and backward resolution resolves the IP address back to the fully qualified domain name. Resolving a hostname to an IP address and the address back to a hostname has to result in the same fully qualified hostname.
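
The forward and backward resolution requirement above can be checked per host with a short script. This is an added example, not part of the Stages documentation; the host names under abc.com and the 192.0.2.x addresses are constructed sample data, and the sample_* helpers stand in for a real name service so the check runs offline.

```python
import socket

def _forward(name):
    """Forward lookup via the system resolver: FQDN -> set of IP addresses."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def _reverse(ip):
    """Backward lookup via the system resolver: IP address -> primary host name."""
    return socket.gethostbyaddr(ip)[0]

def check_round_trip(fqdn, forward=_forward, reverse=_reverse):
    """Return a list of problems; an empty list means that every address of
    fqdn resolves back to exactly the same fully qualified host name."""
    want = fqdn.rstrip(".").lower()          # DNS names are case-insensitive
    problems = []
    if "." not in want:
        problems.append(f"{want}: not a fully qualified name")
    try:
        addresses = sorted(forward(want))
    except OSError as exc:                   # gaierror is a subclass of OSError
        return problems + [f"{want}: forward lookup failed ({exc})"]
    for ip in addresses:
        try:
            got = reverse(ip).rstrip(".").lower()
        except OSError as exc:               # herror is a subclass of OSError
            problems.append(f"{ip}: reverse lookup failed ({exc})")
            continue
        if got != want:
            problems.append(f"{ip}: resolves back to {got}, expected {want}")
    return problems

# Constructed sample zone data (assumption, not taken from a real network).
SAMPLE_A = {"stages.abc.com": {"192.0.2.10"},
            "pc17.abc.com": {"192.0.2.57"},
            "old.abc.com": {"192.0.2.99"}}
SAMPLE_PTR = {"192.0.2.10": "stages.abc.com",
              "192.0.2.57": "pc17"}          # PTR holds only the short name

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror("name not known")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror("no PTR record")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for host in SAMPLE_A:
        print(host, check_round_trip(host, sample_forward, sample_reverse) or "OK")
```

Called with only a host name, check_round_trip uses the system resolver, so it can be run on the client PC and on the Stages server against the real name service.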

Stages Server

  • The Stages server doesn't have to be a member of the Active Directory domain. It can also be installed on a UNIX operating system.