The Web server can then decrypt the credentials and authenticate the user. The following steps, illustrated in Figure , describe what happens when a user tries to access a single-sign-on-protected application:
The application redirects the user to the single sign-on server for authentication. As part of this redirection, the following occurs: the single sign-on server verifies the Kerberos session ticket and returns the user to the requested URL. The user logs out of this application, and of any single sign-on applications accessed subsequently, by logging out of the Windows computer.
Windows native authentication is intended for intranet Web applications. Your intranet deployment must have the following: Oracle Internet Directory configured to use the Windows authentication plugin. Setting up Windows native authentication requires that Oracle Internet Directory, the single sign-on server, and the user's browser all be configured. Consult the documentation for the Windows server to ensure that Microsoft Active Directory is set up and working.
Verify that you have synchronized user entries between the two directories; then verify that the Windows authentication plugin is working. You perform this step by trying to log in to the single sign-on server. Next, configure a Kerberos realm on the single sign-on middle tier; then create a service account for the single sign-on server in Microsoft Active Directory. Finally, create a keytab file for the single sign-on server, mapping the service principal to the account name.
Configure the krb5. You do this by updating the file to look like the following example. Be sure to replace the example values given with values suitable for your installation; these values appear in boldface in the example.
Synchronize the system clocks of the single sign-on middle tier and the Windows server. If you omit this step, authentication fails because of clock skew errors. Check the port number of the Kerberos server on the single sign-on computer; the service name is Kerberos. When added correctly to the services file, the entries for these port numbers look like this:
In the hosts file, located in the same directory as the services file, check the entry for the single sign-on middle tier. The fully qualified host name of the single sign-on computer must appear after the IP address and before the short name. Here is an example of a correct entry:

Enter the name of the single sign-on host, omitting the domain name. If, for example, the host name is sso. This is the account name in Active Directory. Note the password that you assigned to the account; you will need it later.
Do not choose User must change password at next logon. Create a keytab file for the single sign-on server, mapping the account name to the service principal name. You perform both tasks by issuing the following command on the Windows server:

It works as follows:

For further information on NTLM, refer to the following resources, available at the time of this document's creation:
Author: Paul Bradley. Topics: Windows Servers.

On the screen that appears, enter the email address of the person for whom you want to create a user account, click OK and then Finish. The account name also appears when you click the icon representing the current user of the PC, midway down on the left side of the Start menu after you click the Start button.
Clicking the account name in the Start menu shows all of the accounts on the machine: click the icon representing the current user of the PC, midway down on the left side of the Start menu, and all of the accounts on the PC are displayed. Click your account name and log in with your Microsoft account password. The account will have its own separate OneDrive storage. Then, at the bottom of the next screen, click Add a user without a Microsoft account. Now you can add a user name and a password. So an administrator will have to be nearby to type in the password in order for that user to install desktop applications.
You can, of course, also log in from the lock screen, which displays all of the user accounts on the machine. One thing to keep in mind when several people use a PC with separate accounts: even when someone is not using the PC, they remain signed into their account unless they sign out or the PC is restarted.
So several people might be signed into accounts, even though only one person is actively using the PC. There can be only one active account at a time; an individual user will still need to re-enter the password to see their account. Look underneath each account. This is useful, but it can be problematic as well, because it can lead to lost work: when a PC is restarted or shut down, all users on it are automatically logged off. The upshot?
It only takes a moment: click your account name at the top of the Start menu and then click Sign out. Choose Administrator and click OK.