5.3.2 Prerequisites for Configuring Kerberos Authentication

  • Clients must be running on Windows with Internet Explorer, Chrome, or Firefox.

    To make Kerberos work with Internet Explorer, enable integrated Windows authentication. For information about enabling this feature, see “Authentication Uses NTLM instead of Kerberos”.

    IMPORTANT: You must perform the following tasks:

    • Configure Internet Options of the web browser to trust the URL of Identity Server.

    • Configure the keytab file to trust more than DES encryption. If you created your keytab file for an earlier version of Access Manager where only DES was supported, you need to recreate the keytab file. For information, see Configuring the Keytab File.

      For more information, see TID 7006036.

  • Active Directory must be configured to contain entries for both users and their machines.

  • Active Directory and Identity Server must be configured to use a Network Time Protocol server. If time is not synchronized, authentication fails.

  • If a firewall separates the Active Directory server from Identity Server, ports TCP 88 and UDP 88 must be open so that Identity Server can communicate with the Key Distribution Centre (KDC) on the Active Directory server.
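As an added example that is not part of the Access Manager documentation, the following Python script parses an MIT-format keytab and reports whether it holds only DES keys, which is the condition described in the keytab prerequisite above that requires the keytab to be recreated. The realm, service principal and key bytes are constructed sample data, not values from a real deployment.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961/3962/4757). Types 1-3 are the weak DES family.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int

def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format keytab (version 0x0502) into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                     # negative size marks a deleted slot; skip it
            pos += -size; continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2]); off = 2
        strs = []                        # realm first, then each principal component
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack(">H", body[off:off + 2]); off += 2
            strs.append(body[off:off + ln].decode()); off += ln
        off += 8                         # skip name_type (4) and timestamp (4)
        vno8 = body[off]; off += 1
        enctype, keylen = struct.unpack(">HH", body[off:off + 4]); off += 4 + keylen
        # A trailing 32-bit kvno, when present, overrides the 8-bit one
        kvno = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else vno8
        entries.append(KeytabEntry("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
    return entries

def des_only(entries) -> bool:
    """True when every key in the keytab is a DES type, i.e. the keytab must be recreated."""
    return bool(entries) and all(e.enctype in DES_ENCTYPES for e in entries)

def _entry(realm, comps, kvno, enctype, key) -> bytes:
    body = struct.pack(">H", len(comps))            # constructed record with dummy key bytes
    for s in (realm, *comps):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SPN = ("EXAMPLE.COM", ["HTTP", "idp.example.com"])        # constructed Identity Server SPN
OLD_KEYTAB = b"\x05\x02" + _entry(*SPN, 2, 3, bytes(8))                  # des-cbc-md5 only
NEW_KEYTAB = b"\x05\x02" + _entry(*SPN, 3, 18, bytes(32)) + _entry(*SPN, 3, 17, bytes(16))
```

Run `des_only(parse_keytab(open("idp.keytab", "rb").read()))` against a keytab exported from an older Access Manager installation; a `True` result means it was created with DES only and must be regenerated.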