Kerberos SSO
Enable single sign-on (SSO) using Kerberos with Active Directory as the Key Distribution Center (KDC).
Prerequisites
Your Active Directory administrator will need to:
- Create a service account for Validio
- Register the appropriate Service Principal Names (SPNs)
- Generate and provide a keytab file for the service account
Validio Configuration
Add a new Kerberos identity provider in Validio.
Service Principal: HTTP/[your-validio-hostname]@[REALM]
- This must exactly match the SPN registered in your Active Directory
- Format:
HTTP/hostname@REALM
- Example:
HTTP/[email protected]
Realm: [YOUR-DOMAIN-REALM]
- Your Active Directory domain name in uppercase
- Example:
COMPANY.COM
Configuration Example
Field | Example Value |
---|---|
Service Principal | HTTP/[email protected] |
Realm | COMPANY.COM |
Deployment Requirements
The keytab file provided by your Active Directory team must be securely deployed and accessible to your Validio instance for authentication to function properly.
Troubleshooting
Authentication Failed errors
"Authentication failed" errors:
- Verify the Service Principal and Realm exactly match your Active Directory configuration
- Ensure the keytab file is properly deployed and accessible
- Check that your Validio hostname resolves correctly and matches the registered SPN
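A pre-flight check for the items above, as an added example (not Validio's own code): it confirms the Service Principal has the HTTP/hostname@REALM form, the Realm is uppercase and consistent with it, the keytab is readable by its owner only, and the keytab actually holds an entry for that principal. It assumes a keytab in the MIT file format (version 0x0502) on a POSIX host; the function names and the example.com values are constructed for illustration.

```python
import os, stat, struct, tempfile

def keytab_principals(data):
    """List principals in an MIT-format keytab (file version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry
            pos += -size
            continue
        entry, p, parts = data[pos:pos + size], 2, []
        pos += size
        # entry starts with the component count; realm first, then components
        for _ in range(struct.unpack_from(">H", entry, 0)[0] + 1):
            (n,) = struct.unpack_from(">H", entry, p)
            parts.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def preflight(service_principal, realm, keytab_path):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    name, _, sp_realm = service_principal.partition("@")
    service, _, host = name.partition("/")
    if service != "HTTP" or not host:
        problems.append("Service Principal is not HTTP/hostname@REALM")
    if realm != realm.upper() or sp_realm != realm:
        problems.append("Realm must be uppercase and match the Service Principal")
    mode = stat.S_IMODE(os.stat(keytab_path).st_mode)
    if mode & 0o077:                   # assumption: owner-only access is intended
        problems.append(f"keytab mode {mode:o} allows group/other access")
    with open(keytab_path, "rb") as fh:
        if service_principal not in keytab_principals(fh.read()):
            problems.append("keytab has no entry for the Service Principal")
    return problems

def sample_keytab(host, realm):
    """Constructed one-entry keytab with a dummy all-zero key (not real data)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(realm.encode()) + cs(b"HTTP")
            + cs(host.encode()) + struct.pack(">IIBH", 1, 0, 1, 18) + cs(bytes(32)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile() as fh:      # created with mode 0600
        fh.write(sample_keytab("validio.example.com", "EXAMPLE.COM"))
        fh.flush()
        print(preflight("HTTP/validio.example.com@EXAMPLE.COM", "EXAMPLE.COM", fh.name))
```

The comparison is an exact string match, so a principal that differs from the keytab entry only in letter case is reported as missing.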
Time synchronization
Kerberos authentication requires synchronized time between all systems (within 5 minutes).