Environment
Novell Access Manager 3.x Linux Novell Identity Server
Novell Access Manager 4.0
Novell Access Manager 4.1
Situation
A Novell Identity Server (IDP) was set up to single sign-on (SSO) users who had already authenticated to an Active Directory domain, using the Kerberos authentication class. The documentation at https://www.novell.com/documentation/novellaccessmanager31/adminguide/index.html?page=/documentation/novellaccessmanager31/adminguide/data/b2651cb.html was followed, but users could not SSO to the IDP server.
From a domain-member workstation, users got a basic authentication popup prompt instead of silent SSO. From a workstation that is not a domain member, the result was an NTLM error, because Internet Explorer falls back to NTLM when it cannot obtain a Kerberos ticket for the site.
Resolution
When setting up the hostname as described in section 7.10.2 ("Configuring Active Directory") of the Identity Server Administration guide, make sure the service principal uses the actual Linux host name of the Identity Server (the value of $HOSTNAME on the box), and NOT the host portion of the Identity Provider base URL, if the two are not the same.
As an example, the DNS name of the server is slesdev1.novell.com and the IdP base URL is ids1.novell.com. Following the section of the docs referenced above, a user was created with the principal HTTP/ids1.novell.com. This resulted in Kerberos SSO not working: the principal must be HTTP/slesdev1.novell.com, the ACTUAL DNS name of the box. To confirm which name the keytab on the Identity Server was generated for, list it with klist -kt and check the principal column; on the domain controller, setspn -L followed by the mapped account name shows the SPNs registered for that account.
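The following script is an added example, not part of the TID, that performs the check the resolution calls for: it parses a klist -kt listing of the Identity Server keytab and reports whether the HTTP/ principal was created for the actual host name or, by mistake, for the host part of the IdP base URL. The realm NOVELL.COM, the keytab path /tmp/nidpkey.keytab and the sample listings are assumptions made for the example; only the two host names come from the TID.

```shell
#!/bin/sh
# Added example, not part of the TID: check whether the HTTP/ service
# principal in the Identity Server keytab was created for the actual host
# name ($HOSTNAME, slesdev1.novell.com) or, by mistake, for the host part
# of the IdP base URL (ids1.novell.com).
# Assumptions not stated in the TID: realm NOVELL.COM, keytab path
# /tmp/nidpkey.keytab, and the klist -kt output format shown below.

IDP_HOST="slesdev1.novell.com"      # what $HOSTNAME returns on the IDP box
BASE_URL_HOST="ids1.novell.com"     # host part of the Identity Provider base URL

# expected_spn HOSTNAME : the SPN the TID says must exist in AD and the keytab
expected_spn() {
    printf 'HTTP/%s\n' "$1"
}

# keytab_has_spn SPN LISTING : succeed if a "klist -kt" listing holds SPN.
# The principal column is "SPN@REALM"; the realm is ignored for the comparison.
keytab_has_spn() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { split($NF, p, "@"); if (p[1] == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_spn HOSTNAME BASE_URL_HOST LISTING
#   returns 0 : keytab has HTTP/HOSTNAME (correct per the TID)
#   returns 1 : keytab only has HTTP/BASE_URL_HOST (the mistake the TID describes)
#   returns 2 : no HTTP/ principal for either name
check_spn() {
    host="$1"; urlhost="$2"; listing="$3"
    if keytab_has_spn "$(expected_spn "$host")" "$listing"; then
        echo "ok: keytab contains $(expected_spn "$host")"
        return 0
    fi
    if [ "$host" != "$urlhost" ] && keytab_has_spn "$(expected_spn "$urlhost")" "$listing"; then
        echo "wrong SPN: keytab has $(expected_spn "$urlhost") (base URL host), but the IDP host is $host"
        echo "recreate it on the DC with: ktpass /princ $(expected_spn "$host")@NOVELL.COM /mapuser <account> ..."
        return 1
    fi
    echo "no HTTP/ principal for $host or $urlhost in keytab"
    return 2
}

# Constructed sample listings (what "klist -kt /tmp/nidpkey.keytab" would show).
SAMPLE_WRONG='Keytab name: FILE:/tmp/nidpkey.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 01/01/70 00:00:00 HTTP/ids1.novell.com@NOVELL.COM'

SAMPLE_RIGHT='Keytab name: FILE:/tmp/nidpkey.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 01/01/70 00:00:00 HTTP/slesdev1.novell.com@NOVELL.COM'

for listing in "$SAMPLE_WRONG" "$SAMPLE_RIGHT"; do
    check_spn "$IDP_HOST" "$BASE_URL_HOST" "$listing" || :
done

# On the IDP itself, run against the live keytab instead of the samples:
#   check_spn "$(hostname -f)" "$BASE_URL_HOST" "$(klist -kt /tmp/nidpkey.keytab)"
```

Run on the Identity Server, the last commented line replaces the constructed listings with the real keytab; pass the value of $HOSTNAME (or hostname -f) as the first argument, since that is the name the TID says the principal must carry. The AD side can be cross-checked with setspn -L on the mapped account: the HTTP/ entry shown there must be the same name that check_spn reports as present in the keytab.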