How to configure Desktop Integration Siebel Agent (DISA) for Microsoft Active Directory with Kerberos Authentication

(Doc ID 2380365.1)

Last updated on APRIL 03, 2018

Applies to:

Siebel CRM - Version 15.9 [IP2015] and later
Information in this document applies to any platform.

Goal

The goal of this document is to provide more information on how to configure Desktop Integration Siebel Agent (DISA) for Microsoft Active Directory with Kerberos Authentication. If you have questions about Kerberos Authentication, need help configuring it, or have problems directly with Kerberos Authentication, please contact your Microsoft Active Directory administrator.

Some users report that Desktop Integration Siebel Agent (DISA) does not work properly after importing a CA certificate into the DISA Java JRE keystore. The following error message was captured in the DISA logs:

 

After further investigation, we were able to identify that the customer was using Single Sign-On (SSO) on Microsoft Active Directory with Kerberos Authentication.

Description:

Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

DISA supports Kerberos authentication using the Java Generic Security Services (GSS) API with SPNEGO. SPNEGO is the Simple and Protected GSS-API Negotiation Mechanism, standardized by the IETF in RFC 4178. It is a pseudo-security mechanism used to negotiate an underlying security mechanism, which gives the client and server the flexibility to securely negotiate a common GSS security mechanism.

 

Fallback Sequence:

When a request from DISA requires Kerberos authentication, DISA first tries to use the locally cached TGT (Ticket Granting Ticket) session key. If no local TGT cache is available, DISA prompts for a username and password in a dialog.

For the local TGT cache, DISA first searches the Windows LSA (Local Security Authority) for a TGT. If no TGT is found in the LSA, it looks for a local credential cache file.

 

 

Solution
