Configuring Kerberos single sign-on on the Windows client host

After you have configured Kerberos on the LSF and LSF Application Center hosts, the final step in the flow of enabling single sign-on with Kerberos is to configure Kerberos on the client host, which includes setting the browsers for Kerberos access on the client so that users can single sign on to LSF Application Center using Kerberos authentication.


Configure browsers for Kerberos single sign-on access with SPNEGO authentication from a Windows client:
  • Mozilla Firefox:
    1. Open Firefox, and from the address field, type about:config.
    2. Accept the risk, if cautioned about changing advanced configuration preferences.
    3. In the search filed, type negotiate.
    4. Click the pencil icon to edit the network.negotiate-auth.trusted-uris parameter to the LSF Application Center server host you want to authenticate against (for example, myhost).
    5. Click the check mark icon to save your settings.
  • Internet Explorer, Microsoft Edge, and Google Chrome:
    1. Open the browser and select Tools > Internet Options and then the Security tab.
    2. In the Local intranet section, click Sites > Advanced.
    3. In the Add this website to the zone field, add the LSF Application Center server host (for example, http://myhost) and click Add to add it to the Websites list. Adding the server host to this secure zone list ensures that is trusted.
    4. Click Close.
    5. In the Local intranet section, click Custom level, scroll to the User Authentication section, and enable Automatic logon with current user name and password.
    6. Click OK, and OK again, to save your settings and exit.


This completes the flow to enable single sign-on with Kerberos to allow users to log onto their Windows clients and directly access IBM Spectrum LSF Application Center without re-logging on. Note that single sign-on to IBM Spectrum LSF Application Center requires only the hostname and port for the LSF Application Center server host (for example, http://myhost:8080). The FQDN is not required.