Configuring SSO for WCC and EEM is simple. However, our documents are not clear on what is required. With this document, we outline the requirements and steps to accomplish this.
To configure WCC with SSO
1. Ensure EEM is configured with the AD that has the domain users
Configuring EEM with NTLM
Do the following before you configure NTLM authentication:
- Verify that the CA EEM Server is installed on a Windows Server and is connected to an Active Directory.
- Verify that the users launch the application from a Windows computer.
- Verify that the CA EEM Server and the computer where the users are launching the application are part of the same network domain. If the computers are part of nested domains, ensure that the CA EEM Server and the computer where the application is launched belong to domains that have a trust relation established.
- Verify that the domain users are added to the User Groups on the computer where the application is being launched.
2. Enable SSO (NTLM) from WCC Configuration tab
To enable SSO (NTLM) set Single Sign-On to NTLM with the Configuration Preferences under the Configuration tab and click on Save.
The Single Sign-On category contains the following fields:
- Single Sign-On
Indicates whether single sign-on using NTLM authentication protocol or integration with CA Siteminder is enabled. CA WCC uses NTLM protocol or CA Siteminder to authenticate your session when single sign-on is active. To disable single sign-on, select None. If you disable single sign-on, CA WCC requires you to authenticate your session by entering login credentials.
Default: Not selected
- Force Kerberos Compatibility
Indicates whether to force NTLM authentication when the browser is Kerberos capable. When this check box is selected and single sign-on is active, CA WCC overrides Kerberos protocol and uses NTLM protocol to authenticate your session. If you disable this option, CA WCC requires you to authenticate sessions that you open on Kerberos compatible browsers by entering your login credentials.
Now when you log out of WCC and go back to the Login Screen, the link option, “Log in automatically using Windows credentials” will be available. WCC with SSO (NTLM) is now enabled.
Configuring WCC with NTLM / SSO
You can use NTLM protocol to configure single sign-on capability. CA WCC does not support Kerberos authentication protocol but compatibility with Kerberos can be enabled by selecting the Force Kerberos compatibility checkbox. If you do not enable NTLM, CA WCC requires you to authenticate your session by entering login credentials.
- If you change your domain password while NTLM authentication is enabled, clear the browser cache.
- For more information about authentication protocol configuration settings, see the Configuration Help.