I’m still trying to get single sign-on working. As a part of this, I would like to understand how SPNs and keytabs must be set up to enable SSO in the Automic Web Interface.
The documentation page on SSO set-up contains very little information on this topic:
SSO configuration for web applications
In order to implement Single Sign-on for web applications (such as Automic Web Interface or Automic Release Automation), a keytab file with HTTP as Service Principal Name is required.
In this example, winhost01 is the host on which, for example, the Automic Web Interface (Tomcat) is installed.
The SPN name must also be entered in the variable UC_KDC_SETTINGS using the "HTTP" key. If several AWI/ARA installations are available for an Automation Engine system, then other names separated by a semicolon can be added.
These instructions indicate that winhost01 and winhost02 are the servers where the AWI is hosted, but no instructions are provided for creating the keytab file containing the HTTP keys. It is not clear whether this keytab file should be the same one containing the AE service keys, or a separate keytab. It is not clear where the keytab(s) should be placed (on which server, and in which directory). The documentation page on configuring AWI login and user authentication does not answer these questions either.
Can anyone fill in the gaps?