Overview

I have recently had the opportunity of implement Kerberos Desktop Single Signon (SSO) for PeopleSoft. Some people may refer to this as Windows Integrated Authentication (WIA). Getting this to work was a bit of a challenge, and this blog post is the first in a series that documents how it was done in my environment.

Desktop SSO in this context means that mutual authentication occurs between the user’s browser and the PeopleSoft application. The user’s domain credentials are used to create a secure ticket by the Key Distribution Center. This ticket is then used by the client to authenticate to the server.
In other words, once the user is logged on to their domain computer, authentication to PeopleSoft is seamless without the need for additional authentication. There are some requirements for browser configuration that will be covered later.

It should also be mentioned that Oracle has removed the documentation for the Kerberos Software Development Kit in PeopleTools 8.54 and later. However it still works in PT 8.54.

References

I relied heavily on the following resources:

PeopleBooks: Implementing Kerberos as the Desktop Single Signon Solution

Remote PS Admins: PeopleSoft Desktop Single Sign-on via Kerberos

AB’s PeopleSoft Corner: PeopleSoft and Kerberos integration: Desktop Single Signon Solution

Environment

My development reference environment:

srv-ihmt-dev (Interaction Hub 9.1 PT 8.54.10 on Windows 2012 R2)
srv-fscmmt-dev (FSCM 9.2 PT 8.54.05 on Windows 2012 R2)
srv-hrmt-dev (HCM 9.2 PT 8.54.10 on Windows 2012 R2)

srv-db (SQL Server 2014 SP2 on Windows 2012 R2)

srv-dc01 (Domain controller)

Next Steps

In the next post I will cover how to setup the service account and Server Principal Names. Stay tuned.