If using a browser to access a station using LDAP/Kerberos, by default you may see a login dialog similar to Figure 15 below.
Often[2], you simply click this “” button to log in as the current user, without having to enter any credentials. Alternatively, for single sign-on (SSO) access you may go to the /login-kerb page (instead of the default /login page), whereby you are directly logged into the station (no button press required).
If you can successfully log in using single sign-on, and want to bypass the login dialog shown above in the future (logging directly into the station), check the “Remember my choice” check box at the bottom. This is effectively the same as going to the station’s /login-kerb page.
To subsequently remove the bypass of the login dialog (from either technique above), clear your browser’s cookies. Then, upon the next access from the browser, the station login dialog returns (Figure 15).
Note that in order to log in using your current LDAP credentials, the station must reside in the same realm as you. For example, if you are logged into the FACTORY realm, you will not be able to use your credentials to access a station set up for the EXAMPLE realm.
If the station is not set up to use the same realm as your currently-logged-in user, you can enter your Kerberos/LDAP credentials directly into the credentials fields and click the “” button. These are sent over to the station in plain text, where the station then takes care of the Kerberos authentication. In this case it is strongly recommended that you use SSL, so as to protect your password. See Credentials access using browser for a related caution.
If not using the SSO login access feature, you can click the “OR (Hide)” link in the login dialog. In this case, the browser login dialog collapses to a smaller size (Figure 16).
Click the “OR (Show)” link to toggle the login dialog back full size, as shown in Figure 15. The last used (Show, Hide) login dialog setting should remain cached in your browser.
See the following topics for more details on browser access to an LDAP/Kerberos station:
Kerberos is supported on all “Hotspot JACEs”, such as newer QNX-based JACE controllers (JACE-3/6/7 series). However, all QNX-based JACE controllers currently use Java5, which does not support Kerberos tokens sent by browsers for the SSO login feature.
Therefore, to access a JACE station using Kerberos via a browser, you must enter your LDAP credentials in the Username and Password fields, and use the regular “Login” button. The station login dialog from a browser appears similar to Figure 17.
As shown in Figure 17, the SSO login features (toggled with Show or Hide) do not appear in the login dialog to a QNX-based JACE station.
See Credentials access using browser for further details and a caution.
To log into the station as an LDAP user when SSO access is not supported, or to log in as a different LDAP user (or a local station user, e.g. “admin”), enter the appropriate username and password in the credentials fields and click the upper “” button.
Any time you choose to do this (logging in by entering credentials and clicking the button), we strongly recommend that you use SSL, so as to protect your password.
Text for “RealmDisplayName” is set by a property value in the station’s Kerberos authenticator, as shown in the Figure 18 example below. By default, this property is blank, and usage is optional.
If used, this text appears in the full browser login dialog, as shown in Figure 15, used for SSO access (no credentials required).
If this property is left blank, the “RealmDisplayName Login” button in that dialog shows “”, e.g. “”. The “Realm” text is also used above the button, for example “Log in as current TRIDIUM.NET user”.
The default browser login dialog includes a “What do I need to do>” link above the “” button. This link produces a popup window with Kerberos-specific setup information summarized for the client PC and its different browsers, as shown in Figure 19.
This information may be useful as a “first tier” check for an LDAP user to follow if the single sign-on (SSO) feature is not working. This same information is in this document’s LDAP / Active Directory Quick Start section, mostly in the subsection Browser-specific setup.
Remember, the SSO feature from a browser does not work if accessing a station on a QNX-based JACE, only a station running on a Windows-based host. See Kerberos usage notes for JACE stations.
[2] If a QNX-based JACE station, the SSO features are not supported—instead you must enter credentials and use the normal Login button. See Kerberos usage notes for JACE stations for background information, and also Credentials access using browser.
Copyright © 2000-2014 Tridium Inc. All rights reserved.