Novell Access Manager 3.1 SP1 Identity Server Guide (19 February 2010)

This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Specify a comma-delimited list of trusted domains or URLs.

For this example configuration, you would add http://amser.provo.novell.com to the list.

If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser can delegate user authorization to the server. Specify a comma-delimited list of trusted domains or URLs.

For this example configuration, you would add http://amser.provo.novell.com to the list.

4 Click OK. The configuration appears as updated.

Restart your Firefox browser to activate this configuration.

5 In the URL field, enter the base URL of the Identity Server with port and application. For this example configuration:

http://amser.provo.novell.com:8080/nidp

The Identity Server should authenticate the user without prompting the user for authentication information. If a problem occurs, check for the following configuration errors:

• Verify the default user store and contract. See Step 13.
• View the catalina.out file and verify the configuration. See “Verifying the Kerberos Configuration” on page 123.
• If you make any modifications to the configuration, either in the Administration Console or to the bcsLogin file, restart Tomcat on the Identity Server.

3.4.5 Configuring the Access Gateway for Kerberos Authentication

If you have set up a Web server that you want to require Kerberos authentication for access, you can set up a protected resource for this Web server as you would for any other Web server, and select the name of your Kerberos contract for the contract. For instructions, see “Configuring Protected Resources” in the Novell Access Manager 3.1 SP1 Access Gateway Guide.

When using Kerberos for authentication, the LDAP credentials are not available. If you need LDAP credentials to provide single sign-on to some resources, see Access Management Authentication Class Extension to Retrieve Password for Single Sign-on (http://www.novell.com/communities/node/4556) for a possible solution.

3.4.6 Upgrading from Access Manager 3.0 SP4 or 3.1

If you are upgrading from 3.0 SP4 to 3.1 SP1, see “Upgrading the SP4 Identity Servers” in the Novell Access Manager 3.1 SP1 Installation Guide for information on how to modify your Kerberos configuration for 3.1 SP1.

If you are upgrading from 3.1 to 3.1 SP1, see “Upgrading from Access Manager 3.1 to 3.1 SP1” in the Novell Access Manager 3.1 SP1 Installation Guide for information on how to modify your Kerberos configuration for 3.1 SP1.
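
Returning to the Firefox preferences set in the SPNEGO steps above: the following is an added example, not part of the Novell guide, that audits a profile's prefs.js so that the negotiate and delegation lists contain only the Identity Server host. The function names and the sample profile text are hypothetical, and network.negotiate-auth.trusted-uris is assumed to be the first preference the steps describe (its name falls before the start of this page).

```python
import re

# The two about:config preferences from the Firefox steps above.
SPNEGO_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)
# prefs.js / user.js store string preferences as user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);', re.M)


def entry_host(entry):
    """Strip an optional scheme, port and path from one list entry (hypothetical helper)."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", entry)
    return rest.split("/")[0].split(":")[0].lower()


def audit_spnego_prefs(prefs_text, expected_host):
    """Return (pref, entry, finding) tuples for entries wider than expected_host."""
    prefs = dict(PREF_RE.findall(prefs_text))
    findings = []
    for name in SPNEGO_PREFS:
        # An unset preference yields an empty list, which is not a finding.
        for entry in (e.strip() for e in prefs.get(name, "").split(",")):
            if not entry:
                continue
            host = entry_host(entry)
            if not host:
                findings.append((name, entry, "scheme-only entry, not limited to one site"))
            elif host != expected_host.lower():
                findings.append((name, entry, "not the Identity Server host"))
    return findings


# Constructed sample profile content (not taken from a real system).
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "http://amser.provo.novell.com, https://");
user_pref("network.negotiate-auth.delegation-uris", "http://amser.provo.novell.com,novell.com");
'''

if __name__ == "__main__":
    for pref, entry, finding in audit_spnego_prefs(SAMPLE_PREFS, "amser.provo.novell.com"):
        print(f"{pref}: {entry!r}: {finding}")
```

To use it, read the prefs.js file from the user's Firefox profile directory and pass its text together with the Identity Server host name.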