Single Signon based on Microsoft Kerberos (AD)

[Tsunami]

I've think I've configured everything based on the KB article but it's not automatically authenticating.

I've verified the settings and prerequisites.  Everything seems to be setup right.  Only thing I question is that in IIS, I went to the specific website and set the directory security.  Should I have done it a higher level?

When I select AD as my namespace, Cognos pulls in my domain/username but I still have to enter my password.  What am I missing to get this far but not have Cognos pull in my password?   I didn't think an advanced property was required for kerebos...or does it?  Do I need to restart the service?

[SomeClown]

Is IIS configured to require Kerberos?  In my experience, IIS usually isn't using Kerberos but NTLM.  I've had success in getting single signon to work when I used NTLM (singleSignonOption  IdentityMapping  for the parm)

[Tsunami]

I thought that it uses Kerberos by default?  How do I check this setting?

Update:  I got it to work by using the singleSignonOption

[smiley]

Without that setting, it uses as full kerberos handshake, that has a lot of requirements to meet, includign making changes to your AD.
The singlesignonoption utilises the remote_user variable, which is a bit less safer as it can be spoofed, but still does the job of a single signon very well.
Normally no problem inside a regular network.