On your managed, domain-joined machines, AppsAnywhere should be configured to log the user on automatically after they have logged in to the Windows desktop machine, using Kerberos Windows Pass-through Single Sign On (SSO).
For AppsAnywhere to support Kerberos Windows Pass-through SSO, the AppsAnywhere LDAP Service account requires SPN (Service Principal Name) records to be added.
These SPN records must be created before SSO can be configured via the ACC (Appliance Configuration Console).
The SPN record required is:
HTTP/<FQDN of Load Balanced AppsAnywhere service>
For testing, the following can also be added:
HTTP/<FQDN of Appliance(s)>
Replace <FQDN of Load Balanced AppsAnywhere service> with the Fully Qualified Domain Name of your AppsAnywhere load balanced service.
Replace <FQDN of Appliance(s)> with the Fully Qualified Domain Name of the AppsAnywhere appliance(s).
SPN record syntax is case-sensitive:
The HTTP part of the SPN must be in uppercase.
The FQDN must be in lowercase.
A forward slash '/' should be included.
SPN records can be created using the Windows setspn.exe tool or via the Attribute Editor tab within the user's account properties (via the Active Directory Administrative Center or via Active Directory Users and Computers).
For further information regarding the Microsoft setspn.exe tool please see the Microsoft documentation.
The example commands below must be updated for your environment and run as a domain admin on a domain-joined machine.
To add the SPN records:
setspn -a HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
To remove the SPN records:
setspn -d HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
To list the SPN records registered on the account:
setspn -l appsanywhere_ldaps
Registered ServicePrincipalNames for CN=appsanywhere_ldaps,CN=Users,DC=uni,DC=edu:
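The syntax rules and setspn commands above can be combined into a pre-flight check. The following PowerShell is an added example, not part of the AppsAnywhere documentation: it assumes the RSAT ActiveDirectory module is installed, reuses the page's sample account and host names, and defines a hypothetical helper named Test-SpnSyntax. It validates the case and format of each SPN, checks whether any account in the current domain already holds it, and only then runs the page's setspn -a command.

```powershell
# Added example. Account and host names are the page's sample values.
$Account = 'appsanywhere_ldaps'
$Spns = @(
    'HTTP/appsanywhere.uni.edu',      # load balanced service
    'HTTP/appsanywhere01.uni.edu',    # appliance (testing)
    'HTTP/appsanywhere02.uni.edu'     # appliance (testing)
)

function Test-SpnSyntax {             # hypothetical helper name
    param([Parameter(Mandatory)][string]$Spn)
    # -cmatch is case-sensitive: uppercase HTTP, one '/', lowercase dotted FQDN.
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?'
    return $Spn -cmatch ('^HTTP/{0}(\.{0})+$' -f $label)
}

# Assumption: the RSAT Active Directory PowerShell module is available.
Import-Module ActiveDirectory -ErrorAction Stop

foreach ($spn in $Spns) {
    if (-not (Test-SpnSyntax -Spn $spn)) {
        Write-Warning "Skipping '$spn': expected HTTP/<lowercase FQDN>"
        continue
    }

    # Find every object in the current domain that already carries this SPN.
    # The same SPN on two accounts makes Kerberos ticket requests fail.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                             -Properties sAMAccountName)
    $others = @($owners | Where-Object { $_.sAMAccountName -ne $Account })

    if ($others.Count -gt 0) {
        $names = $others.sAMAccountName -join ', '
        Write-Warning "'$spn' is already registered on: $names. Not adding."
        continue
    }
    if ($owners.Count -gt 0) {
        Write-Output "'$spn' is already present on $Account. Nothing to do."
        continue
    }

    # Same command as in the documentation above.
    & setspn.exe -a $spn $Account
}

# Confirm the result.
& setspn.exe -l $Account
```

Get-ADObject searches only the current domain by default, so in a multi-domain forest the duplicate check must be repeated against the other domains or a global catalog.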