Overview

On your managed, domain-joined machines, AppsAnywhere should be configured to log users on automatically after they have logged into the Windows desktop machine, using Kerberos Windows Pass-through Single Sign On (SSO).

For AppsAnywhere to support Kerberos Windows Pass-through SSO, the AppsAnywhere LDAP Service account requires SPN (Service Principal Name) records to be added.

These SPN records must be created before SSO can be configured via the ACC (Appliance Configuration Console).

Configuration

The SPN record required is:

  1. HTTP/<FQDN of Load Balanced AppsAnywhere service>

e.g.

HTTP/appsanywhere.uni.edu

Optional

For testing, the following can also be added:

  1. HTTP/<FQDN of Appliance(s)>

e.g.

HTTP/appsanywhere01.uni.edu
HTTP/appsanywhere02.uni.edu

Note

  • Replace <FQDN of Load Balanced AppsAnywhere service> with the Fully Qualified Domain Name of your AppsAnywhere load balanced service

  • Replace <FQDN of Appliance(s)> with the Fully Qualified Domain Name of the AppsAnywhere appliance(s)

  • SPN record syntax is case-sensitive

  • The HTTP part of the SPN must be in uppercase

  • The FQDN must be in lowercase

  • A forward slash '/' should be included between HTTP and the FQDN

SPN records can be created using the Windows setspn.exe tool or via the Attribute Editor tab within the user's account properties (via the Active Directory Administrative Center or via Active Directory Users and Computers).

For further information regarding the Microsoft setspn.exe tool please see the Microsoft documentation.

Example Commands

These commands must be updated with your own values and run as a domain admin on a domain-joined machine.

Adding SPNs

setspn -a HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere02.uni.edu appsanywhere_ldaps

Removing SPNs

setspn -d HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere02.uni.edu appsanywhere_ldaps

Verifying Records

Listing SPNs

setspn -l appsanywhere_ldaps

Example output

Registered ServicePrincipalNames for CN=appsanywhere_ldaps,CN=Users,DC=uni,DC=edu:
HTTP/appsanywhere.uni.edu
HTTP/appsanywhere-srv01.uni.edu
HTTP/appsanywhere-srv02.uni.edu
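
Pre-check script

The format rules from the Note and the add and list commands above, combined into one script. This is an added example, not part of the AppsAnywhere documentation. It assumes the RSAT ActiveDirectory PowerShell module is installed and uses the sample hostnames and account name from this page. It also checks that no other account already holds the SPN, because an SPN registered on more than one account breaks Kerberos authentication for that service.

```powershell
# Added example (not vendor code). Assumes the RSAT ActiveDirectory module.
# Hostnames and account name are the sample values from this page; replace them.
Import-Module ActiveDirectory

$Account = 'appsanywhere_ldaps'
$Spns = @(
    'HTTP/appsanywhere.uni.edu',     # load balanced service (required)
    'HTTP/appsanywhere01.uni.edu',   # appliances (optional, for testing)
    'HTTP/appsanywhere02.uni.edu'
)

function Test-SpnFormat {
    param([string]$Spn)
    # Case-sensitive match: uppercase HTTP, one forward slash, lowercase FQDN.
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?'
    return $Spn -cmatch "^HTTP/$label(\.$label)+$"
}

foreach ($Spn in $Spns) {
    if (-not (Test-SpnFormat $Spn)) {
        Write-Warning "Skipping '$Spn': expected HTTP/<lowercase fqdn>"
        continue
    }

    # Find every object in the domain that already holds this SPN.
    # The value is safe to place in the filter because it passed Test-SpnFormat.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $Account })

    if ($others.Count -gt 0) {
        Write-Warning "'$Spn' is already registered on: $($others.sAMAccountName -join ', ')"
        continue
    }
    if ($holders.Count -gt 0) {
        Write-Output "'$Spn' is already present on $Account"
        continue
    }

    # -s adds the SPN only after setspn has itself checked for duplicates.
    setspn -s $Spn $Account
}

# Confirm the final state of the service account.
setspn -l $Account
```

Run it from an elevated PowerShell session with the same domain admin rights as the commands above.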