---
title: WindowsDesktopSsoModule
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-windowsdesktopssomodule
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-windowsdesktopssomodule.html
section_ids:
  sec-amster-entity-windowsdesktopssomodule-realm-ops: Realm Operations
  sec-amster-entity-windowsdesktopssomodule-realm-ops-create: create
  sec-amster-entity-windowsdesktopssomodule-realm-ops-delete: delete
  sec-amster-entity-windowsdesktopssomodule-realm-ops-getalltypes: getAllTypes
  sec-amster-entity-windowsdesktopssomodule-realm-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-windowsdesktopssomodule-realm-ops-nextdescendents: nextdescendents
  sec-amster-entity-windowsdesktopssomodule-realm-ops-query: query
  sec-amster-entity-windowsdesktopssomodule-realm-ops-read: read
  sec-amster-entity-windowsdesktopssomodule-realm-ops-update: update
  sec-amster-entity-windowsdesktopssomodule-global-ops: Global Operations
  sec-amster-entity-windowsdesktopssomodule-global-ops-getalltypes: getAllTypes
  sec-amster-entity-windowsdesktopssomodule-global-ops-getcreatabletypes: getCreatableTypes
  sec-amster-entity-windowsdesktopssomodule-global-ops-nextdescendents: nextdescendents
  sec-amster-entity-windowsdesktopssomodule-global-ops-read: read
  sec-amster-entity-windowsdesktopssomodule-global-ops-update: update
---

# WindowsDesktopSsoModule

## Realm Operations

Resource path:

```
/realm-config/authentication/modules/windowsdesktopsso
```

Resource version: `0.0`

### create

**Usage**

```
am> create WindowsDesktopSsoModule --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authenticationLevel" : {
        "title" : "Authentication Level",
        "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "integer",
        "exampleValue" : ""
      },
      "returnPrincipalWithDomainName" : {
        "title" : "Return Principal with Domain Name",
        "description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "kerberosServerName" : {
        "title" : "Kerberos Server Name",
        "description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "principalName" : {
        "title" : "Service Principal",
        "description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "keytabFileName" : {
        "title" : "Keytab File Name",
        "description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "lookupUserInRealm" : {
        "title" : "Search for the user in the realm",
        "description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "trustedKerberosRealms" : {
        "title" : "Trusted Kerberos realms",
        "description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
        "propertyOrder" : 700,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "kerberosRealm" : {
        "title" : "Kerberos Realm",
        "description" : "The name of the Kerberos (Active Directory) realm used for authentication",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "kerberosServiceIsinitiator" : {
        "title" : "isInitiator",
        "description" : "Configuration used for JDK Kerberos LoginModule. True, if initiator. False, if acceptor only. Default is true",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      }
    }
  }
  ```
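A pre-flight check for a `--body` document, run before passing it to `create` or `update`, written as an added example (not Ping Identity code). It enforces the property names and types from the schema above and flags the two settings whose descriptions imply weaker validation when left off. `lint_body`, `SAMPLE`, the host names and the keytab path are hypothetical; a POSIX-style keytab path is assumed, and the realm comparison is a heuristic added here.

```python
import json
import re
from pathlib import PurePosixPath

# Property names and JSON types copied from the schema above (all are required).
SCHEMA_TYPES = {
    "authenticationLevel": int, "returnPrincipalWithDomainName": bool,
    "kerberosServerName": str, "principalName": str, "keytabFileName": str,
    "lookupUserInRealm": bool, "trustedKerberosRealms": list,
    "kerberosRealm": str, "kerberosServiceIsinitiator": bool,
}
# Shape given in the schema description: HTTP/openam.forgerock.com@AD_DOMAIN.COM
SPN_RE = re.compile(r"^HTTP/([A-Za-z0-9.-]+)@([A-Za-z0-9._-]+)$")

def lint_body(body_json):
    """Return (errors, warnings) for a WindowsDesktopSsoModule --body string."""
    body, errors, warnings = json.loads(body_json), [], []
    for name, typ in SCHEMA_TYPES.items():
        value = body.get(name)
        # bool is a subclass of int in Python, so reject it for integer fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            errors.append(f"{name}: missing or not {typ.__name__}")
    if errors:
        return errors, warnings
    spn = SPN_RE.match(body["principalName"])
    if not spn:
        errors.append("principalName: expected HTTP/<host>@<REALM>")
    elif spn.group(2) != body["kerberosRealm"]:
        # Heuristic added here, not a rule stated by the schema.
        warnings.append("principalName realm differs from kerberosRealm")
    if not PurePosixPath(body["keytabFileName"]).is_absolute():
        errors.append("keytabFileName: must be an absolute path")
    if not all(isinstance(r, str) for r in body["trustedKerberosRealms"]):
        errors.append("trustedKerberosRealms: items must be strings")
    elif not body["trustedKerberosRealms"]:
        warnings.append("trustedKerberosRealms empty: no realm restriction on tickets")
    if not body["lookupUserInRealm"]:
        warnings.append("lookupUserInRealm false: no user profile check")
    return errors, warnings

# Constructed sample body; host, realm and keytab path are placeholders.
SAMPLE = json.dumps({
    "authenticationLevel": 0, "returnPrincipalWithDomainName": False,
    "kerberosServerName": "dc1.ad.example.com",
    "principalName": "HTTP/am.example.com@AD.EXAMPLE.COM",
    "keytabFileName": "/opt/am/keytabs/am.keytab", "lookupUserInRealm": True,
    "trustedKerberosRealms": ["AD.EXAMPLE.COM"], "kerberosRealm": "AD.EXAMPLE.COM",
    "kerberosServiceIsinitiator": True,
})
```

An empty error list means the body matches the schema's types; warnings are review prompts, not schema violations.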

### delete

**Usage**

```
am> delete WindowsDesktopSsoModule --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --realm Realm --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --realm Realm --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --realm Realm --actionName nextdescendents
```

### query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

**Usage**

```
am> query WindowsDesktopSsoModule --realm Realm --filter filter
```

**Parameters**

* *\--filter*

  A CREST formatted query filter, where "true" will query all.

### read

**Usage**

```
am> read WindowsDesktopSsoModule --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### update

**Usage**

```
am> update WindowsDesktopSsoModule --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "authenticationLevel" : {
        "title" : "Authentication Level",
        "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
        "propertyOrder" : 600,
        "required" : true,
        "type" : "integer",
        "exampleValue" : ""
      },
      "returnPrincipalWithDomainName" : {
        "title" : "Return Principal with Domain Name",
        "description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
        "propertyOrder" : 500,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "kerberosServerName" : {
        "title" : "Kerberos Server Name",
        "description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
        "propertyOrder" : 400,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "principalName" : {
        "title" : "Service Principal",
        "description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
        "propertyOrder" : 100,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "keytabFileName" : {
        "title" : "Keytab File Name",
        "description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
        "propertyOrder" : 200,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "lookupUserInRealm" : {
        "title" : "Search for the user in the realm",
        "description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
        "propertyOrder" : 800,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "trustedKerberosRealms" : {
        "title" : "Trusted Kerberos realms",
        "description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
        "propertyOrder" : 700,
        "required" : true,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "kerberosRealm" : {
        "title" : "Kerberos Realm",
        "description" : "The name of the Kerberos (Active Directory) realm used for authentication",
        "propertyOrder" : 300,
        "required" : true,
        "type" : "string",
        "exampleValue" : ""
      },
      "kerberosServiceIsinitiator" : {
        "title" : "isInitiator",
        "description" : "Configuration used for JDK Kerberos LoginModule. True, if initiator. False, if acceptor only. Default is true",
        "propertyOrder" : 900,
        "required" : true,
        "type" : "boolean",
        "exampleValue" : ""
      }
    }
  }
  ```

## Global Operations

Resource path:

```
/global-config/authentication/modules/windowsdesktopsso
```

Resource version: `1.0`

### getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --global --actionName getAllTypes
```

### getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --global --actionName getCreatableTypes
```

### nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

**Usage**

```
am> action WindowsDesktopSsoModule --global --actionName nextdescendents
```

### read

**Usage**

```
am> read WindowsDesktopSsoModule --global
```

### update

**Usage**

```
am> update WindowsDesktopSsoModule --global --body body
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "defaults" : {
        "properties" : {
          "keytabFileName" : {
            "title" : "Keytab File Name",
            "description" : "The path of the AD keytab file<br><br>This is the absolute pathname of the AD keytab file. The keytab file is generated by the Active Directory server.",
            "propertyOrder" : 200,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "trustedKerberosRealms" : {
            "title" : "Trusted Kerberos realms",
            "description" : "List of trusted Kerberos realms for User Kerberos tickets.<br><br>If realms are configured, then Kerberos tickets are only accepted if the realm part of the UserPrincipalName of the Users Kerberos ticket matches a realm from the list.",
            "propertyOrder" : 700,
            "required" : true,
            "items" : {
              "type" : "string"
            },
            "type" : "array",
            "exampleValue" : ""
          },
          "principalName" : {
            "title" : "Service Principal",
            "description" : "The name of the Kerberos principal used during authentication<br><br>This principal must match the name used in the keytab file created from the Active Directory server.<br/>The format of the field is as follows:<br/><br/><code>HTTP/openam.forgerock.com@AD_DOMAIN.COM</code>",
            "propertyOrder" : 100,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "returnPrincipalWithDomainName" : {
            "title" : "Return Principal with Domain Name",
            "description" : "Returns the fully qualified name of the authenticated user rather than just the username.",
            "propertyOrder" : 500,
            "required" : true,
            "type" : "boolean",
            "exampleValue" : ""
          },
          "kerberosServerName" : {
            "title" : "Kerberos Server Name",
            "description" : "The hostname/IP address of the Kerberos (Active Directory) server.",
            "propertyOrder" : 400,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "kerberosRealm" : {
            "title" : "Kerberos Realm",
            "description" : "The name of the Kerberos (Active Directory) realm used for authentication",
            "propertyOrder" : 300,
            "required" : true,
            "type" : "string",
            "exampleValue" : ""
          },
          "lookupUserInRealm" : {
            "title" : "Search for the user in the realm",
            "description" : "Validate that the user has a matched user profile configured in the data store.<br><br>If this option is enabled, the module validates whether the account corresponds to a user profile in the Data Store for the realm. The attributes to perform the search are configured under <i>Access Control > Realm Name > Authentication > All Core settings > Alias Search Attribute Name</i>.",
            "propertyOrder" : 800,
            "required" : true,
            "type" : "boolean",
            "exampleValue" : ""
          },
          "authenticationLevel" : {
            "title" : "Authentication Level",
            "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
            "propertyOrder" : 600,
            "required" : true,
            "type" : "integer",
            "exampleValue" : ""
          },
          "kerberosServiceIsinitiator" : {
            "title" : "isInitiator",
            "description" : "Configuration used for JDK Kerberos LoginModule. True, if initiator. False, if acceptor only. Default is true",
            "propertyOrder" : 900,
            "required" : true,
            "type" : "boolean",
            "exampleValue" : ""
          }
        },
        "type" : "object",
        "title" : "Realm Defaults"
      }
    }
  }
  ```
