SPNEGO web authentication enablement

You can enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authenticator for WebSphere® Application Server.

SPNEGO web authentication provides client-server single sign-on by negotiating the use of SPNEGO tokens between the browser and the application server.

Avoid trouble: The application server expects the Kerberos service principal name (SPN) for the real host name to be present in the Kerberos keytab file. If you use an alias host name, you have disabled this option, and the keytab file contains the SPN for the alias host name rather than for the real host name, use the com.ibm.websphere.security.krb.canonical_host custom property to set the alias host name through the SPNEGO configuration.

See the topic Using an alias host name for SPNEGO TAI authentication using the administrative console (deprecated), and the description of the com.ibm.websphere.security.krb.canonical_host custom property in the Security custom properties topic for more information about how to use this custom property.


To view this administrative console page, click Security > Global security. From Authentication, expand Web and SIP Security, and then click SPNEGO Web Authentication.

Dynamically update SPNEGO

Enables you to dynamically update the SPNEGO runtime when SPNEGO changes occur without restarting the application server.

Note: This option is disabled if the Enable SPNEGO option is not selected.
Default: Enabled

Enable SPNEGO

Specifies the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as a web authenticator for the application server.

Default: Disabled

Allow fall back to application authentication mechanism

Specifies that SPNEGO is tried first as the web authenticator for WebSphere Application Server. If the SPNEGO login fails, the application authentication mechanism is used to log in instead.

Avoid trouble: Fall back occurs only when a SPNEGO token is received and the SPNEGO login fails. If the client sends no SPNEGO token at all, no fall back occurs.

This option is disabled if the Enable SPNEGO option is not selected.

Default: Disabled

Kerberos configuration file with full path

The Kerberos configuration file name with its full path. You can click Browse to locate it.

The Kerberos client configuration file, krb5.conf or krb5.ini, contains Kerberos configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is the default name for all platforms except the Windows® operating system, which uses the krb5.ini file.

Data type: String

Kerberos keytab file name with full path

The Kerberos keytab file name with its full path. You can click Browse to locate it.

The Kerberos keytab file contains one or more Kerberos service principal names and their keys. The default keytab file is krb5.keytab. Protect the keytab file: store it on local disk and set its file permissions so that only the user that runs the application server can read it. Anyone who can read the keytab holds the long-term key of the service principal and can impersonate the service. Read about Creating a Kerberos service principal name and keytab file for more information.

If you do not specify a Kerberos keytab file then the default keytab file that is defined in the Kerberos configuration file is used.

Data type: String
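The following POSIX shell script is an added example and is not part of the IBM documentation. It performs the checks a practitioner would want before saving the two file settings above: it resolves the keytab that Kerberos uses when the keytab field is left blank (the default_keytab_name directive of krb5.conf, or /etc/krb5.keytab when the directive is absent), confirms that the keytab is readable only by its owner, and confirms that a keytab listing contains the HTTP service principal for the real (canonical) host name rather than only for an alias, which is the situation the canonical_host custom property addresses. The krb5.conf content, paths, realm, host names and listing text are constructed for the example; the listing format is that of MIT Kerberos klist -k, which is an assumption.

```shell
#!/bin/sh
# Added example (not part of the WebSphere documentation): pre-flight checks for the
# Kerberos configuration file and keytab settings. The krb5.conf, keytab paths, host
# names, realm and "klist -k" output used below are constructed for the example.

# Print the keytab that Kerberos uses when the WebSphere keytab field is left blank:
# the [libdefaults] default_keytab_name directive of the given krb5.conf, or the
# MIT default /etc/krb5.keytab when the directive is absent.
default_keytab_from_conf() {
    kt=$(awk -F= '$1 ~ /^[ \t]*default_keytab_name[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1")
    kt=${kt#FILE:}                       # krb5.conf permits a FILE: prefix
    printf '%s\n' "${kt:-/etc/krb5.keytab}"
}

# Succeed only if the keytab is readable by its owner alone (no group or other bits).
# ls -ld is used instead of stat so the check works on GNU and BSD userlands alike.
keytab_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read a "klist -k" listing on stdin and succeed only if it carries the HTTP service
# principal for the given host and realm. WebSphere looks for the SPN of the real
# (canonical) host name, so pass that name, not a DNS alias.
listing_has_spn() {
    awk -v spn="HTTP/$1@$2" '$2 == spn { found = 1 } END { exit !found }'
}

# ---- Demonstration with constructed data ----
work=$(mktemp -d)
cat > "$work/krb5.conf" <<EOF
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:$work/krb5.keytab
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
EOF
: > "$work/krb5.keytab"                  # empty stand-in for a real keytab
chmod 600 "$work/krb5.keytab"

keytab=$(default_keytab_from_conf "$work/krb5.conf")
echo "keytab resolved from krb5.conf: $keytab"
keytab_perms_ok "$keytab" && echo "keytab permissions OK" || echo "keytab is group/world readable"

# Constructed "klist -k" output. The first listing holds the SPN for the canonical host
# was01.example.com; the second holds only the SPN for the alias sso.example.com, the
# case in which the com.ibm.websphere.security.krb.canonical_host property is needed.
listing_canonical='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 HTTP/was01.example.com@EXAMPLE.COM'
listing_alias_only='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 HTTP/sso.example.com@EXAMPLE.COM'

for listing in "$listing_canonical" "$listing_alias_only"; do
    if printf '%s\n' "$listing" | listing_has_spn was01.example.com EXAMPLE.COM; then
        echo "SPN for canonical host present"
    else
        echo "SPN for canonical host missing: add it to the keytab or set canonical_host"
    fi
done
rm -rf "$work"
```

On a real server, replace the constructed listings with `klist -k "$keytab" | listing_has_spn "$(hostname -f)" EXAMPLE.COM`, substituting your realm; the host name passed must be the one the application server resolves for itself, not the alias that clients use.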



Related tasks
Using an alias host name for SPNEGO TAI or SPNEGO web authentication using the administrative console (deprecated)
Related reference
SPNEGO web authentication filter values
Kerberos authentication settings
com.ibm.websphere.security.krb.canonical_host custom property

Last updated: Feb 5, 2014 9:49:51 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=usec_kerb_SPNEGO_config
File name: usec_kerb_SPNEGO_config.html