Creating a single sign-on for HTTP requests using SPNEGO Web authentication

Creating single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Web authentication for WebSphere® Application Server requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate only once at their desktop and are authenticated automatically by WebSphere Application Server.

Before you begin

Note:

In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is deprecated. SPNEGO Web authentication replaces it and provides the following enhancements:

  • You can configure and enable SPNEGO Web authentication and filters on the WebSphere Application Server side by using the administrative console.
  • SPNEGO is reloaded dynamically, without the need to stop and restart WebSphere Application Server.
  • Fallback to an application login method is provided if the SPNEGO Web authentication fails.

You can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.

Read about Single sign-on for HTTP requests using SPNEGO Web authentication for a better understanding of what SPNEGO Web authentication is and how it is supported in this version of WebSphere Application Server.

Before starting this task, complete the following checklist:

About this task

The objective of this arrangement of machines is to let users access WebSphere Application Server resources without having to authenticate again, which provides Microsoft Windows desktop single sign-on.

Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
  • Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
  • A Microsoft Windows 2000 or Windows 2003 domain member (client application), such as a browser or Microsoft .NET client.
  • A server platform with WebSphere Application Server running.

Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO:

Procedure

  1. Domain Controller Machine - Configure the Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). This configuration activity has the following steps:
    • Create a user account for the WebSphere Application Server in a Microsoft Active Directory. This account will eventually be mapped to the Kerberos service principal name (SPN).
    • On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WebSphere Application Server as a Kerberos service to the KDC. Use the Microsoft setspn command to map the Kerberos service principal name to a Microsoft user account.
    • Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
      Note: You make the keytab file available to WebSphere Application Server by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WebSphere Application Server machine. Read about Creating a Kerberos service principal and keytab file for more information.
    Important: After you have configured your domain controller, the following results must hold:
    • A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.
    • A Kerberos keytab file (krb5.keytab) is created and made available to the WebSphere Application Server. The Kerberos keytab file contains the Kerberos service principal keys that WebSphere Application Server uses to authenticate the user against the Microsoft Active Directory and the Kerberos account. Read about Creating a Kerberos service principal and keytab file for more information.
  2. WebSphere Application Server Machine - Configure and enable the Application Server and SPNEGO using the administrative console. Read about Enabling and configuring SPNEGO Web authentication using the administrative console for more information.
  3. Client Application Machine - Configure the client application. Client-side applications are responsible for generating the SPNEGO token. You begin this configuration process by configuring your Web browser to use SPNEGO authentication. Read about Configuring the client browser to use SPNEGO for more information.
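Before enabling SPNEGO on the WebSphere side, it is worth confirming that the copied krb5.keytab actually holds a key for the expected HTTP/<host> service principal and that its key version number (kvno) matches the account in Active Directory. The following is an added example, not code from this IBM page or from WebSphere: it parses the standard 0x0502 keytab layout and lists principal, kvno and enctype without exposing key material. The SPN HTTP/was.example.com@EXAMPLE.COM and the key bytes in the sample are constructed.

```python
# Added example (not from the IBM page): parse a krb5.keytab in the common
# 0x0502 format and confirm it carries the HTTP/<host> SPN WebSphere needs.
import struct

def _counted(buf, off):  # read a 16-bit-length-prefixed byte string at off
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...]; key bytes are skipped, never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:                     # negative size = deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen
        if end - off >= 4:                # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def has_service_principal(data, spn):
    """True if the keytab holds a key for the exact principal string spn."""
    return any(p == spn for p, _, _ in parse_keytab(data))

def _entry(realm, comps, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: RC4-HMAC (23) and AES128 (17) keys for the WAS SPN; dummy key bytes.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(b"EXAMPLE.COM", [b"HTTP", b"was.example.com"], 3, 23, b"\x11" * 16)
                 + _entry(b"EXAMPLE.COM", [b"HTTP", b"was.example.com"], 3, 17, b"\x22" * 16))
```

Run `parse_keytab(open("krb5.keytab", "rb").read())` on the copied file and compare the kvno against the account's current value; a stale kvno after a password reset is a common reason the SPNEGO token cannot be validated.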




Last updated: Oct 20, 2010 7:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist&topic=tsec_SPNEGO_overview
File name: tsec_SPNEGO_overview.html