You must create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server. Configure the Microsoft® Windows® Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
Before you begin
For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server Version 8.0 on Windows.
Procedure
- Create a user account for the WebSphere® Application Server in a Microsoft Active Directory. This account is eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents the WebSphere Application Server as a Kerberos service to the KDC. Use the Microsoft setspn command to map the Kerberos service principal name to the Microsoft user account.
- Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
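The three steps above, carried through end to end as an added example (this script is not part of the IBM documentation). It assumes an elevated PowerShell session on the domain controller with the ActiveDirectory module, setspn.exe and ktpass.exe present, and a domain functional level that supports AES. The account name wassvc, NetBIOS domain EXAMPLE, realm EXAMPLE.COM, host was-host.example.com and output path are placeholders to replace with your own values.

```powershell
# Added example: create the WebSphere service account, map the HTTP SPN to it,
# and export the keytab on the domain controller. All names are placeholders.

Import-Module ActiveDirectory

$Account   = 'wassvc'                   # placeholder sAMAccountName for the WebSphere account
$Domain    = 'EXAMPLE'                  # placeholder NetBIOS domain name
$Realm     = 'EXAMPLE.COM'              # Kerberos realm = AD DNS domain, in upper case
$WasHost   = 'was-host.example.com'     # FQDN that browsers use to reach WebSphere
$Spn       = "HTTP/$WasHost"            # SPNEGO web authentication expects the HTTP service class
$KeytabOut = 'C:\keytabs\krb5.keytab'   # placeholder output path for the keytab

# Step 1: the user account that represents WebSphere to the KDC.
# The password is only used to derive the keytab key, so a long random value is fine.
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# Step 2: map the SPN to the account. -S checks for an existing duplicate SPN
# first; a duplicate would make the KDC issue tickets for the wrong key.
setspn -S $Spn "$Domain\$Account"
setspn -L $Account      # list the SPNs on the account to confirm the mapping

# Step 3: generate the keytab. /mapop set replaces any earlier mapping, and
# /pass * prompts for the password so it does not land in the shell history.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabOut) | Out-Null
ktpass /out $KeytabOut /princ "$Spn@$Realm" /mapuser "$Domain\$Account" `
       /mapop set /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

# The keytab is equivalent to the service account's password: restrict it to
# administrators before copying it to the WebSphere host over an encrypted channel.
icacls $KeytabOut /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F'
```

Two points worth checking before handing the file to WebSphere: the principal inside the keytab must match the SPN exactly, including case and realm, so compare the value you passed to /princ with the output of setspn -L; and ktpass resets the account password and increments its key version number (kvno), so any keytab produced earlier for the same account stops working and must be replaced on every WebSphere node that uses it.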
What to do next
Important: After you have configured your domain controller, the following results must occur:
- A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.
- A Kerberos keytab file (krb5.keytab) is created and made available to the WebSphere Application Server. The Kerberos keytab file contains the Kerberos service principal keys that WebSphere Application Server uses to authenticate the user in the Microsoft Active Directory and the Kerberos account.