Before you begin
Note: In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated in WebSphere Application Server Version 7.0. SPNEGO web authentication has taken its place to provide the following enhancements:
- You can configure and enable SPNEGO web authentication and filters on the WebSphere Application Server server side by using the administrative console.
- Dynamic reload of SPNEGO is provided without the need to stop and restart the WebSphere Application Server server.
- Fallback to an application login method is provided if the SPNEGO web authentication fails.
You can enable either SPNEGO TAI or SPNEGO Web Authentication, but not both.
Read about Single sign-on for HTTP requests using SPNEGO web authentication for a better understanding of what SPNEGO Web Authentication is and how it is supported in this version of WebSphere Application Server.
Before starting this task, complete the following checklist:
- The domain member has users who can log on to the domain. Specifically, you need to have a functioning Microsoft Windows® Active Directory domain that includes:
  - Domain controller
  - Client workstation
  - Users who can log on to the client workstation
- A server platform with WebSphere Application Server running and application security enabled.
- Users on the Active Directory must be able to access WebSphere Application Server protected resources using a native WebSphere Application Server authentication mechanism.
- The domain controller and the host of WebSphere Application Server should have the same local time.
- Ensure the clocks on clients, Microsoft Active Directory and WebSphere Application Server are synchronized to within five minutes.
- Be aware that client browsers must be SPNEGO enabled, which you perform on the client application machine (with details explained in procedure 4, "Configure the client application on the client application machine").
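The five-minute clock tolerance in the checklist is the Kerberos default, and a skewed WebSphere host is a common reason SPNEGO negotiation silently falls back to the application login. The following added script (not part of the IBM documentation) queries the domain controller over SNTP with only the Python standard library, computes the offset against the local clock, and reports whether it is inside the tolerance. The host name `dc.example.test` is a placeholder; the packet in the self-test is constructed.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300         # Kerberos default clock tolerance: five minutes


def build_request() -> bytes:
    # Leap=0, version=3, mode=3 (client) in the first byte; the rest is zero.
    return b"\x1b" + b"\x00" * 47


def parse_server_time(packet: bytes) -> float:
    """Return the server's transmit timestamp from a 48-byte SNTP reply as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[1] == 0:
        # Stratum 0 is a kiss-o'-death / unsynchronized source; do not trust its time.
        raise ValueError("time source reports stratum 0 (unsynchronized)")
    secs, frac = struct.unpack("!II", packet[40:48])   # transmit timestamp: seconds, fraction
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def skew_seconds(server_time: float, local_time: float) -> float:
    return abs(server_time - local_time)


def skew_within_tolerance(server_time: float, local_time: float,
                          tolerance: float = MAX_SKEW_SECONDS) -> bool:
    """True when the two clocks differ by at most `tolerance` seconds."""
    return skew_seconds(server_time, local_time) <= tolerance


def query_time(host: str, port: int = 123, timeout: float = 3.0) -> float:
    """Ask an NTP/SNTP server (e.g. the Active Directory domain controller) for its time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, port))
        data, _ = sock.recvfrom(48)
    return parse_server_time(data)


if __name__ == "__main__":
    kdc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.test"   # placeholder host
    remote = query_time(kdc)
    skew = skew_seconds(remote, time.time())
    status = "OK" if skew <= MAX_SKEW_SECONDS else "TOO LARGE for Kerberos"
    print(f"clock skew against {kdc}: {skew:.3f} s ({status})")
```

Run it on the WebSphere host against the domain controller; a skew above 300 s means the SPNEGO ticket will be rejected before any WebSphere configuration is consulted.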
About this task
The objective of this machine arrangement is to permit users to successfully access WebSphere Application Server resources without having to authenticate again, and thus achieve Microsoft Windows desktop single sign-on capability.
Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
- A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WebSphere Application Server running.
Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication: