Creating a single sign-on for HTTP requests using SPNEGO Web authentication

Creating single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server requires several distinct but related tasks. When these tasks are complete, HTTP users log in and authenticate to the Microsoft® domain controller only once, at their desktop, and are then authenticated automatically by WebSphere Application Server.

Before you begin

Note:

In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated in WebSphere Application Server Version 7.0. SPNEGO web authentication has taken its place to provide the following enhancements:

  • You can configure and enable SPNEGO web authentication and filters on the WebSphere Application Server side by using the administrative console.
  • SPNEGO can be reloaded dynamically, without the need to stop and restart WebSphere Application Server.
  • Fallback to an application login method is provided if the SPNEGO web authentication fails.

You can enable either SPNEGO TAI or SPNEGO web authentication, but not both.

Read about Single sign-on for HTTP requests using SPNEGO web authentication for a better understanding of what SPNEGO Web Authentication is and how it is supported in this version of WebSphere Application Server.

Before starting this task, complete the following checklist:

About this task

The objective of this machine arrangement is to permit users to successfully access WebSphere Application Server resources without having to authenticate again and thus achieve Microsoft Windows desktop single sign-on capability.

Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:

Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication:

Procedure

  1. Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
  2. Create a Kerberos configuration file
  3. Configure and enable SPNEGO web authentication using the administrative console on your WebSphere Application Server machine
  4. Configure the client application on the client application machine
  5. Create SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests (optional)





Last updated: Jan 30, 2014 9:11:38 AM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-iseries&topic=tsec_SPNEGO_overview
File name: tsec_SPNEGO_overview.html