Creating a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine

You must create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server. Configure the Microsoft® Windows® Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).

Before you begin

For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server Version 8.0 on Windows.

Procedure

  1. Create a user account for WebSphere® Application Server in Microsoft Active Directory. This account is later mapped to the Kerberos service principal name (SPN).
  2. On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account identifies WebSphere Application Server to the KDC as a Kerberos service. Use the Microsoft setspn command to map the Kerberos service principal name to the Microsoft user account.
  3. Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
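
The three steps above as one PowerShell session on the domain controller. This is an added example, not part of the IBM documentation; the account name, host name, realm and keytab path are constructed placeholders, and the AES256 encryption type and the file permissions are assumptions rather than requirements stated on this page.

```powershell
# Added example. Every value in this block is a constructed placeholder.
$Account  = 'was-spnego-svc'        # hypothetical service account name
$HostFqdn = 'was01.example.com'     # hypothetical host name that browsers use to reach WebSphere
$Realm    = 'EXAMPLE.COM'           # Kerberos realm (the AD domain name in upper case)
$Spn      = "HTTP/$HostFqdn"        # SPNEGO web authentication uses the HTTP service class
$Keytab   = 'C:\keytabs\krb5.keytab'

# Step 1: create the user account that will represent WebSphere Application Server.
Import-Module ActiveDirectory
$pw = Read-Host -AsSecureString "Initial password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256   # assumption: AES256 only, no DES or RC4

# Step 2: map the SPN to the account.
# -S searches for an existing registration first and refuses to add a duplicate;
# an SPN registered on two accounts makes ticket requests for that service fail.
setspn -S $Spn $Account
setspn -L $Account                   # check: the HTTP/<host> SPN is listed for the account

# Step 3: create the keytab with ktpass.
# "-pass *" prompts for the password so that it does not end up in command history.
ktpass -out $Keytab `
    -princ "${Spn}@${Realm}" `
    -mapuser $Account -mapOp set `
    -pass * `
    -ptype KRB5_NT_PRINCIPAL `
    -crypto AES256-SHA1

# The keytab holds the account's long-term key: anyone who can read it can act as
# the service. Remove inherited ACLs and grant access to administrators only before
# copying it to the WebSphere host over a protected channel.
icacls $Keytab /inheritance:r /grant:r 'BUILTIN\Administrators:F'
```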

What to do next

Important: After you have configured your domain controller, the following results must occur:
  • A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.




Last updated: Sep 19, 2011 3:08:41 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-zos&topic=tsec_SPNEGO_adm
File name: tsec_SPNEGO_adm.html