Creating single sign-on for HTTP requests with the Simple and Protected
GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI)
for WebSphere® Application Server requires several distinct but related
tasks. When they are complete, HTTP users log in and authenticate only once,
at their desktop, and are then authenticated automatically by WebSphere
Application Server.
Before you begin
Deprecated feature: In WebSphere Application
Server Version 6.1, a trust association interceptor (TAI) that uses
the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to
securely negotiate and authenticate HTTP requests for secured resources
was introduced. In WebSphere Application Server
7.0, this function is now deprecated. SPNEGO web authentication has
taken its place to provide dynamic reload of the SPNEGO filters and
to enable fallback to the application login method.
Before
starting this task, complete the following checklist:
- The domain member has users who can log on to the domain.
Specifically, you need to have a functioning Microsoft Windows active directory domain that includes:
- Domain controller
- Client workstation
- Users who can log in to the client workstation
- A server platform with WebSphere Application Server
running and application security enabled.
- Users on the active directory must be able to access WebSphere Application Server protected
resources using a native WebSphere Application Server
authentication mechanism.
- The domain controller and the host of WebSphere Application
Server should have the same local time.
- Ensure that the clocks on the clients, Microsoft Active
Directory and WebSphere Application Server are synchronized
to within five minutes.
- Client browsers must be SPNEGO enabled; you do this on the client
application machine (step 2 of this task explains the details).
About this task
The objective of this machine arrangement is to permit
users to successfully access WebSphere Application Server
resources without having to reauthenticate and thus achieve Microsoft Windows desktop
single sign-on capability.
Configuring the members of this environment
to establish Microsoft Windows single
sign-on involves specific activities that are performed on three distinct
machines:
- Microsoft Windows Server
running the Active Directory Domain Controller and associated Kerberos
Key Distribution Center (KDC)
- A Microsoft Windows domain
member (client application), such as a browser or Microsoft .NET
client.
- A server platform with WebSphere Application Server
running.
Perform the following steps on the indicated machines
to create single sign-on for HTTP requests using SPNEGO