Creating a single sign-on for HTTP requests using SPNEGO Web authentication

Creating single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate to the Microsoft domain controller only once, at their desktop, and are then authenticated automatically by WebSphere Application Server.

Before you begin

Note: WebSphere Application Server Version 6.1 introduced a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources. That function was deprecated in WebSphere Application Server Version 7.0 and replaced by SPNEGO web authentication, which provides the following enhancements:

  • You can configure and enable SPNEGO web authentication and its filters on the WebSphere Application Server side by using the administrative console.
  • SPNEGO can be reloaded dynamically without stopping and restarting WebSphere Application Server.
  • If SPNEGO web authentication fails, the request falls back to an application login method.

You can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.

Read about Single sign-on for HTTP requests using SPNEGO web authentication for a better understanding of what SPNEGO Web Authentication is and how it is supported in this version of WebSphere Application Server.

Before starting this task, complete the following checklist:

About this task

The objective of this machine arrangement is to permit users to successfully access WebSphere Application Server resources without having to authenticate again and thus achieve Microsoft Windows desktop single sign-on capability.

Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
  • A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
  • A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
  • A server platform with WebSphere Application Server running.

Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication:

Procedure

  1. Create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine
  2. Create a Kerberos configuration file
  3. Configure and enable SPNEGO web authentication using the administrative console on your WebSphere Application Server machine
  4. Configure the client application on the client application machine
  5. Create SPNEGO tokens for J2EE, .NET, Java, and web service clients for HTTP requests (optional)
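The token that step 5 produces (or that a correctly configured browser from step 4 sends on its own) arrives in the HTTP `Authorization: Negotiate` header. When a client cannot obtain a Kerberos ticket for the HTTP/<host> SPN from step 1, Windows clients commonly send an NTLM token under the same `Negotiate` scheme instead; SPNEGO web authentication cannot use that token, so the request lands in the fallback login. The helper below, an added example that is not part of IBM's documentation or of WebSphere Application Server, classifies a header value so that this misconfiguration is visible in a request trace; the sample headers are constructed, and the mechanism OIDs are the standard SPNEGO and Kerberos V5 identifiers.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # SPNEGO mechanism: what a correctly configured browser sends
KRB5_OID = "1.2.840.113554.1.2.2"    # raw Kerberos V5 mechanism token
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # NTLM message header: the browser fell back to NTLM

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                 # short form
        return first, pos + 1
    n = first & 0x7F                 # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate_token(header_value):
    """Return 'spnego', 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    try:                             # GSS-API InitialContextToken: [APPLICATION 0] { mech OID, ... }
        if token[0] != 0x60:
            return "unknown"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
        mech = _decode_oid(token[pos:pos + oid_len])
    except IndexError:               # empty, truncated or malformed token
        return "unknown"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(mech, "unknown")

# Constructed sample headers (not captured traffic); inner tokens are omitted because
# only the leading mechanism OID or NTLMSSP signature is inspected.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)).decode()
```

An `ntlm` result on a request that should have been single signed-on usually means the browser did not get a service ticket, so check the SPN, the keytab, and that the URL host name matches the SPN before looking at the WebSphere side.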
Last updated: April 18, 2014 05:01 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-iseries&topic=tsec_SPNEGO_overview
File name: tsec_SPNEGO_overview.html