Configure Kerberos and SPNEGO

Configure SPNEGO Web Authentication on IBM WebSphere Application Server (WAS) V7.0.


Before you begin


The connectionsAdmin J2C alias that you specified during installation must map to a back-end administrative user account that can authenticate with Active Directory for single sign-on. If you update the user ID or credentials for this alias, complete the steps in the Change references to administrative credentials topic.

Your WAS administrative account must also be a valid account that can authenticate with Active Directory. An account that exists only in the WebSphere internal file repository cannot check out configuration documents, nor can it connect to any of the LC MBeans to execute commands.
Tip: For best practices for service principal names and SPNEGO configuration, including multitier environments, see Tips on using Kerberos service principal names. For more information about setting up SPNEGO web authentication for WAS, see WebSphere with a side of SPNEGO.


About this task


To configure Kerberos and SPNEGO on IBM WAS...


Procedure

Note: The Kerberos configuration and keytab files must be accessible to the deployment manager (dmgr) and to every node, and the dmgr and the nodes must use the same path to them on their respective systems. As an alternative, store the files in a shared folder on the network.
3.  Select Trim Kerberos realm from principal name if it is not already selected.
4.  Select Enable delegation of Kerberos credentials if it is not already selected. With delegation enabled, the server can obtain a forwardable credential for the authenticated user and present it to back-end services on the user's behalf.
5.  Click OK and then click Save.
6. In the Authentication area, click LTPA if it is not already selected. 
7. Click Kerberos configuration and in the Related Configuration area, click SPNEGO Web authentication.
Note: SPNEGO Web authentication and Kerberos authentication use the same Kerberos client configuration and keytab files.
8. Specify the SPNEGO filter:

9. On the SPNEGO Web authentication page...

    a. Select Dynamically update SPNEGO.
    b. Select Enable SPNEGO.
    c. Select Allow fall back to application authentication mechanism. With this option, a client that does not send a valid SPNEGO token (see Create a redirect page for users without SPNEGO support) is offered the application's own login method instead of being rejected.
    d. Enter the path to the Kerberos configuration file in the Kerberos configuration file with full path field. You created this file in the Create a service principal name and keytab file topic.
    e. Enter the path to the Kerberos keytab file in the Kerberos keytab file name with full path field. You created this file in the Create a service principal name and keytab file topic.
    f. Click Apply.

10. Specify the level of authentication that users must perform to access your IBM Connections deployment. You can force users to always authenticate, or allow anonymous access to Blogs, Bookmarks, Communities, Files, Profiles and Wikis; anonymous users must log in only when they open a private area.

  • Force users to log in to access IBM Connections:

      a. Select Applications -> Application Types -> WebSphere enterprise applications.
      b. Click the link to the first IBM Connections application in the Enterprise Applications table.
      c. In the Detail Properties area, click Security role to user/group mapping.
      d. Select the reader role, then click Map Special Subjects and select All Authenticated in Application's Realm.
      e. Click OK and then click Save.
      f. Repeat steps b-e for the remaining IBM Connections applications in the Enterprise Applications table.

  • Allow anonymous access to IBM Connections:

      a. Select Applications -> Application Types -> WebSphere enterprise applications.
      b. Click the link to the first IBM Connections application in the Enterprise Applications table.
      c. In the Detail Properties area, click Security role to user/group mapping.
      d. Select the reader role, then click Map Special Subjects and select Everyone. Mapping Everyone to the reader role lets unauthenticated users reach the resources behind that role, and WAS treats those URIs as unprotected.
      e. Click OK and then click Save.
      f. Repeat steps b-e for the remaining IBM Connections applications in the Enterprise Applications table.

11. Disable TAI authentication for unprotected URIs. This custom property controls whether WAS invokes trust association interceptors (TAIs) for URIs that no security constraint protects; setting it to false stops WAS from doing so.
a. Select Security -> Global security -> Custom properties -> New.
b. Enter the following name and value pair:
   Name: com.ibm.websphere.security.performTAIForUnprotectedURI
   Value: false
c. Click OK and then click Save.

12. Synchronize all the nodes in your deployment.
13. Stop and restart WAS:
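Steps 9d and 9e point WAS at a Kerberos configuration file and a keytab. If the two disagree (wrong realm, or no HTTP/<host> entry in the keytab for the host name that users type in the browser), SPNEGO fails and clients simply fall back to the application login, which is hard to diagnose from the console. The following pre-flight check is an added example, not code from this topic or from IBM: it parses a krb5.conf and a keytab in the common version-2 keytab format (magic 0x0502) and confirms that the keytab holds the HTTP/<host>@<REALM> service principal in the realm that krb5.conf declares as default_realm. The realm EXAMPLE.COM, the KDC dc1.example.com, the host connections.example.com, and both input files are constructed for the example; the keytab builder exists only to produce that sample input.

```python
"""Pre-flight check for the Kerberos configuration file and keytab that
SPNEGO Web authentication is pointed at. Added example, not IBM code.
All inputs below are constructed so the script runs offline."""
import struct
from dataclasses import dataclass

# Constructed sample krb5.conf (hypothetical realm and KDC).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'NAME = { ... }' sub-block becomes a
    nested dict under its section. Not a full krb5.conf parser, but enough here."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif section is None:
            continue                                  # key outside any section
        elif line.endswith('{'):
            block = section.setdefault(line[:-1].strip(' ='), {})
        elif line == '}':
            block = None
        else:
            key, _, value = line.partition('=')
            (block if block is not None else section)[key.strip()] = value.strip()
    return sections


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/connections.example.com
    realm: str       # e.g. EXAMPLE.COM
    kvno: int        # key version number; must match the AD account's kvno
    enctype: int     # 23 = rc4-hmac, 17 = aes128-cts-hmac-sha1-96, 18 = aes256


def parse_keytab(data):
    """Parse keytab v2 (0x0502) bytes into KeytabEntry records; keys are skipped."""
    if data[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version %r' % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                                  # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from('>HH', data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):                        # name components, each length-prefixed
            (clen,) = struct.unpack_from('>H', data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from('>IIB', data, pos)
        pos += 9
        enctype, klen = struct.unpack_from('>HH', data, pos)
        pos += 4 + klen                               # skip the key material
        kvno = vno8
        if end - pos >= 4:                            # optional 32-bit kvno wins if nonzero
            (vno32,) = struct.unpack_from('>I', data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry('/'.join(comps), realm, kvno, enctype))
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as keytab v2. Used only
    to construct the sample input; a real keytab comes from ktpass or ktutil."""
    out = bytearray(b'\x05\x02')
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition('@')
        comps = name.split('/')
        body = bytearray(struct.pack('>HH', len(comps), len(realm)) + realm.encode())
        for c in comps:
            body += struct.pack('>H', len(c)) + c.encode()
        body += struct.pack('>IIB', 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack('>HH', enctype, len(key)) + key
        body += struct.pack('>I', kvno)
        out += struct.pack('>i', len(body)) + body
    return bytes(out)


# Constructed sample keytab: the wanted SPN with two enctypes plus a stale host.
SAMPLE_KEYTAB = build_keytab([
    ('HTTP/connections.example.com@EXAMPLE.COM', 3, 23, b'\x11' * 16),
    ('HTTP/connections.example.com@EXAMPLE.COM', 3, 17, b'\x22' * 16),
    ('HTTP/old-host.example.com@EXAMPLE.COM', 1, 23, b'\x33' * 16),
])


def check_spnego_prereqs(conf_text, keytab_bytes, host):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    conf = parse_krb5_conf(conf_text)
    realm = conf.get('libdefaults', {}).get('default_realm')
    if not realm:
        problems.append('krb5.conf has no default_realm')
    elif 'kdc' not in conf.get('realms', {}).get(realm, {}):
        problems.append('krb5.conf names no kdc for realm %s' % realm)
    wanted = 'HTTP/%s' % host                         # browsers build the SPN from the URL host
    matches = [e for e in parse_keytab(keytab_bytes) if e.principal == wanted]
    if not matches:
        problems.append('keytab has no %s entry' % wanted)
    elif realm and any(e.realm != realm for e in matches):
        problems.append('keytab realm for %s differs from default_realm %s' % (wanted, realm))
    return problems
```

To run it against a real deployment, pass the contents of the file from step 9d, the bytes of the keytab from step 9e, and the fully qualified host name that users type in the browser: `check_spnego_prereqs(open(conf_path).read(), open(keytab_path, 'rb').read(), 'connections.example.com')`. Run it on each node, since step 12 only synchronizes the configuration, not files that live outside the cell's configuration repository.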


Parent topic

Enable single sign-on for the Windows desktop
Previous topic: Create a redirect page for users without SPNEGO support
Next topic: Configure the backend authenticator

Related tasks
Enable the AJAX proxy to forward user credentials
Create a service principal name and keytab file
Change references to administrative credentials
Enable single sign-on for Tivoli Access Manager with SPNEGO
Starting the wsadmin client
Change common configuration property values
 
 
Related reference
Create a Kerberos configuration file

September 6, 2011 6:34:16 AM