Configure Kerberos and SPNEGO
Configure SPNEGO Web Authentication on IBM WAS V7.0.
Before starting
The connectionsAdmin J2C alias that you specified during installation must correspond to a valid account that can authenticate with Active Directory. The alias must map to a back-end administrative user account that can authenticate for single sign-on with Active Directory. If you update the user ID or credentials for this alias, complete the steps in the Change references to administrative credentials topic. Your WAS administrative account must also be a valid account that can authenticate with Active Directory: user accounts that exist only in the WebSphere internal file repository cannot check out configuration documents, nor can they connect to any of the LC MBeans to run commands.
Tip: For information about best practices for Service Principal Names and SPNEGO configuration, go to Tips on using Kerberos service principal names. That article also provides tips for multitier environments. For more information about setting up SPNEGO web authentication for WAS, go to WebSphere with a side of SPNEGO.
About this task
To configure Kerberos and SPNEGO on IBM WAS...
Procedure
1. Log into the WAS admin console and select Security -> Global Security.
2. In the Authentication area, click Kerberos configuration and then enter the following details:
Kerberos service name
HTTP
Kerberos configuration file
Full path to your Kerberos configuration file
Kerberos keytab file name
Full path to your keytab file
Kerberos realm name
Name of your Kerberos realm
Note: The paths to the configuration and keytab files must be accessible to the deployment manager (dmgr) and to all nodes, and the dmgr and nodes must use the same paths on their respective systems. As an alternative, store these files in a shared folder on the network.
3. Select Trim Kerberos realm from principal name if it is not already selected.
4. Select Enable delegation of Kerberos credentials if it is not already selected.
5. Click OK and then click Save.
6. In the Authentication area, click LTPA if it is not already selected.
7. Click Kerberos configuration and in the Related Configuration area, click SPNEGO Web authentication.
Note: SPNEGO Web authentication and Kerberos authentication use the same Kerberos client configuration and keytab files.
8. Specify the SPNEGO filter:
a. In the SPNEGO Filters area, click New and enter the following details:
Host name
Enter the host name of the Service Principal Name
Kerberos realm name
Enter your Kerberos realm name
Filter criteria
request-url!=noSPNEGO;request-url!=/mobile;request-url!=/nav;request-url!=/bundles/js;request-url!=/static
Filter class
Leave this field blank to allow the system to use the default filter class (com.ibm.ws.security.spnego.HTTPHeaderFilter).
SPNEGO not supported error page URL
Enter the URL to the redirect page that you created. For example: http://<webserver>/NoSpnegoRedirect.html or file:///C:/IBM/HTTPServer/htdocs/NoSpnegoRedirect.html,
where <webserver> is the host name of your web server (for example, your IBM HTTP Server) and NoSpnegoRedirect.html is the name of the redirect page.
NTLM token received error page URL
Enter the URL to the redirect page that you created. For example: http://<webserver>/NoSpnegoRedirect.html or file:///C:/IBM/HTTPServer/htdocs/NoSpnegoRedirect.html.
b. Select Trim Kerberos realm from principal name.
c. Select Enable delegation of Kerberos credentials.
d. Click OK and then click Save.
9. On the SPNEGO Web authentication page...
a. Select Dynamically update SPNEGO.
b. Select Enable SPNEGO.
c. Select Allow fall back to application authentication mechanism.
d. Enter the path to the Kerberos configuration file in the Kerberos configuration file with full path field. You created this file in the Create a service principal name and keytab file topic.
e. Enter the path to the Kerberos keytab file in the Kerberos keytab file name with full path field. You created this file in the Create a service principal name and keytab file topic.
f. Click Apply.
10. Specify the level of authentication that users must perform to access your IBM Connections deployment. You can either force users to always authenticate, or allow users to access Blogs, Bookmarks, Communities, Files, Profiles, and Wikis anonymously; anonymous users then need to log in only when they access a private area.
- Force users to log in to access IBM Connections:
a. Select Applications -> Application Types -> WebSphere enterprise applications.
b. Click the link to the first IBM Connections application in the Enterprise Applications table.
c. In the Detail Properties area, click Security role to user/group mapping.
d. Select the reader role, then click Map Special Subjects and select All Authenticated in Application's Realm.
e. Click OK and then click Save.
f. Repeat steps b-e for the remaining IBM Connections applications in the Enterprise Applications table.
- Allow anonymous access to IBM Connections:
a. Select Applications -> Application Types -> WebSphere enterprise applications.
b. Click the link to the first IBM Connections application in the Enterprise Applications table.
c. In the Detail Properties area, click Security role to user/group mapping.
d. Select the reader role, then click Map Special Subjects and select Everyone.
e. Click OK and then click Save.
f. Repeat steps b-e for the remaining IBM Connections applications in the Enterprise Applications table.
11. Disable TAI authentication:
a. Select Security -> Global security -> Custom properties -> New.
b. Enter the following name and value pair:
Name
com.ibm.websphere.security.performTAIForUnprotectedURI
Value
false
c. Click OK and then click Save.
12. Synchronize all the nodes in your deployment.
13. Stop and restart WAS:
a. Stop all instances of WAS that host your IBM Connections applications.
b. Stop all node agents.
c. Restart the dmgr.
d. Restart all the node agents.
e. Restart all instances of WAS.
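The filter criteria entered in step 8 decide which requests the SPNEGO web authentication even attempts, and the property set in step 11 stops the TAI from running on unprotected URIs. The following script is an added example, not code from the page or from IBM: it parses the filter string from step 8 and reports, for a few constructed request URLs, which ones would be handed to SPNEGO and which fall through to the application's own login. The operator semantics it implements (a "request-url!=X" condition holds when the URL does not contain X; "%=" means contains; "==" means exact match) are my reading of the default HTTPHeaderFilter behaviour and should be confirmed against your WAS version before you rely on them.

```python
"""Evaluate a WebSphere SPNEGO filter-criteria string against request URLs.

Added example for this page; it is not IBM code and does not talk to WAS.
It models the 'request-url' conditions of the default filter class
(com.ibm.ws.security.spnego.HTTPHeaderFilter) under these ASSUMED rules:
  - conditions are separated by ';' and ALL must hold for SPNEGO to run;
  - 'request-url!=X'  holds when the request URL does not CONTAIN X;
  - 'request-url%=X'  holds when the request URL contains X;
  - 'request-url==X'  holds when the request URL equals X exactly.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Filter string from step 8 of the procedure.
FILTER_CRITERIA = (
    "request-url!=noSPNEGO;request-url!=/mobile;request-url!=/nav;"
    "request-url!=/bundles/js;request-url!=/static"
)

_COND_RE = re.compile(r"^(?P<header>[A-Za-z0-9_-]+)(?P<op>==|!=|%=)(?P<value>.+)$")


@dataclass(frozen=True)
class Condition:
    header: str   # HTTP header name, or the pseudo-header 'request-url'
    op: str       # '==', '!=' or '%='
    value: str


def parse_filter(criteria: str) -> list:
    """Split a ';'-separated filter string into conditions; reject malformed ones."""
    conditions = []
    for raw in criteria.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        match = _COND_RE.match(raw)
        if match is None:
            raise ValueError(f"malformed filter condition: {raw!r}")
        conditions.append(Condition(match["header"].lower(), match["op"], match["value"]))
    return conditions


def condition_holds(cond: Condition, actual: Optional[str]) -> bool:
    """Apply one condition to the actual header value (None = header absent)."""
    if actual is None:
        return False                      # a missing header never satisfies a condition
    if cond.op == "==":
        return actual == cond.value
    if cond.op == "%=":
        return cond.value in actual
    if cond.op == "!=":
        return cond.value not in actual   # assumed 'does not contain' semantics
    raise ValueError(f"unsupported operator {cond.op!r}")


def failing_conditions(conditions: list, headers: dict) -> list:
    """Return the conditions that exclude this request from SPNEGO (empty = SPNEGO runs)."""
    return [c for c in conditions if not condition_holds(c, headers.get(c.header))]


def classify(criteria: str, urls: list) -> dict:
    """Map each request URL to True (SPNEGO attempted) or False (excluded by a
    filter condition, so the request falls through to the application's own login)."""
    conditions = parse_filter(criteria)
    return {url: not failing_conditions(conditions, {"request-url": url}) for url in urls}


# Constructed sample request lines, chosen to show the substring matching.
SAMPLE_URLS = [
    "/activities/service/html/mainpage",   # ordinary page: SPNEGO runs
    "/files/app/noSPNEGO/login",           # explicit opt-out marker: excluded
    "/mobile/home",                        # excluded by '/mobile'
    "/navigator/overview",                 # ALSO excluded: '/nav' is a substring of it
    "/wikis/home?nav=true",                # not excluded: 'nav' without the slash
]

if __name__ == "__main__":
    for url, uses_spnego in classify(FILTER_CRITERIA, SAMPLE_URLS).items():
        print(f"{url:38} -> {'SPNEGO' if uses_spnego else 'application login'}")
```

The "/navigator/overview" case is the one to watch when you audit a filter: each "!=" exclusion is a substring test, so "/nav" removes every URL containing that fragment from SPNEGO, not just the navigation bundle. Excluded requests are not served unauthenticated; they receive the application's normal login challenge, and with the reader role mapped to Everyone (the anonymous-access choice in step 10) they are served as anonymous until the user reaches a private area.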
Related tasks
Enable the AJAX proxy to forward user credentials
Create a service principal name and keytab file
Change references to administrative credentials
Enable single sign-on for Tivoli Access Manager with SPNEGO
Starting the wsadmin client
Change common configuration property values
Related reference
Create a Kerberos configuration file