Enable single sign-on for Tivoli Access Manager with SPNEGO 

Configure IBM Connections to use single sign-on with IBM Tivoli Access Manager and SPNEGO.

Before you begin

About this task

Single sign-on (SSO) enables users to log in to an IBM Connections application and switch to other applications within the product without having to authenticate again.

There are several different ways to configure SSO. This procedure describes an approach that uses the Kerberos authentication protocol. This authentication method allows Tivoli Access Manager and users web browsers to prove their identities to one another in a secure manner. After users sign in to their Active Directory Windows client systems, they are automatically signed into both Tivoli Access Manager and IBM Connections.

To set up SSO using Tivoli Access Manager with SPNEGO...


  1. Create a user account for WebSEAL in your Active Directory domain. When creating the user account, ensure that you specify the following options:

    • The user cannot change the password

    • The password never expires

      For example, if you create an account for A User, where the Active Directory domain is tamspnego.example.com, the user identity is auser@tamspnego.example.com.

  2. Map a Kerberos principal to an Active Directory user. Map the service principal name to the account that you created in Step 1 by running the ktpass command on the domain controller. Use the Tivoli Access Manager server through which users access IBM Connections as the instance in the service principal name.

    1. Run the following ktpass command:

        ktpass –princ <SPN> -mapuser <account_name> -mapOp set –pass <account_password>


        • <SPN> is the Kerberos service principal name. The host name specified in the <SPN> should match the host name of the WebSEAL server. For example, if users contact the WebSEAL server at diamond.subnet2.example.com and the WebSEAL server is part of the EXAMPLE.COM Active Directory domain, the Kerberos principal name is HTTP/diamond.subnet2.example.com@EXAMPLE.COM.

        • <account_name> is the account name that you specified in Step 1.

        • <account_password> is the password associated with the account that you specified in Step 1.

    2. Modify the Windows service for the WebSEAL instance so that it starts using the new user account that you just created. On the WebSEAL server...

      1. Click Start -> Programs -> Administrative Tools -> Services.

      2. Right-click on Access Manager WebSEAL-default and select Properties.

      3. Click Log On and then click This account.

      4. Enter the details of the user account and password that you created in Step 1.

      5. Click OK to save your changes.

    3. Grant administrator privileges for the local system to the account that you created in step 1.

  3. Enable SPNEGO for WebSEAL:

    1. Stop the WebSEAL server.

    2. Enable SPNEGO over SSL by adding the following lines to the WebSEAL configuration file:

        spnego-auth = https
        kerberosv5 = fully_qualified_path to the authentication library
        For example: kerberosv5 = <TDI_root>\bin\stliauthn.dll
        where <TDI_root> is the installation directory of Tivoli Access Manager.

  4. Restart WebSEAL from the Services Control Panel. On Windows, WebSEAL must be running as a service for SPNEGO authentication to work properly. Otherwise, it runs using the credentials of the logged in user.

  5. Configure the web browser on the user system. For more information, see the Configure web browsers to support Kerberos topic.

  6. Configure form based authentication with transparent junctions. Complete all the steps in the Enable single sign-on for Tivoli Access Manager topic except the step that describes how to set the customAuthenticator to TAMAuthenticator and the step about updating interService URLs.

      You need to use the Kerberos customAuthenticator and the IBM HTTP Server URLs in this configuration.

      Note: This step enables a fall back authentication method for user systems that do not support SPNEGO. This alternative is important for users of Lotus Notes , mobile devices, and other extensions for IBM Connections.


After users sign in to the Windows desktop, they are automatically signed into IBM Connections.

Note: If you are using on-ramp plug-ins or mobile services, your data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through J2EE form-based authentication.

What to do next

For more information about Kerberos and SPNEGO, go to the SPNEGO protocol and Kerberos authentication page in the Tivoli Access Manager 6.1 information center.

Parent topic

Configure single sign-on

Related tasks

Create a service principal name and keytab file
Configure Kerberos and SPNEGO
Configure the backend authenticator
Configure SPNEGO on IBM HTTP Server
Configure web browsers to support Kerberos
Enable single sign-on for Tivoli Access Manager

August 20, 2011


Aug 20, 2011 1:56:41 PM Changed "Configuring Kerberos on IBM Connections" to "Configuring the ... 1