Enable single sign-on for the Windows desktop 

Configure IBM Connections to use the Kerberos authentication mechanism. This single sign-on configuration permits users to sign in to the Windows desktop and then automatically authenticate with IBM Connections without needing to sign in again.


Before you begin


Install IBM Connections on a system that uses Microsoft Active Directory as the LDAP directory.

Install the following WAS interim fixes:

Note 1: This iFix is already included in WAS version 7.0.0.13, and therefore also included in 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.
Note 2: This iFix is already included in WAS version 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.Note 3: This iFix is valid for WAS version 7.0.0.11.  If you already are on level 7.0.0.15, there is no need to install this iFix.

Verify that IBM Connections works as expected without the Kerberos authentication protocol.

Install Kerberos. For more information, go to the Kerberos (KRB5) authentication mechanism support for security.

Note: If you are using on-ramp plug-ins or mobile services, your data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through J2EE form-based authentication.

Create a user account in the LDAP directory and add it to the WAS administrators group.


About this task


The Kerberos authentication protocol uses strong cryptography which enables a client to prove its identity to a server across an insecure network connection. After the client and server have proven their identity, the authentication protocol encrypts all data that the client and server exchange. Kerberos uses the SPNEGO mechanism to negotiate the security authentication.

To configure IBM Connections to use the Kerberos authentication protocol, complete the following tasks:


Parent topic

Configure single sign-on

Related reference
IBM Connections system requirements


December 2, 2011 10:01:55 AM
   

 

Dec 2, 2011 10:01:55 AM Clarified Note 3 - if you already use v7.0.0.15, no need to install th... 7 Oct 14, 2011 6:19:50 AM 6 Sep 6, 2011 9:48:27 AM Changed from using asterix to "note 1, 2 and 3" 5 Sep 6, 2011 9:45:57 AM 4 Sep 6, 2011 9:44:53 AM Added asterix in the iFix description. If you already are on 7.0.0.15,... 3 Aug 20, 2011 1:52:06 PM Changed "Configuring Kerberos on IBM Connections" to "Configuring the ... 2 Aug 5, 2011 12:18:46 PM 1 Submitted by Robert Farstad on Sep 6, 2011 9:50:40 AM

Re: Enabling single sign-on for the Windows desktop

Wiki updated with this info :-)

Submitted by Robert Farstad on Sep 6, 2011 9:29:55 AM

Re: Enabling single sign-on for the Windows desktop

Shall I update the Wiki with this information?

Submitted by Robert Farstad on Sep 6, 2011 9:21:38 AM

Re: Enabling single sign-on for the Windows desktop

After having installed WAS 7.0 Fixpack 15, do all of the above mentioned interim fixes still apply?

When running updateinstaller, I can only install the PM30108 and can't select the two others.

PM19604 - Seems to apply only for WAS 7.0.0.11?

PM21308 - Seems to apply only for WAS 7.0.0.5?

PM30108 - This works in 7.0.0.15, event though it is released for 7.0.0.11

Does that mean that the PM19604 and the PM21308 is already included in Fixpack 15?

While typing that last sentence, I checked this:

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27014463

PM19604 is included in FP13 and PM21308 is included in FP15. Great news!

PM30108 is included in FP17, but this is not currently supported for Connection 3.0.1...

So then I guess I'll only install the PM30108 :-)

Isn't it great when people ask questions and answer them themselves?

});