Enable single sign-on for the Windows desktop
Configure IBM Connections to use the Kerberos authentication mechanism. This single sign-on configuration permits users to sign in to the Windows desktop and then automatically authenticate with IBM Connections without needing to sign in again.
Before you begin
Install IBM Connections on a system that uses Microsoft Active Directory as the LDAP directory.
Install the following WAS interim fixes:
- PM19604. "SPNEGO web authentication always interacts with the SPNEGO interceptor even though URLs are not protected." See note 1
- PM21308. "CWSIT0034E and CWSIT0110E caused by SECJ9314E exception in Service Integration Bus." See note 2
- PM30108. "Cannot forward. Response already committed on SPNEGO system." See note 3
Note 1: This iFix is already included in WAS version 7.0.0.13, and therefore also included in 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.
Note 2: This iFix is already included in WAS version 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.
Note 3: This iFix is valid for WAS version 7.0.0.11. If you already are on level 7.0.0.15, there is no need to install this iFix.
Verify that IBM Connections works as expected without the Kerberos authentication protocol.
Install Kerberos. For more information, go to the Kerberos (KRB5) authentication mechanism support for security.
Note: If you are using on-ramp plug-ins or mobile services, your data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through J2EE form-based authentication.
Create a user account in the LDAP directory and add it to the WAS administrators group.
About this task
The Kerberos authentication protocol uses strong cryptography which enables a client to prove its identity to a server across an insecure network connection. After the client and server have proven their identity, the authentication protocol encrypts all data that the client and server exchange. Kerberos uses the SPNEGO mechanism to negotiate the security authentication.
To configure IBM Connections to use the Kerberos authentication protocol, complete the following tasks:
1. Mapping an Active Directory account to administrative roles
Map an account from Microsoft Active Directory to administrative roles in IBM WAS.
2. Create a service principal name and keytab file
Create a service account in Microsoft Active Directory to support a service principal name (SPN) for IBM Connections, and then create a keytab file that the Kerberos authentication service can use to establish trust with the web browser.
3. Create a redirect page for users without SPNEGO support
Create an HTML page to redirect users whose web browsers do not support SPNEGO.
4. Configure Kerberos and SPNEGO
Configure Kerberos and SPNEGO on IBM WAS V7.0.
5. Configure the backend authenticator
Configure the backend authenticator on IBM Connections.
6. Configure SPNEGO on IBM HTTP Server
Configure and enable SPNEGO on IBM HTTP Server.
7. Configure web browsers to support Kerberos
Configure your web browser to support Kerberos authentication.
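The following is an added example, not part of the IBM documentation: a check you can run against a captured `Authorization` request header, after completing the tasks above, to confirm that the browser offers a Kerberos mechanism through SPNEGO and has not fallen back to NTLM. The function names and sample tokens are constructed for illustration, and the mechanism detection matches DER-encoded OIDs near the start of the token instead of fully parsing it.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),          # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),          # 1.2.840.48018.1.2.2 (Microsoft)
)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP = b"NTLMSSP\x00"                              # raw NTLM message signature


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'spnego-other', 'not-negotiate' or 'malformed'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                      # NTLM sent without an SPNEGO wrapper
    if not token or token[0] not in (0x60, 0xA1):
        return "malformed"
    head = token[:128]                     # the mechanism list sits near the start
    krb = min((p for p in map(head.find, KRB5_OIDS) if p >= 0), default=-1)
    ntlm = head.find(NTLM_OID)
    if SPNEGO_OID not in head[:16]:
        # No SPNEGO wrapper: either a bare Kerberos GSS token or a later-leg response.
        return "kerberos" if 0 <= krb < 16 else "spnego-other"
    # NegTokenInit lists mechanisms in preference order; the first one wins.
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos"
    return "ntlm" if ntlm >= 0 else "spnego-other"


def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes


def sample_negotiate(mech_oids):
    """Constructed sample header: a NegTokenInit that carries only mechTypes."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    token = _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, mech_types)))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of `ntlm` for a domain-joined client usually points back to the SPN, keytab, or browser configuration tasks in the list above.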
Parent topic
Configure single sign-on
Related reference
IBM Connections system requirements
December 2, 2011 10:01:55 AM
Submitted by Robert Farstad on Sep 6, 2011 9:50:40 AM
Re: Enabling single sign-on for the Windows desktop
Wiki updated with this info :-)
Submitted by Robert Farstad on Sep 6, 2011 9:29:55 AM
Re: Enabling single sign-on for the Windows desktop
Shall I update the Wiki with this information?
Submitted by Robert Farstad on Sep 6, 2011 9:21:38 AM
Re: Enabling single sign-on for the Windows desktop
After having installed WAS 7.0 Fixpack 15, do all of the above mentioned interim fixes still apply?
When running updateinstaller, I can only install the PM30108 and can't select the two others.
PM19604 - Seems to apply only for WAS 7.0.0.11?
PM21308 - Seems to apply only for WAS 7.0.0.5?
PM30108 - This works in 7.0.0.15, even though it is released for 7.0.0.11
Does that mean that the PM19604 and the PM21308 are already included in Fixpack 15?
While typing that last sentence, I checked this:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27014463
PM19604 is included in FP13 and PM21308 is included in FP15. Great news!
PM30108 is included in FP17, but this is not currently supported for Connection 3.0.1...
So then I guess I'll only install the PM30108 :-)
Isn't it great when people ask questions and answer them themselves?