Create a single sign-on for HTTP requests using SPNEGO Web authentication
SPNEGO Web authentication allows HTTP users to authenticate only once at their desktop for all WAS resources in a domain.
In WAS V6.1, a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is deprecated.
SPNEGO Web authentication has taken its place to provide the following enhancements:
- Configure SPNEGO Web authentication and filters on the WAS server side.
- Dynamic reload of SPNEGO without the need to restart the WAS server.
- Fallback to an application login method if SPNEGO Web authentication fails.
We can enable either...
- SPNEGO TAI
- SPNEGO Web Authentication
...but not both.
Before starting this task, complete the following checklist:
- A Microsoft Windows 2000 or Windows 2003 Server running...
- Active Directory Domain Controller
- Kerberos Key Distribution Center (KDC)
- A Microsoft Windows 2000 or Windows 2003 domain member (client) for example...
- browser
- Microsoft .NET client
...that supports the SPNEGO authentication mechanism (IETF RFC 2478).
Examples:
- Microsoft Internet Explorer V5.5 or later
- Mozilla Firefox V1.0
A running domain controller and at least one client machine in that domain is required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. Specifically, we need a functioning Microsoft Windows 2000 or Windows 2003 Active Directory domain that includes:
- Domain controller
- Client workstation
- Users who can log in to the client workstation
- A server platform with WAS running and application security enabled.
- Users on the active directory must be able to access WAS protected resources using a native WAS authentication mechanism.
- The domain controller and the host of WAS should have the same local time.
- Ensure the clocks on the clients, Microsoft Active Directory and WAS are synchronized to within five minutes.
- Be aware that client browsers must be SPNEGO enabled; you configure this on the client application machine (details are in step 2 of this task).
The objective of this machine arrangement is to permit users to successfully access WAS resources without having to authenticate again and thus achieve Microsoft Windows desktop single sign-on capability.
Setting up the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
- Microsoft Windows 2000 or Windows 2003 Server running...
- Active Directory Domain Controller
- Kerberos Key Distribution Center (KDC)
- A Microsoft Windows 2000 or Windows 2003 domain member (client application), such as...
- browser
- Microsoft .NET client
- A server platform with WAS running.
Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO:
- Domain Controller Machine - Set up the Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). This configuration activity has the following steps:
- Create a user account for WAS in Microsoft Active Directory. This account is eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WAS as a Kerberos service to the KDC. Use the Microsoft setspn command to map the Kerberos service principal name to the Microsoft user account.
- Create the Kerberos keytab file and make it available to WAS. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
You make the keytab file available to WAS by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WAS machine. See Create a Kerberos service principal and keytab file for more information.
After you have configured the domain controller, the following results must have been achieved:
- A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.
- A Kerberos keytab file (krb5.keytab) is created and made available to WAS. The Kerberos keytab file contains the Kerberos service principal keys that WAS uses to authenticate the user in the Microsoft Active Directory and the Kerberos account. See Create a Kerberos service principal and keytab file for more information.
- WAS Machine - Set up and enable the application server and SPNEGO Web authentication using the admin console. See Enabling and configuring SPNEGO Web authentication for more information.
- Client Application Machine - Set the client application. Client-side applications are responsible for generating the SPNEGO token. You begin this configuration process by configuring the Web browser to use SPNEGO authentication.
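Before enabling SPNEGO on the WAS machine, it is worth confirming that the krb5.keytab copied from the domain controller really contains the HTTP/hostname SPN, encryption type and key version you created with setspn and ktpass. The following Python is an added example, not code from the WAS documentation or product: it parses a keytab in the MIT format (version 0x0502) that ktpass writes and lists each principal without exposing the key bytes. The SPN HTTP/was.example.com@EXAMPLE.COM and the sample keytab built by build_entry are constructed for the demonstration.

```python
import struct
# MIT keytab v0x0502: 2-byte header, then entries prefixed by a signed int32
# (big-endian) size; a negative size marks a deleted entry to skip over.
KEYTAB_MAGIC = b"\x05\x02"

def _counted(data, pos):  # uint16 length-prefixed string (realm, name parts)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # one dict per live entry; key bytes never returned
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative: deleted entry; zero: end of data
            pos = pos - size if size else len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, stamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen
        if end - pos >= 4:         # optional 32-bit kvno supersedes the 8-bit
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": stamp})
        pos = end
    return entries

def build_entry(principal, enctype, key, kvno, stamp):
    # Constructed entry in the same layout; name type 1 = KRB5_NT_PRINCIPAL.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, stamp, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed krb5.keytab: one RC4-HMAC (enctype 23) dummy key for the WAS SPN.
SAMPLE_KEYTAB = KEYTAB_MAGIC + build_entry(
    "HTTP/was.example.com@EXAMPLE.COM", 23, b"\x11" * 16, 3, 1600000000)
```

To inspect a real file, pass `open("krb5.keytab", "rb").read()` to parse_keytab and compare the listed principal and kvno with what setspn and ktpass reported on the domain controller; a missing SPN or a stale kvno is the usual reason SPNEGO falls back to the application login.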