Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)


Creating single sign-on for HTTP requests using the SPNEGO trust association interceptor (TAI) for WAS requires performing several distinct but related tasks. When they are completed, HTTP users log in and authenticate only once at their desktop and are then authenticated automatically by WAS.

Deprecated feature:

In WAS V6.1, a TAI that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is deprecated. SPNEGO Web authentication has taken its place; it provides dynamic reload of the SPNEGO filters and enables fallback to the application login method.

Before starting this task, complete the following checklist:

The objective of this machine arrangement is to permit users to successfully access WAS resources without having to reauthenticate and thus achieve Microsoft Windows desktop single sign-on capability. Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:

Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO.

  1. Domain Controller Machine - Set the Microsoft Windows 2000 or Windows 2003 Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). This configuration activity has the

    Your domain controller operations must lead to the following results:

    • A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.

    • A Kerberos keytab file (krb5.keytab) is created and made available to the WAS. The Kerberos keytab file contains the Kerberos service principal keys WAS uses to authenticate the user in the Microsoft Active Directory and the Kerberos account.

  2. Client Application Machine - Set the client application.

    Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI. You begin this configuration process by configuring your Web browser to use SPNEGO authentication. See Set the client browser to use SPNEGO TAI (deprecated) for the detailed steps required for the browser.

  3. WAS Machine - Set and enable the appserver and the associated SPNEGO TAI by performing the following tasks:

  4. Use a remote HTTP server - To use a remote server, complete the following steps, which assume that we have already configured the JVM properties and enabled the SPNEGO TAI in the appserver in which it is defined (as described in the previous three steps).

    1. Complete the steps in Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated) for the remote proxy server.

    2. Merge the keytab file created in step 1 with the keytab file created in step 4a. See Use the ktab command to manage the Kerberos keytab file for more information.

    3. Create the SPN for the remote proxy server using the addSpnegoTAIProperties wsadmin command.

      See SpnegoTAICommands group for AdminTask (deprecated).

    4. Restart the WAS.
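The keytab that step 1 creates and step 4b merges is an opaque binary file, so a quick check before restarting WAS is to confirm that it actually carries every SPN the TAI will need, without reading any key material out of it. The following Python is an added example, not part of the WAS documentation or product: it parses the MIT 0x0502 keytab layout that ktpass and ktab write, lists principal, kvno and enctype per entry, and reports expected SPNs that are missing. The host names, realm, kvnos and key bytes are constructed sample values.

```python
import struct
KEYTAB_V2 = b"\x05\x02"  # MIT keytab format 0x0502 (what ktpass and ktab write); all integers big-endian

def _counted(buf, pos):  # uint16 length-prefixed octet string -> (bytes, new_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for each live entry; key bytes are skipped, never returned."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _, _, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)  # name_type, timestamp, kvno8, enctype, key length
        pos += 13 + keylen                 # step over the key bytes themselves
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key) tuples; used here only for constructed samples."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [struct.pack(">H", len(s)) + s.encode() for s in [realm] + name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(parts)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def missing_spns(data, expected):
    """Expected SPNs ('HTTP/host@REALM') absent from the keytab, e.g. the proxy SPN before the step 4b merge."""
    present = {principal for principal, _, _ in parse_keytab(data)}
    return [spn for spn in expected if spn not in present]

WAS_SPN, PROXY_SPN = "HTTP/was.example.com@EXAMPLE.COM", "HTTP/proxy.example.com@EXAMPLE.COM"  # constructed names
STEP1_KEYTAB = build_keytab([(WAS_SPN, 2, 23, b"\x11" * 16)])   # constructed: WAS host SPN only; 23 = RC4-HMAC
MERGED_KEYTAB = STEP1_KEYTAB + build_keytab([(PROXY_SPN, 3, 18, b"\x22" * 32)])[2:]  # as after ktab merge; 18 = AES256
```

To check a real file, pass `open("krb5.keytab", "rb").read()` to `missing_spns` with the SPNs registered through addSpnegoTAIProperties; an empty list means the merge covered them all.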


Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)
Set WAS and enabling the SPNEGO TAI (deprecated)
Set the client browser to use SPNEGO TAI (deprecated)
Set JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)
Mapping Kerberos client principal name to WebSphere user registry ID for SPNEGO TAI (deprecated)
Single sign-on capability with SPNEGO TAI - checklist (deprecated)
Filtering HTTP requests for SPNEGO TAI (deprecated)


Related tasks


Enable the SPNEGO TAI as JVM custom property using scripting (deprecated)
Set the Lightweight Third Party Authentication mechanism
Implementing single sign-on to minimize Web user authentications


Related


SPNEGO TAI JVM configuration custom properties (deprecated)
SPNEGO TAI custom properties configuration (deprecated)
Use the ktab command to manage the Kerberos keytab file