Use an alias host name for SPNEGO TAI or SPNEGO web authentication using the administrative console (deprecated)
When we use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for authentication and want to use an alias host name as the host name for the application server, configure a custom property that resolves the alias host name to the actual host name for SPNEGO single sign-on. We can then dynamically add or modify an alias name in the DNS without changing the application server's configuration. If we enable this custom property, we no longer need to set alias host names through the SPNEGO configuration.
We must have completed the steps described in Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated) and Configure WebSphere Application Server and enabling the SPNEGO TAI (deprecated) before these settings take effect. This configuration requires a working SPNEGO TAI single sign-on environment.
As an HTTP request arrives, the application server performs a DNS lookup; if the alias host name resolves to a host name that is already configured for SPNEGO single sign-on, the application server continues to process the request. It is usually not necessary to add an alias host name to a SPNEGO account.
- Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName variable.
  - From the administrative console, click Global security > Web and SIP security > Trust association > Interceptors > com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl > Custom Properties.
  - Add or modify the com.ibm.ws.security.spnego.SPNx.hostName variable. For example:
    - Name: com.ibm.ws.security.spnego.SPNx.hostName
    - Value: real_host
  Specify the actual host name to which the application server can resolve an alias host name for SPNEGO single sign-on. We can then dynamically add or modify an alias name in the DNS without changing the configuration of the application server.
  We can optionally define the alias host name, but only the real host name is required. The application server resolves the alias host name to the real host name as the HTTP request is received.
- Turn on the Canonical support flag.
  - From the administrative console, click Global security > Custom properties.
  - Add or modify the com.ibm.websphere.security.krb.canonical_host variable and set it to "true".
    - Name: com.ibm.websphere.security.krb.canonical_host
    - Value: true
  Specify whether the application server uses the canonical form of the URL/HTTP host name in authenticating a client. If we set this custom property to false, a Kerberos ticket can contain a host name that differs from the HTTP host name header, and the application server might issue the following message:
  CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
  If we set this custom property to true, we avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.
- Configure the browser. On the browser of the client machine, the alias host name must be configured as a trusted host.
  - For Internet Explorer:
    - Select Tools > Internet options.
    - Select the Security tab.
    - Click Local intranet > Sites > Advanced.
    - Add the alias host name in this panel.
  - For Mozilla Firefox:
    - Type about:config in the address bar and press Enter to access the configuration options.
    - Locate the network.negotiate-auth.trusted-uris preference name, right-click the preference, and select Modify. If this preference does not exist, right-click within the panel and select New > String.
    - Add the alias host names in the text box, separating host names with a comma.
- Ensure that the real host name is added to the keytab file. We can configure the keytab file in two ways:
  - If com.ibm.websphere.security.krb.canonical_host is set to "true", the application server expects the real host name to be in the keytab file. Aliases are not necessary.
  - If com.ibm.websphere.security.krb.canonical_host is set to "false" and aliases are defined, the aliases must be present in the keytab file.
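The keytab rule above can be checked before enabling the TAI. The following script is an added example and not part of the IBM documentation or product: it parses constructed `klist -k` output, resolves an alias through a constructed CNAME table (a stand-in for the DNS lookup the server performs; socket.getfqdn would be used against real DNS), and reports which HTTP/host@REALM principals are still missing for a given canonical_host setting. The host names and realm are placeholders.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of `klist -k` output for a server keytab (not real data).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/path/to/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   3 HTTP/real_host.example.com@EXAMPLE.COM
   3 HTTP/real_host.example.com@EXAMPLE.COM
"""

# Constructed DNS view: alias (CNAME) -> canonical host name. Assumption for
# offline use; in a live check socket.getfqdn(alias) would replace this table.
DNS_ALIASES: Dict[str, str] = {
    "myapp.example.com": "real_host.example.com",
    "portal.example.com": "real_host.example.com",
}


def parse_keytab_principals(klist_output: str) -> Set[str]:
    """Return the set of HTTP/<host>@<REALM> principals listed by `klist -k`."""
    return set(re.findall(r"^\s*\d+\s+(HTTP/\S+)$", klist_output, re.MULTILINE))


def resolve_canonical(host: str) -> str:
    """Resolve an alias to its canonical host, as the server does per request."""
    return DNS_ALIASES.get(host.lower(), host.lower())


def required_principals(real_host: str, aliases: Iterable[str], realm: str,
                        canonical_host: bool) -> Set[str]:
    """Principals the keytab must hold for the given canonical_host setting:
    true  -> only the real host name (aliases are resolved to it first);
    false -> the real host name plus every alias that clients use."""
    hosts = {real_host}
    if not canonical_host:
        hosts.update(aliases)
    return {f"HTTP/{h}@{realm}" for h in hosts}


def missing_principals(klist_output: str, real_host: str, aliases: Iterable[str],
                       realm: str, canonical_host: bool) -> List[str]:
    """Sorted list of required principals that are absent from the keytab."""
    present = parse_keytab_principals(klist_output)
    return sorted(required_principals(real_host, aliases, realm, canonical_host) - present)
```

With canonical_host set to true the sample keytab is complete; with it set to false the alias principal is reported as missing.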
Related tasks
- Configure WebSphere Application Server and enabling the SPNEGO TAI (deprecated)
- Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
- Implement single sign-on to minimize web user authentications