Configure the client browser to use SPNEGO
We can configure the browser to utilize the Simple and Protected GSS-API Negotiation (SPNEGO) mechanism.
You need to know how to display and set options in Internet Explorer or in another browser, such as Firefox. The installed browser must support SPNEGO authentication.
Complete the following steps to ensure that the Internet Explorer browser is enabled to perform SPNEGO authentication.
- At the desktop, log in to the Windows Active Directory domain.
- Activate Internet Explorer.
- In the Internet Explorer window, click Tools > Internet Options > Security tab.
- Select the Local intranet icon and click Sites.
- In the Local intranet window, ensure that the check box to include all local (intranet) sites not listed in other zones is selected, then click Advanced.
- In the Local intranet window, fill in the Add this web site to the zone field with the web address of the host name so that the single sign-on (SSO) can be enabled for the list of websites shown in the websites field. Your site information technology staff provides this information. Click OK to complete this step and close the Local intranet window.
- On the Internet Options window, click the Advanced tab and scroll to Security settings. Ensure that the Enable Integrated Windows Authentication (requires restart) box is selected.
- Click OK. Restart Internet Explorer to activate this configuration.
Complete the following steps to ensure that the Firefox browser is enabled to perform SPNEGO authentication.
- At the desktop, log in to the Windows Active Directory domain.
- Activate Firefox.
- At the address field, type about:config.
- In the Filter, type network.n
- Double-click network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO authentication with the browser. Enter a comma-delimited list of trusted domains or URLs.
Set the value for network.negotiate-auth.trusted-uris.
- If the deployed SPNEGO solution is using the advanced Kerberos feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris. This preference lists the sites for which the browser may delegate user authorization to the server. Enter a comma-delimited list of trusted domains or URLs.
- Click OK. The configuration appears as updated.
- Restart the Firefox browser to activate this configuration.
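The two Firefox preferences above can be reviewed after the fact by reading them back from the profile's prefs.js. The following is an added example, not part of the original instructions or of any IBM or Mozilla tool: it parses both comma-delimited lists and reports entries that are broader than a named host. The function names, the three checks and the sample values are assumptions chosen for this illustration.

```python
import re

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

def parse_lists(prefs_text):
    """Extract the two comma-delimited SPNEGO lists from prefs.js-style text."""
    lists = {TRUSTED: [], DELEGATION: []}
    for name, value in PREF_RE.findall(prefs_text):
        if name in lists:
            lists[name] = [e.strip() for e in value.split(",") if e.strip()]
    return lists

def host_of(entry):
    """Host part of an entry such as 'https://was.example.test:9443/app'."""
    rest = entry.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lstrip(".").lower()

def covered(host, trusted_entries):
    """True if host equals, or is a subdomain of, a host named in trusted-uris."""
    return any(host == t or host.endswith("." + t)
               for t in map(host_of, trusted_entries) if t)

def audit(prefs_text):
    """Return (preference, entry, reason) tuples for entries worth reviewing."""
    lists = parse_lists(prefs_text)
    findings = []
    for pref, entries in lists.items():
        for entry in entries:
            if not host_of(entry):
                # Assumption: a scheme-only entry such as "https://" is not tied to any host.
                findings.append((pref, entry, "no host named"))
            elif entry.lower().startswith("http://"):
                findings.append((pref, entry, "cleartext http scheme"))
    for entry in lists[DELEGATION]:
        host = host_of(entry)
        if host and not covered(host, lists[TRUSTED]):
            findings.append((DELEGATION, entry, "delegated but not in trusted-uris"))
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE = '''
user_pref("network.negotiate-auth.trusted-uris", "https://was.example.test, http://legacy.example.test, https://");
user_pref("network.negotiate-auth.delegation-uris", "https://was.example.test, files.other.test");
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An empty result means every entry names a host, none is pinned to plain http, and every delegation entry is also covered by the trusted list.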
Results
Your Internet browser is properly configured for SPNEGO authentication. You can use applications that are deployed in WAS and that use secured resources without being repeatedly prompted for a user ID and password.
If you are prompted multiple times for a user ID and password, make sure that you enabled SPNEGO support on the client browser per the previous instructions. Also verify that the Allow fall back to application authentication mechanism support option is enabled on the WAS server side.
Related tasks
- Create a single sign-on for HTTP requests using SPNEGO Web authentication
- Create a Kerberos service principal (SPN) and keytab file on the Microsoft domain controller machine
- Create SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests
- Create a Kerberos service principal name and keytab file
- Add SPNEGO web authentication filters using the administrative console
- SPNEGO web authentication configuration commands
- SPNEGO web authentication filter commands
- SPNEGO web authentication enablement
- SPNEGO web authentication filter values