WAS v8.5: Create a single sign-on for HTTP requests using SPNEGO web authentication
Creating SSO for HTTP requests using the SPNEGO web authentication for WAS allows HTTP users to log in, and authenticate to, the Microsoft domain controller only once at their desktop, and receive automatic authentication from the WAS.
Before starting this task, have:
- A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client) for example, a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478. Microsoft Internet Explorer v5.5 or later and Mozilla Firefox v1.0 qualify as such clients.
A running domain controller and at least one client machine in that domain is required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. The Active Directory domain should include:
- Domain controller
- Client workstation
- Users who can log on to the client workstation
- A server platform with WAS running and application security enabled.
- Users in Active Directory must be able to access WAS-protected resources using a native WAS authentication mechanism.
- The domain controller and the host of WAS should have the same local time.
- Ensure that the clocks on the clients, Microsoft Active Directory, and WAS are synchronized to within five minutes.
- Be aware that client browsers must be SPNEGO-enabled; you do this on the client application machine (details are in procedure 4, "Configure the client application on the client application machine").
The objective of this machine arrangement is to permit users to successfully access WAS resources without having to authenticate again and thus achieve Microsoft Windows desktop single sign-on capability.
Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
- A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WAS running.
Procedure
1. Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
Configure the domain controller machine to create single sign-ons for HTTP requests using SPNEGO web authentication for WebSphere Application Server. Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
2. Create a Kerberos configuration file
The IBM implementation of JGSS and KRB5 requires a Kerberos configuration file (krb5.conf or krb5.ini) on each node or JVM. In this release of WAS, place this configuration file in config/cells/cell_name so that all application servers can access it. If we do not have a Kerberos configuration file, use a wsadmin command to create one.
3. Configure and enable SPNEGO web authentication using the dmgr console on your WAS machine
We can enable and configure SPNEGO as the web authenticator for the application server using the dmgr console on the WAS machine.
4. Configure the client application on the client application machine
Client-side applications are responsible for generating the SPNEGO token. You begin this configuration process by configuring the web browser to use SPNEGO authentication.
5. Create SPNEGO tokens for J2EE, .NET, Java, and web service clients for HTTP requests (optional)
We can create a SPNEGO token for the applications and insert this token into the HTTP headers to authenticate to the WAS.
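To show what the Kerberos configuration file from step 2 needs to contain, here is an added Python example. It is not from this page and it is not IBM's wsadmin command; it renders a minimal krb5.conf for an assumed realm EXAMPLE.COM, KDC dc1.example.com and keytab path, parses the file back, and reports the structural problems that most often stop JGSS from finding the KDC: a missing or lower-case default_realm, a realm stanza without a kdc, no [domain_realm] mapping, and no default_keytab_name. The AES256 encryption types are an assumption; they must match the encryption type the keytab from step 1 was created with.

```python
def render_krb5_conf(realm: str, kdc_host: str, dns_domain: str, keytab_path: str) -> str:
    """Render a minimal krb5.conf. Values are constructed for the example;
    the enctypes are an assumption and must match the keytab from step 1."""
    return (
        "[libdefaults]\n"
        f" default_realm = {realm}\n"
        f" default_keytab_name = FILE:{keytab_path}\n"
        " default_tkt_enctypes = aes256-cts-hmac-sha1-96\n"
        " default_tgs_enctypes = aes256-cts-hmac-sha1-96\n"
        "[realms]\n"
        f" {realm} = {{\n"
        f"  kdc = {kdc_host}:88\n"
        f"  admin_server = {kdc_host}\n"
        " }\n"
        "[domain_realm]\n"
        f" .{dns_domain} = {realm}\n"
        f" {dns_domain} = {realm}\n"
    )


def parse_krb5_conf(text: str) -> dict:
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.
    Handles the 'REALM = { ... }' stanzas that plain INI parsers reject;
    a repeated key (for example several kdc lines) keeps the last value."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            sub = None
        elif line == "}":
            sub = None
        elif line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            sub = section.setdefault(name, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (sub if sub is not None else section)[key] = value
    return sections


def check_krb5_conf(text: str) -> list:
    """Return a list of findings; an empty list means the file has what JGSS needs."""
    cfg = parse_krb5_conf(text)
    findings = []
    lib = cfg.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults.default_realm is missing")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper case; realm names are case-sensitive")
    if not lib.get("default_keytab_name"):
        findings.append("libdefaults.default_keytab_name is missing (keytab from step 1)")
    if not cfg.get("realms", {}).get(realm or "", {}).get("kdc"):
        findings.append(f"[realms] has no kdc entry for {realm}")
    if realm and realm not in cfg.get("domain_realm", {}).values():
        findings.append("[domain_realm] maps no DNS domain to the default realm")
    return findings


if __name__ == "__main__":
    conf = render_krb5_conf("EXAMPLE.COM", "dc1.example.com", "example.com", "/etc/krb5.keytab")
    print(conf)
    print("findings:", check_krb5_conf(conf))
```

Run the checker against the file in config/cells/cell_name after step 2; the lower-case realm finding is worth keeping because Active Directory issues tickets for the upper-case realm name and a mismatch produces a "cannot find KDC" style failure rather than an obvious configuration error.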
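Steps 4 and 5 both end with the client placing a SPNEGO token in the HTTP Authorization: Negotiate header. The following added Python example, which is not from this page and not IBM code, inspects such a header from a server log or a packet capture and tells an administrator whether the browser actually sent a Kerberos-based SPNEGO token or fell back to NTLM, which WAS SPNEGO web authentication cannot use. The sample tokens are constructed inside the block with a small DER encoder (the mechToken is a placeholder, not a real AP-REQ); the mechanism OIDs are the public ones from RFC 4178, RFC 4121 and MS-SPNG.

```python
import base64

# Public mechanism OIDs in dotted form and their DER-encoded values.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_BYTES = {
    SPNEGO_OID: bytes.fromhex("2b0601050502"),
    KRB5_OID: bytes.fromhex("2a864886f712010202"),
    MS_KRB5_OID: bytes.fromhex("2a864882f712010202"),
    NTLMSSP_OID: bytes.fromhex("2b06010401823702020a"),
}


def decode_oid(raw: bytes) -> str:
    """Decode a DER OID value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value (single-byte tags); returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate(header_value: str) -> dict:
    """Classify an Authorization header value: not-negotiate, ntlm, kerberos, spnego or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mech_types": []}
    token = base64.b64decode(b64 or "")
    if token.startswith(b"NTLMSSP\x00"):            # raw NTLM message sent under Negotiate
        return {"kind": "ntlm", "mech_types": []}
    if not token or token[0] != 0x60:               # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mech_types": []}
    _, body, _ = read_tlv(token, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        return {"kind": "unknown", "mech_types": []}
    mech = decode_oid(oid)
    if mech in (KRB5_OID, MS_KRB5_OID):             # bare Kerberos token, not wrapped in SPNEGO
        return {"kind": "kerberos", "mech_types": [mech]}
    if mech != SPNEGO_OID:
        return {"kind": "unknown", "mech_types": [mech]}
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    mech_types = []
    tag, neg, _ = read_tlv(body, pos)
    if tag == 0xA0:
        _, seq, _ = read_tlv(neg, 0)
        tag, ctx0, _ = read_tlv(seq, 0)
        if tag == 0xA0:
            _, oids, _ = read_tlv(ctx0, 0)
            p = 0
            while p < len(oids):
                t, v, p = read_tlv(oids, p)
                if t == 0x06:
                    mech_types.append(decode_oid(v))
    return {"kind": "spnego", "mech_types": mech_types}


def diagnose(header_value: str) -> str:
    """Reduce the classification to the condition an administrator acts on."""
    info = classify_negotiate(header_value)
    preferred = info["mech_types"][0] if info["mech_types"] else None
    if info["kind"] == "not-negotiate":
        return "not-negotiate"
    if info["kind"] == "ntlm" or preferred == NTLMSSP_OID:
        return "ntlm-fallback"   # browser not SPNEGO-enabled (step 4) or no ticket for the SPN (step 1)
    if info["kind"] == "kerberos" or preferred in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to construct the sample tokens below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_negotiate_header(mech_oids) -> str:
    """Construct a NegTokenInit advertising mech_oids with a 16-byte placeholder mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, OID_BYTES[o]) for o in mech_oids)))
    mech_token = der(0xA2, der(0x04, b"\x00" * 16))   # constructed placeholder, not a real AP-REQ
    token = der(0x60, der(0x06, OID_BYTES[SPNEGO_OID]) + der(0xA0, der(0x30, mech_types + mech_token)))
    return "Negotiate " + base64.b64encode(token).decode()


def sample_raw_ntlm_header() -> str:
    """Construct the start of an NTLM Type 1 message as a browser sends it under Negotiate."""
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()


if __name__ == "__main__":
    for h in (sample_negotiate_header([MS_KRB5_OID, KRB5_OID]), sample_negotiate_header([NTLMSSP_OID]),
              sample_raw_ntlm_header(), "Basic dXNlcjpwYXNz"):
        print(diagnose(h), classify_negotiate(h)["mech_types"])
```

The first advertised mechanism is the one the client intends to use, so a NegTokenInit whose list starts with the NTLMSSP OID means the same thing as a raw NTLMSSP message: the desktop had no Kerberos service ticket for the WAS SPN, and the fix is in step 1 (SPN and keytab) or step 4 (browser SPNEGO configuration), not in the server.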
Related
Single sign-on for HTTP requests using SPNEGO web authentication
Create a Kerberos service principal name and keytab file
Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)
SPNEGO web authentication configuration commands
SPNEGO web authentication filter commands
SPNEGO troubleshooting tips
System Requirements for WAS