Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
You must create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere Application Server.
Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
For information on the supported Microsoft Windows Servers, see the System Requirements for WAS v8.5 on Windows.
- Create a user account for the WebSphere Application Server in a Microsoft Active Directory. This account is eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WAS to the KDC as a Kerberos service. Use the Microsoft setspn command to map the Kerberos service principal name to a Microsoft user account.
- Create the Kerberos keytab file and make it available to WAS.
Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
To make the keytab file available to WAS, copy the krb5.keytab file from the Domain Controller (LDAP machine) to the WAS machine. For more information, see Create a Kerberos service principal name and keytab file.
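The three steps above as one PowerShell session on the domain controller. This is an added example, not taken from the IBM documentation. The account name `svc-was`, host `was01.example.com`, realm `EXAMPLE.COM` and the output path are assumed placeholders, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Assumed placeholder values; replace them with your environment's names.
$Account = 'svc-was'              # AD account that will own the SPN
$WasHost = 'was01.example.com'    # FQDN that browsers use to reach WAS
$Realm   = 'EXAMPLE.COM'          # Kerberos realm (AD domain, upper case)
$Spn     = "HTTP/$WasHost"
$Keytab  = 'C:\temp\krb5.keytab'

Import-Module ActiveDirectory

# Step 1: create the service account. The password is read interactively so
# it never appears on a command line or in the shell history.
$Password = Read-Host -AsSecureString "Initial password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256

# Step 2: map the SPN to the account. -S searches for an existing
# registration first and refuses to create a duplicate SPN.
setspn -S $Spn $Account
if (-not (setspn -L $Account | Select-String -SimpleMatch $Spn)) {
    throw "SPN $Spn is not registered on $Account"
}

# Step 3: generate the keytab. "-pass *" prompts for the password, and ktpass
# sets it on the account so the keytab key and the account key match.
ktpass -out $Keytab -princ "$Spn@$Realm" -mapUser "$Account@$Realm" `
    -mapOp set -pass * -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
if (-not (Test-Path $Keytab)) { throw "ktpass did not write $Keytab" }

# The keytab holds the service's long-term key. Drop inherited ACEs and grant
# access only to the built-in Administrators group (well-known SID) before
# copying the file to the WAS machine.
icacls $Keytab /inheritance:r /grant:r '*S-1-5-32-544:F'
```

Anyone who can read the keytab can act as the HTTP service for that host, so copy it to the WAS machine over an authenticated, encrypted channel and delete the copy left on the domain controller.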
Results
WAS v8.5 can use the Kerberos keytab file containing the Kerberos service principal keys to authenticate the user in the Microsoft Active Directory and the Kerberos account.
Subtopics
- Add or modify SPNEGO web authentication filters
The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) filter values control different aspects of SPNEGO. We can specify different filter values for each application server using the dmgr console.
- SPNEGO web authentication enablement
We can enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authenticator for WAS.
- SPNEGO web authentication filter values
The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication filter values control different aspects of SPNEGO. Use this page to specify different filter values for each application server.
Related
Create a single sign-on for HTTP requests using SPNEGO Web authentication
Create a Kerberos service principal name and keytab file
Configure Kerberos as the authentication mechanism
Reference:
Common Secure Interoperability v2 inbound communications settings
Common Secure Interoperability v2 outbound communications settings
SPNEGO web authentication configuration commands
SPNEGO web authentication filter commands