WAS v8.5 > Secure applications > Authenticate users
Use Microsoft Active Directory for authentication
WebSphere Application Server supports the Microsoft Active Directory. Many installations use the Microsoft Active Directory as their primary component for managing user authentication and user data. Authenticating a user across multiple repositories, or across a distributed LDAP such as a Microsoft Active Directory forest, can be challenging. In any search of the whole registry, if there is more than one match at run time, authentication fails because the match result is ambiguous.
User IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest. The following figure illustrates a user ID that is not unique across a tree or forest.
Figure 1. Forest search strategy: search illustration of a non-unique sAMAccountName across the entire forest.
Authenticating users across trees or forests can be a difficult task, and the following steps should be performed.
Note: You must ensure the Microsoft Windows Computer Browser Service is enabled in your operating system when the following conditions are true:
- Your primary domain is managed by Microsoft Active Directory.
- The Primary Domain Controller (PDC) exists in a different subnet from WAS.
- You set the user registry for WAS to local OS and not LDAP.
For more information on how to set and verify the Microsoft Windows Computer Browser Service is enabled, see the Microsoft documentation for the operating system.
- Analyze the Microsoft Active Directory construct that defines your installation. Your analysis will identify one of the following forms:
- Single LDAP registry - Simple configuration.
- Federated repository (a forest) - Typical configuration.
- Merger of federated repositories (a merger of trees into a forest) - Less typical configuration.
- Combination of user and group forests - Rare configuration.
- Develop strategies for user look up that match your Microsoft Active Directory installation. Remember that user IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest.
- Evaluate with testing to ensure that your authentication search strategies successfully authenticate users in your Microsoft Active Directory installation.
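The failure mode the steps above are guarding against is easy to reproduce without a directory server. The following Python simulation is an added example, not code from the IBM documentation or from WebSphere: it models a constructed two-domain forest in which the same sAMAccountName exists in both domains, shows that a forest-wide search returns an ambiguous result (the condition under which authentication fails), and shows one lookup strategy that keeps the match unique by scoping the search to the domain the user names at login, where the page notes the user ID is guaranteed to be unique. All domain names, DNs and user names are placeholders; the DOMAIN\user form is resolved against the DNS domain name here purely for the simulation.

```python
"""Added example (not from the IBM WebSphere documentation): a simulated
Active Directory forest used to show why a forest-wide search for a
sAMAccountName can match more than one entry, and how scoping the search
to the user's own domain keeps the match unique.

All entries below are constructed sample data; the domain names, DNs and
user names are placeholders, not a real installation.
"""
from dataclasses import dataclass


class AmbiguousMatchError(Exception):
    """Raised when a registry search matches more than one user entry."""


@dataclass(frozen=True)
class Entry:
    dn: str
    domain: str            # DNS name of the domain the object lives in
    sAMAccountName: str    # unique only within its own domain


# Constructed forest: two domains, each with its own "jsmith". This is the
# situation the page's Figure 1 describes (non-unique sAMAccountName).
FOREST = [
    Entry("CN=John Smith,OU=Users,DC=corp,DC=example", "corp.example", "jsmith"),
    Entry("CN=Jane Smith,OU=Users,DC=emea,DC=corp,DC=example", "emea.corp.example", "jsmith"),
    Entry("CN=Ana Lee,OU=Users,DC=emea,DC=corp,DC=example", "emea.corp.example", "alee"),
]


def search(entries, sam_account_name, domain=None):
    """Simulate an LDAP subtree search with filter (sAMAccountName=<id>).

    domain=None models a search rooted at the forest root; a domain name
    models a search rooted at that domain's naming context.
    """
    return [
        e for e in entries
        if e.sAMAccountName.lower() == sam_account_name.lower()
        and (domain is None or e.domain.lower() == domain.lower())
    ]


def is_ambiguous(entries, sam_account_name, domain=None):
    """True when the search would yield more than one match at run time."""
    return len(search(entries, sam_account_name, domain)) > 1


def resolve_user(entries, login, domain=None):
    """Return the single matching DN, or fail the way the page describes:
    more than one match at run time is an ambiguous result, not a login.
    """
    matches = search(entries, login, domain)
    if not matches:
        return None
    if len(matches) > 1:
        raise AmbiguousMatchError(
            f"{login!r} matched {len(matches)} entries: "
            + ", ".join(e.dn for e in matches)
        )
    return matches[0].dn


def resolve_qualified(entries, qualified_login):
    """Lookup strategy: accept DOMAIN\\user or user@domain and search only
    that domain's naming context. In this simulation both forms carry the
    DNS domain name (assumption for the example; real deployments map the
    NetBIOS name to the domain).
    """
    if "\\" in qualified_login:
        domain, user = qualified_login.split("\\", 1)
    elif "@" in qualified_login:
        user, domain = qualified_login.rsplit("@", 1)
    else:
        # No domain hint: fall back to the forest-wide search and let the
        # ambiguity surface instead of silently picking one entry.
        return resolve_user(entries, qualified_login)
    return resolve_user(entries, user, domain)


if __name__ == "__main__":
    print(resolve_user(FOREST, "alee"))                 # unique forest-wide
    try:
        resolve_user(FOREST, "jsmith")                  # ambiguous: two domains
    except AmbiguousMatchError as err:
        print("forest-wide search failed:", err)
    print(resolve_qualified(FOREST, "emea.corp.example\\jsmith"))
    print(resolve_qualified(FOREST, "jsmith@corp.example"))
```

The point of the fallback branch in `resolve_qualified` is the same as the page's rule: when the registry cannot tell two entries apart, the lookup must fail rather than bind as whichever entry the server listed first. Running the script against a table of every user ID in scope (the "evaluate with testing" step) is a cheap way to find the duplicates before they surface as login failures.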
Results
You will be in the position to authenticate users with LDAP registries in a Microsoft Active Directory forest.
When you select any of these scenarios, consult the appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on your configuration planning.
Subtopics
- Authentication using Microsoft Active Directory
Many installations use the Microsoft Active Directory as their primary component for managing user authentication and user data. One portion of the Microsoft Active Directory provides an LDAP service. WAS supports LDAP and, therefore, WAS supports the Microsoft Active Directory.
- Groups spanning domains with Microsoft Active Directory
The domain and forest functional levels of the Microsoft Active Directory control which configurations are available for use. How you configure Microsoft Active Directory affects how group membership is determined within WAS. Using groups to configure your Microsoft Active Directory installation with the product allows flexible management.
- Microsoft Active Directory Global Catalog
A Global Catalog is a Global Catalog Server. A Global Catalog holds a full set of attributes for the domain in which it resides and a subset of attributes for all objects in the Microsoft Active Directory forest. The two primary functions of a Global Catalog within the Microsoft Active Directory are logon capability and Microsoft Active Directory queries.
- Options for finding group membership within a Microsoft Active Directory forest
Locating group membership within the Microsoft Active Directory forest is necessary for authenticating users. There are several ways to approach finding group membership within the Microsoft Active Directory forest.
- Authenticate users with LDAP registries in a Microsoft Active Directory forest
Authenticating a user across multiple repositories, or across a distributed LDAP repository such as a Microsoft Active Directory forest, can be challenging. In any search of the whole user registry, if there is more than one match at run time, authentication fails because of ambiguous match results.
Related
Authenticate users
Locating user group memberships in a LDAP registry