Create a single sign-on for HTTP requests using SPNEGO Web authentication
Creating a single sign-on for HTTP requests using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere Application Server (WAS) requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate to the Microsoft domain controller only once, at their desktop, and are then authenticated automatically by WAS.
In WAS v6.1, a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated in WAS v7.0. SPNEGO web authentication has taken its place and provides the following enhancements:
- We can configure and enable SPNEGO web authentication and filters on the WAS server side using the administrative console.
- Dynamic reload of SPNEGO is provided without the need to stop and restart the WAS server.
- Fallback to an application login method is provided if the SPNEGO web authentication fails.
We can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.
Read about Single sign-on for HTTP requests using SPNEGO web authentication for a better understanding of what SPNEGO Web Authentication is and how it is supported in this version of WAS.
Before starting this task, complete the following checklist:
- (Windows) A Microsoft Windows Server running the Active Directory Domain Controller and the associated Kerberos Key Distribution Center (KDC).
- (Windows) A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Microsoft Internet Explorer v5.5 or later and Mozilla Firefox Version 1.0 qualify as such clients.
Important: A running domain controller and at least one client machine in that domain are required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. Specifically, we need a functioning Microsoft Windows Active Directory domain that includes:
  - Domain controller
  - Client workstation
  - Users who can log in to the client workstation
- A server platform with WAS running and application security enabled.
- Users in the Active Directory must be able to access WAS protected resources using a native WAS authentication mechanism.
- The domain controller and the host of WAS should have the same local time.
- Ensure that the clocks on the clients, Microsoft Active Directory and WAS are synchronized to within five minutes.
- Client browsers on the client machine must be enabled for SPNEGO. We do this in the procedure when we configure the client application on the client application machine.
The objective of this machine arrangement is to permit users to access WAS resources without having to authenticate again, and thus to achieve Microsoft Windows desktop single sign-on capability.
Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
- A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WAS running.
Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication:
Tasks
- Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
- Configure your domain controller machine to create single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere Application Server. Configure the Microsoft Windows Server running the Active Directory Domain Controller and the associated Kerberos Key Distribution Center (KDC). Read the Configuring your domain controller machine to create single sign-ons for HTTP requests using SPNEGO article for more information.
- Create a Kerberos configuration file
- The IBM implementation of the Java Generic Security Service (JGSS) and KRB5 requires a Kerberos configuration file (krb5.conf or krb5.ini) on each node or JVM. In this release of WAS, this configuration file should be placed in the config/cells/cell directory so that all application servers can access it. If we do not have a Kerberos configuration file, use a wsadmin command to create one. Read the Creating a Kerberos configuration article for more information.
- Configure and enable SPNEGO web authentication using the administrative console on our WAS machine
- We can enable and configure the Simple and Protected GSS-API Negotiation (SPNEGO) as the web authenticator for the application server using the administrative console on the WAS machine. Read the Enable and configure SPNEGO web authentication using the administrative console article for more information.
- Configure the client application on the client application machine
- Client-side applications are responsible for generating the SPNEGO token. We begin this configuration process by configuring the web browser to use SPNEGO authentication. Read the Configuring the client browser to use SPNEGO article for more information.
- Create SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests (optional)
- Create a Simple and Protected GSS-API Negotiation (SPNEGO) token for the applications and insert this token into the HTTP headers to authenticate to the WAS. Read the Creating SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests article for more information.
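The client steps above end with a SPNEGO token carried in the HTTP Authorization header with the Negotiate scheme. When SPNEGO web authentication falls back to the application login, a common reason in practice is that the client sent an NTLM message inside the Negotiate header instead of a Kerberos-based SPNEGO token, which WAS SPNEGO web authentication cannot consume. The following added example is not IBM's or WebSphere's code; it is a small diagnostic that inspects a captured Authorization header value, checks the RFC 2743 InitialContextToken framing and the mechanism OID, and reports which kind of token the client actually produced. The sample headers it builds are constructed for the example and carry no real ticket or credentials.

```python
import base64

# Mechanism OIDs as DER content octets (no tag or length)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2, SPNEGO (RFC 2478)
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2, Kerberos V5
NTLM_SIGNATURE = b"NTLMSSP\x00"                   # prefix of every NTLMSSP message


def _der_length(buf, pos):
    """Decode the DER length octets at buf[pos]; return (length, position after them)."""
    first = buf[pos]
    if first < 0x80:                              # short form
        return first, pos + 1
    count = first & 0x7F                          # long form: number of length octets
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_negotiate_header(header_value):
    """Classify an Authorization header value as 'spnego', 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(NTLM_SIGNATURE):            # NTLM tunnelled in Negotiate
        return "ntlm"
    try:
        # RFC 2743 InitialContextToken: [APPLICATION 0] tag 0x60, length, then the mech OID
        if raw[0] != 0x60:
            return "unknown"
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:                      # OBJECT IDENTIFIER tag
            return "unknown"
        oid_len, pos = _der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
    except IndexError:                            # truncated token
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:                           # raw Kerberos token without SPNEGO wrapping
        return "kerberos"
    return "unknown"


def _der(tag, body):
    """Wrap body in a DER TLV with a single-octet length (enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def sample_spnego_header():
    """Constructed NegTokenInit that offers only Kerberos V5; it carries no real ticket."""
    mech_types = _der(0x30, _der(0x06, KRB5_OID))                       # mechTypes SEQUENCE OF OID
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))     # [0] NegTokenInit
    token = _der(0x60, _der(0x06, SPNEGO_OID) + neg_token_init)         # InitialContextToken
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def sample_ntlm_header():
    """Constructed, minimal NTLMSSP Type 1 (NEGOTIATE) message of the kind a browser
    sends when it cannot obtain a Kerberos ticket; flags and fields are placeholders."""
    msg = NTLM_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)
    return "Negotiate " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    for header in (sample_spnego_header(), sample_ntlm_header(), "Basic dXNlcjpwYXNz"):
        print(classify_negotiate_header(header), "<-", header[:40])
```

Feed the function header values captured from a browser's developer tools or from an access log that records the Authorization header; an 'ntlm' result means the client never obtained a Kerberos service ticket for the SPN, so the keytab, SPN registration and clock synchronization from the checklist above are the first things to verify.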
Related:
- Single sign-on for HTTP requests using SPNEGO web authentication
- Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
- Create a Kerberos configuration file
- Enable and configure SPNEGO web authentication
- Configure the client browser to use SPNEGO
- Create SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests
- Implement single sign-on to minimize web user authentications
- Create a Kerberos service principal name and keytab file
- Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)
- SPNEGO web authentication configuration commands
- SPNEGO web authentication filter commands
- SPNEGO troubleshooting tips