Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
Creating single sign-on for HTTP requests with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server (WAS) requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate only once at their desktop and are authenticated automatically by WAS.
Deprecated feature:
In WAS v6.1, a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function was deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
Before starting this task, complete the following checklist:
- (Windows) A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- (Windows) A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Microsoft Internet Explorer v5.5 or later and Mozilla Firefox Version 1.0 qualify as such clients.
Important: A running domain controller and at least one client machine in that domain are required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. Specifically, you need a functioning Microsoft Windows Active Directory domain that includes:
- Domain controller
- Client workstation
- Users who can log in to the client workstation
- A server platform with WAS running and application security enabled.
- Users in the Active Directory must be able to access WAS protected resources using a native WAS authentication mechanism.
- The domain controller and the host of WAS should have the same local time.
- Ensure the clock on clients, Microsoft Active Directory and WAS are synchronized to within five minutes.
- Client browsers must be SPNEGO-enabled; this is done on the client application machine (details are explained in step 2 of this task).
The objective of this machine arrangement is to permit users to successfully access WAS resources without having to reauthenticate and thus achieve Microsoft Windows desktop single sign-on capability.
Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
- Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC)
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WAS running.
Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO:
Tasks
- Domain Controller Machine - Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). This configuration activity has the following steps:
- Create a user account for the WAS in a Microsoft Active Directory. This account will be eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WAS as a Kerberized service with the KDC. Use the setspn command to map the Kerberos service principal name to a Microsoft user account. The topic, Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated), has more details about using the setspn command.
- Create the Kerberos keytab file and make it available to WAS. Use the ktpass tool to create the Kerberos keytab file (krb5.keytab). The topic, Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated), has more details about using the ktpass command to create the keytab file.
You make the keytab file available to WAS by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WAS machine. See Use the ktab command to manage the Kerberos keytab file for more details.
Important: Your domain controller operations must lead to the following results:
- A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.
- A Kerberos keytab file (krb5.keytab) is created and made available to the WAS. The Kerberos keytab file contains the Kerberos service principal keys WAS uses to authenticate the user in the Microsoft Active Directory and the Kerberos account.
- Client Application Machine - Configure the client application. Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI. You begin this configuration process by configuring the web browser to use SPNEGO authentication. See Configure the client browser to use SPNEGO TAI (deprecated) for the detailed steps required for your browser.
- WAS Machine - Configure and enable the Application Server and the associated SPNEGO TAI by performing the following tasks:
- Ensure that LTPA is enabled. See Configure the LTPA mechanism for more details.
- Enable the SPNEGO TAI. See Configure WAS and enabling the SPNEGO TAI (deprecated) for more details.
- Create SPNEGO TAI properties using either the wsadmin command task or the administrative console.
- To use the wsadmin command task, see
- For using the administrative console, see Configure WAS and enabling the SPNEGO TAI (deprecated) for more details.
- Configure JVM properties and enable the SPNEGO TAI in Application Server in which it is defined. See Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated) or Enable the SPNEGO TAI as JVM custom property using scripting (deprecated) for more details.
- Install the Kerberos keytab file (created in step 1) on the WAS machine. Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated) provides the details.
- Create a basic Kerberos configuration file (krb5.ini or krb5.conf). See The Kerberos configuration file for details.
- Map the client Kerberos principal name to the WebSphere user registry ID, but only if WAS does not use Microsoft Active Directory. See Mapping Kerberos client principal name to WebSphere user registry ID for SPNEGO TAI (deprecated) for more details.
- Optional: Use a remote HTTP server - To use a remote server, complete the following steps, which assume that you have already configured the JVM properties and enabled the SPNEGO TAI in the Application Server in which it is defined (as described in the previous three steps).
- Complete the steps in Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated) for the remote proxy server.
- Merge the previous keytab file created in step 1 with the keytab file created in step 4a. See Use the ktab command to manage the Kerberos keytab file for more information.
- Create the SPN for the remote proxy server using the addSpnegoTAIProperties wsadmin command task. See SpnegoTAICommands group for the AdminTask object (deprecated).
- Restart the WAS.
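The keytab that step 1 produces, step 3 installs and step 4b merges holds the long-term key of the WAS service principal, so it is worth confirming what it contains before it is copied between hosts. The following Python keytab inspector is an added example, not code from WAS or from this page: it parses the MIT keytab format that ktpass and ktab write and reports a missing HTTP service principal or single-DES keys; the principal and realm names are placeholders, and the enctype numbers are the RFC 3961 assignments.

```python
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}   # RFC 3961 enctype numbers

def _counted(b):                   # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """MIT keytab 0x0502 (big-endian) -> [(principal, enctype, kvno)]; key bytes are dropped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:               # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        realm, p = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        vno8, enctype = data[p + 8], struct.unpack_from(">H", data, p + 9)[0]  # after name_type, timestamp
        _key, p = _read_counted(data, p + 11)
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0     # 32-bit kvno is optional
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno or vno8))
        pos = end
    return entries

def build_keytab(entries):         # writer for the same format; used only for the sample below
    out = b"\x05\x02"
    for princ, enctype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def check_keytab(data, expected_spn):   # findings to resolve before the keytab goes to the WAS host
    entries = parse_keytab(data)
    findings = [f"{p}: weak enctype {WEAK_ENCTYPES[e]}" for p, e, _ in entries if e in WEAK_ENCTYPES]
    if not any(p == expected_spn for p, _, _ in entries):
        findings.append("missing " + expected_spn)
    return findings
# Constructed sample (placeholder names, all-zero keys): the current RC4-HMAC key plus a stale DES entry.
SAMPLE = build_keytab([("HTTP/was.example.com@EXAMPLE.COM", 23, 2, bytes(16)),
                       ("HTTP/was.example.com@EXAMPLE.COM", 3, 1, bytes(8))])
```

Run check_keytab on the real krb5.keytab with the SPN you registered with setspn; on a domain that has moved to AES keys, add enctype 23 (rc4-hmac) to WEAK_ENCTYPES as well.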
Subtopics
- Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
WAS provides a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WAS.
- (iSeries) (ZOS) (Dist) Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)
You perform this configuration task on the Microsoft Active Directory domain controller machine. This task is a necessary part of preparing to process single sign-on browser requests to WAS and the SPNEGO trust association interceptor (TAI).
- (iSeries) (ZOS) (Dist) Configure WAS and enabling the SPNEGO TAI (deprecated)
Performing this task helps you, as web administrator, to ensure that WAS is properly configured to enable the operation of the Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI).
- (iSeries) (ZOS) (Dist) Configure the client browser to use SPNEGO TAI (deprecated)
You can configure your browser to use the Simple and Protected GSS-API Negotiation (SPNEGO) mechanism. Authentication of your browser requests is processed by the SPNEGO trust association interceptor (TAI) in WAS.
- (iSeries) (ZOS) (Dist) Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)
Performing this task helps you, as web administrator, to ensure that WAS is configured to enable the operation of the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) trust association interceptor (TAI) with the required Java virtual machine (JVM) property and with the appropriate filtering of HTTP requests.
- (iSeries) (ZOS) (Dist) Mapping Kerberos client principal name to WebSphere user registry ID for SPNEGO TAI (deprecated)
Use a system programming interface to customize the behavior of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) by implementing arbitrary mappings of the end-user's identity, which is retrieved from Microsoft Active Directory, to the identity used in the WAS security registry.
- Single sign-on capability with SPNEGO TAI - checklist (deprecated)
WAS provides a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WAS. To deploy and use the SPNEGO TAI, you need to examine your installation and decide how best to configure the SPNEGO TAI.
- (iSeries) (ZOS) (Dist) Filtering HTTP requests for SPNEGO TAI (deprecated)
Use a system programming interface to customize the behavior of the SPNEGO trust association interceptor (TAI) by specifying whether or not a particular HTTP request should be intercepted.
Related topics
- Implement single sign-on to minimize web user authentications
- Enable the SPNEGO TAI as JVM custom property using scripting (deprecated)
- Configure the LTPA mechanism
- SPNEGO TAI JVM configuration custom properties (deprecated)
- SPNEGO TAI custom properties configuration (deprecated)
- Use the ktab command to manage the Kerberos keytab file