Mapping an Active Directory account to administrative roles
Map an account from Active Directory to administrative roles in IBM WebSphere Application Server.
This task is not required if you do not use Microsoft Active Directory.
Ensure you have configured IBM Connections to use Active Directory as the user directory. See the Set up federated repositories topic.
Ensure you have configured WebSphere Application Server to use the Kerberos and LTPA authentication option. See the Configure SPNEGO on WebSphere Application Server topic.
Select an Active Directory account to map to administrative roles in IBM WebSphere Application Server.
After enabling Kerberos and LTPA authentication in WebSphere Application Server, the default file-based repository no longer works, so we can no longer log in to the WAS Integrated Solutions Console with the wasadmin account. Any services that require authentication and that use the wasadmin ID also stop working. Consequently, some functions in Connections fail, including search indexing, notifications, and adding widgets.
To prevent such problems, we must map an account in Active Directory to the Connections administrative roles in IBM WebSphere Application Server.
To map the Active Directory account:
- Map an Active Directory account to administrative roles:
  - Log in to the WAS Integrated Solutions Console on the dmgr and go to Users and groups | Administrative user roles | Add | Admin Security Manager.
  - Enter the Active Directory account name in the Search string field and click Search.
  - Select the account name in the Available column and click the arrow button to add it to the Mapped to role column.
  - Click OK.
  - Click Add and select Administrator.
  - Enter the Active Directory account name in the Search string field and click Search.
  - Select the account name in the Available column and click the arrow button to add it to the Mapped to role column.
  - Click OK.
  - Click Save.
- Change the J2C authentication:
  - Click Security | Bus security | ConnectionsBus | Additional Properties | Security | Users and groups in the bus connector role | New.
  - In the SIB Security Resource Wizard window, click Users, enter the Active Directory account in the Search pattern field, and click Next.
  - Select the check box for the account name and click Next.
  - If the summary information is correct, click Finish.
  If we subsequently change the password for the Active Directory account mapped in this step, also change the password for the ConnectionsAdmin J2C alias.
- Update the messaging bus configuration. Complete the steps in the Update the messaging bus configuration when the connectionsAdmin user ID changes topic.
- For each application, update the mapping for the dsx-admin, search-admin, and widget-admin Java EE roles, replacing the currently mapped user with the Active Directory account. Go to the Switch to unique administrator IDs for system level communication topic and complete Step 3.
- Modify the runtime user for the Search application:
  - Click Applications | Application Types | WebSphere enterprise applications | Search | Detail Properties | User RunAs Roles, and select the Admin check box.
  - Enter the Active Directory account name and its password as the new user name and password.
  - Click Apply.
  If we subsequently change the password for the Active Directory account mapped in this step, also change the password for the ConnectionsAdmin J2C alias.
- (Only required if you use Windows services to start or stop IBM Connections) Edit the Windows services to use the Active Directory account instead of wasadmin to start and stop IBM Connections.
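The same procedure as a wsadmin Jython script, added here as an example and not part of the IBM documentation. It assumes the wsadmin globals AdminTask, AdminApp and AdminConfig, the Search application name "Search", the ConnectionsBus bus and ConnectionsAdmin alias named on the page, and the account and its password passed as the last two script arguments; run outside wsadmin it only lists the calls it would make.

```python
import sys

def build_plan(account, password, search_app='Search', bus='ConnectionsBus',
               alias='ConnectionsAdmin'):
    """Ordered (wsadmin object, method, args) calls for the procedure on this page."""
    return [
        # Administrative user roles: Admin Security Manager, then Administrator
        ('AdminTask', 'mapUsersToAdminRole',
         ('[-roleName adminsecuritymanager -userids %s]' % account,)),
        ('AdminTask', 'mapUsersToAdminRole',
         ('[-roleName administrator -userids %s]' % account,)),
        # Users in the bus connector role of the ConnectionsBus
        ('AdminTask', 'addUserToBusConnectorRole',
         ('[-bus %s -user %s]' % (bus, account),)),
        # J2C alias: set from the same password so alias and account stay in sync
        ('AdminTask', 'updateAuthDataEntry',
         ('[-alias %s -user %s -password %s]' % (alias, account, password),)),
        # RunAs role "Admin" of the Search application
        ('AdminApp', 'edit',
         (search_app, '[-MapRunAsRolesToUsers [[Admin %s %s]]]' % (account, password))),
    ]

class DryRun:
    """Stand-in for a wsadmin object: records calls instead of changing the cell."""
    def __init__(self, name, log):
        self.name, self.log = name, log
    def __getattr__(self, method):
        def call(*args):
            self.log.append('%s.%s%s' % (self.name, method, args))
        return call

def run_plan(plan, objects):
    """Execute the plan against AdminTask/AdminApp/AdminConfig, then save the config."""
    for obj_name, method, args in plan:
        getattr(objects[obj_name], method)(*args)
    objects['AdminConfig'].save()

def dry_run(plan):
    """Return the wsadmin calls the plan would make, without a live cell."""
    log = []
    objs = dict([(n, DryRun(n, log)) for n in ('AdminTask', 'AdminApp', 'AdminConfig')])
    run_plan(plan, objs)
    return log

if __name__ in ('__main__', 'main') and len(sys.argv) >= 2:
    plan = build_plan(sys.argv[-2], sys.argv[-1])   # account, then password
    try:
        run_plan(plan, {'AdminTask': AdminTask, 'AdminApp': AdminApp, 'AdminConfig': AdminConfig})
    except NameError:                                # not inside wsadmin: only show the calls
        for line in dry_run(plan): print(line)
```

Invoke it as wsadmin -lang jython -f map_ad_admin.py ACCOUNT PASSWORD; a plain python run of the same script prints the call list for review.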