Configure Kerberos authentication with an external Kerberos Authenticator
We can achieve Windows desktop single signon by configuring a Kerberos Authenticator to authenticate clients on behalf of the appliance. We can configure a junctioned web server to complete the actual authentication and return the authenticated identity to the appliance.
Figure 1. External Kerberos authentication
Complete the following steps to configure an external Kerberos Authenticator to do the authentication on behalf of the appliance. An example is provided for each step. Collectively, these examples describe one possible configuration that supports Windows desktop single signon.
Steps

1. Install the Policy Server and configure its user registry. For example, use Active Directory as the registry.

2. Configure a web server that supports Kerberos authentication. This web server is the Kerberos Authenticator. For example, install WebSEAL on the domain controller and configure Kerberos authentication.

3. Configure the External Authentication Interface (EAI) application on the Kerberos Authenticator. For example, create a simple Common Gateway Interface (CGI) script to act as the EAI. This CGI creates an EAI response that sets the am-eai-user-id header field to the name of the authenticated user.

4. Verify the configuration of the Kerberos Authenticator. Add a Windows client to the domain and verify that Windows desktop single signon occurs when you access the WebSEAL server from this client. We can install a network protocol analyzer, such as Wireshark, on the domain controller to monitor and validate the network traffic.

5. Configure WebSEAL on the appliance to use the external Kerberos Authenticator for authentication. For example, follow these steps:

   If the strip-www-authenticate-headers configuration entry is set to yes, WebSEAL removes the Negotiate www-authenticate and NTLM www-authenticate headers from junctioned server responses. Therefore, we must set the value to no to keep these www-authenticate headers in the junctioned server responses, so that the Negotiate challenge from the Kerberos Authenticator reaches the Windows client through the appliance. For more information about this configuration entry, see the Reference information in the IBM Knowledge Center.

6. Verify that Windows desktop single signon is available on the appliance. Send a request from the Windows client, through the WebSEAL server on the appliance, to the EAI application. Single signon occurs: the user can access the WebSEAL server on the appliance as an authenticated user. Again, we can use a network protocol analyzer to monitor and validate the network traffic.
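The EAI CGI described in step 3 could be written as follows. This is an added example, not IBM's code: it assumes the Kerberos Authenticator's web server has completed Kerberos (SPNEGO) authentication and exposes the principal in the CGI variable REMOTE_USER, and that the appliance's user registry is keyed by the bare account name, so the realm suffix and any DOMAIN\ prefix are stripped before the name is placed in am-eai-user-id.

```python
#!/usr/bin/env python3
"""Minimal EAI CGI for an external Kerberos Authenticator (added example)."""
import os
import re
import sys

# Assumption: the hosting web server completed Kerberos/SPNEGO authentication
# and exposes the principal in the server-set REMOTE_USER variable. Nothing
# supplied by the client (request headers, body) is trusted.
# Reject anything that is not a plain account name; CR/LF in a header value
# would let a crafted principal inject extra EAI headers.
_SAFE_USER = re.compile(r"^[A-Za-z0-9._-]+$")


def registry_user_from_principal(principal):
    """Map a Kerberos principal to the user-registry account name.

    Assumption: the registry (Active Directory) is keyed by the bare account
    name, so "alice@EXAMPLE.COM" and "EXAMPLE\\alice" both map to "alice".
    Returns None when the value is missing or unsafe for a header.
    """
    if not principal:
        return None
    name = principal.split("@", 1)[0]      # drop the Kerberos realm
    name = name.rsplit("\\", 1)[-1]        # drop a DOMAIN\ prefix
    return name if _SAFE_USER.match(name) else None


def build_eai_response(environ):
    """Return (status_line, headers, body) for the EAI response.

    On success am-eai-user-id carries the authenticated identity for WebSEAL
    on the appliance to consume; on failure the header is omitted so that no
    identity is asserted and the appliance does not create a session.
    """
    user = registry_user_from_principal(environ.get("REMOTE_USER"))
    if user is None:
        return ("Status: 401 Unauthorized", [("Content-Type", "text/plain")],
                "Kerberos authentication did not yield a usable identity.\n")
    return ("Status: 200 OK",
            [("am-eai-user-id", user), ("Content-Type", "text/plain")],
            "Authenticated as %s\n" % user)


if __name__ == "__main__":
    status, headers, body = build_eai_response(os.environ)
    sys.stdout.write(status + "\r\n")
    for name, value in headers:
        sys.stdout.write("%s: %s\r\n" % (name, value))
    sys.stdout.write("\r\n" + body)
```

When the script runs as a CGI behind the Kerberos-authenticated web server, the 200 response with am-eai-user-id is what WebSEAL on the appliance consumes at the EAI trigger URL; a request that reaches the script without a server-set REMOTE_USER gets a 401 and asserts no identity.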