Create an identity for WebSEAL in an Active Directory domain

To participate in a Kerberos exchange with a browser, a WebSEAL server needs an identity in the Active Directory Kerberos domain.

Creating the identity and copying the keytab to the WebSEAL server on UNIX provides a function similar to joining a Windows system to an Active Directory domain. The browser can then obtain a Kerberos ticket from the Active Directory domain controller and use the ticket to access the WebSEAL server.

These instructions assume the user name is the shortened DNS name that clients use to contact the WebSEAL server. For example, if clients contact the WebSEAL server at https://diamond.example.com, the WebSEAL server principal in Active Directory would have a user name of diamond. However, any identifying name can be used.

Steps

  1. See the appropriate Microsoft documentation for instructions on how to add a WebSEAL server host identity into an Active Directory domain.

    Follow these conditions:

    • Match the user name with the host name that clients use to contact the WebSEAL server. Do not use the full domain name. For example, for the website diamond.example.com, create a user named diamond.

    • Do not require the user to change the password at next login.

    • Do not set the password to expire.

    • Configure DNS properly for the host name that clients use to contact the WebSEAL server.

      • To confirm the configuration is correct, run forward and reverse nslookup for that host name on each of the following systems: the client, the WebSEAL server, and the Active Directory domain controller.

    • The account must not be set to use DES ciphers.

    • If you intend to use AES encryption for the tickets and the keys that are placed in the keytab, enable the following user account properties:

      • This account supports Kerberos AES 128 bit encryption
      • This account supports Kerberos AES 256 bit encryption

    • Multiple WebSEAL instances are supported by SPNEGO when each WebSEAL server has a unique IP address and host name. Multiple instances are not supported when the instances listen on different ports but share an IP address.

  2. Optional: This step is only relevant if we use multiple WebSEAL instances or virtual host junctions. To configure SPNEGO for multiple WebSEAL servers on the same system, we must create a separate user in Active Directory for each instance. Similarly, if we use virtual host junctions, create a separate user for each virtual host junction.

    For example, if the WebSEAL server is serving requests for the host names www.example.com, sales.example.com, and eng.example.com, we must create three users in Active Directory, one for each DNS name.
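The following PowerShell script is an added example, not part of the IBM documentation, showing one way to carry out the account conditions of step 1 for the diamond.example.com host: it checks forward and reverse DNS, creates the user with no forced password change, no expiry and AES-only encryption types, and then verifies the resulting account flags. It assumes the RSAT ActiveDirectory and DnsClient modules are installed; the OU path is a hypothetical placeholder.

```powershell
# Added example, not from the IBM page. Assumes RSAT ActiveDirectory and
# DnsClient modules; OU path and example.com names are illustrative.
Import-Module ActiveDirectory

$shortName = 'diamond'                               # user name = short host name, not the FQDN
$fqdn      = 'diamond.example.com'                   # name clients use to contact WebSEAL
$ouPath    = 'OU=ServiceAccounts,DC=example,DC=com'  # hypothetical OU
$password  = Read-Host -AsSecureString "Password for $shortName"

# 1. Forward and reverse lookups must agree; repeat these two lookups on the
#    client and on the domain controller as the procedure requires.
$forward = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$ip      = ($forward | Where-Object QueryType -eq 'A').IPAddress | Select-Object -First 1
$reverse = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
$ptrNames = @($reverse.NameHost | ForEach-Object { $_.TrimEnd('.') })
if ($ptrNames -notcontains $fqdn) {
    throw "Reverse lookup of $ip returned '$($ptrNames -join ',')', expected '$fqdn'"
}

# 2. Create the account: no password change at next logon, password never
#    expires, and only AES128/AES256 as supported Kerberos encryption types.
New-ADUser -Name $shortName -SamAccountName $shortName -Path $ouPath `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128, AES256

# 3. Verify what was written. msDS-SupportedEncryptionTypes bits:
#    0x1/0x2 = DES (must be clear), 0x8 = AES128, 0x10 = AES256.
$u = Get-ADUser $shortName -Properties 'msDS-SupportedEncryptionTypes', PasswordNeverExpires, UseDESKeyOnly
$enc = [int]$u.'msDS-SupportedEncryptionTypes'
if ($enc -band 0x3)            { throw "DES encryption types enabled on $shortName" }
if ($u.UseDESKeyOnly)          { throw "'Use Kerberos DES encryption types' is set on $shortName" }
if (-not ($enc -band 0x18))    { throw "No AES encryption type enabled on $shortName" }
if (-not $u.PasswordNeverExpires) { throw "Password expiry is still enabled on $shortName" }
"Account $shortName meets the WebSEAL SPNEGO conditions; proceed to keytab generation"
```

Run the script as an account that can create users in the target OU; for multiple WebSEAL instances or virtual host junctions (step 2), run it once per DNS name with $shortName and $fqdn changed accordingly.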

Parent topic: Configure Windows desktop single sign-on