Create the WebSEAL user in Active Directory

In order for constrained delegation to operate correctly, WebSEAL and the target service must be running as Active Directory (AD) users that have an assigned Service Principal Name (SPN).

The SPN of the new WebSEAL user account that is created in Active Directory is used in the WebSEAL configuration as the kerberos-principal-name. The SPN of the target service user account is used as the kerberos-service-name. For instructions about how to configure Windows for constrained delegation, see the developerWorks article IBM Tivoli Access Manager: WebSEAL Kerberos Junctions.

To create the WebSEAL user and the target service user, complete the following steps.

Steps

  1. Create and initialize the AD WebSEAL user.

    1. On the domain controller, select Start > Administrative Tools > Active Directory Users and Computers.

    2. Create a new user whose password never expires. For example, webseal.
    3. Prepare the new user so that it can be used as the WebSEAL identity through a key table file. You can use the ktpass command line utility, provided as part of the Windows support tools, to do this. After the SPN has been set for the user, change the login name to reflect the SPN. The command has the following form:

        ktpass -out <Directory For Keytab> -princ HTTP/<WebSEAL User Name>@<AD DOMAIN NAME>
               -mapUser <WebSEAL User Name> -mapOp set -pass <Password> -pType KRB5_NT_PRINCIPAL

    4. For example, to create the keytab for the user webseal:

        ktpass -out C:\webseal.keytab -princ HTTP/webseal@AD_DOMAIN.COM
               -mapUser AD_DOMAIN\webseal -mapOp set -pass XXX -pType KRB5_NT_PRINCIPAL

       See Ktpass for more details.

  2. Create and initialize the AD target service user.

    1. On the domain controller, select Start > Administrative Tools > Active Directory Users and Computers.

    2. Create a new user whose password never expires. For example, targetservice.
    3. Prepare the new user so that it can run as a Kerberos service. You can use the ktpass command line utility, provided as part of the Windows support tools, to do this. After the SPN has been set for the user, change the login name to reflect the SPN. The command has the following form:

        ktpass -princ HTTP/<Target Server Name>.<DNS domain name>@<AD DOMAIN NAME>
               -mapUser <Target User Name> -mapOp set

    4. For example, for the user target_service on the host target_service.ad_domain.com:

        ktpass -princ HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
               -mapUser AD_DOMAIN\target_service
               -mapOp set -pass XXX -pType KRB5_NT_PRINCIPAL

  3. By default, the local security policy of the machine does not allow an AD user to run a local service. Change the setting so that the new AD user is granted the right to log on as a service.

    1. Select Start > Administrative Tools > Local Security Policy.

    2. In the Local Security Policy window, select Security Settings > Local Policies > User Rights Assignment.

    3. In the right panel, double-click Log on as a service.

    4. Click Add User or Group.

    5. Enter the new AD user's name and then click OK to include the user in this policy.

  4. Set the WebSEAL user to be trusted for delegation to the target service user.

    1. On the domain controller, select Start > Administrative Tools > Active Directory Users and Computers.
    2. Right-click the WebSEAL user.

    3. Click Properties.

    4. Select the Delegation tab.

    5. Select Trust this user for delegation to specified services only, and then select Use any authentication protocol. The Use Kerberos only option does not work for this constrained delegation configuration.

    6. Click Add.

    7. Click Users and Computers.
    8. Search for the target service user.

    9. Click OK.

    10. In the Add Services window, make sure the HTTP service is selected and then click OK.

    11. Click OK to save and exit the user properties.

    User accounts should also exist for the WebSEAL users that have permission to access the target service. These accounts do not require SPNs set up with the ktpass tool.
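The delegation settings of step 4, followed by a check of the resulting account state, as an added PowerShell example that is not part of the original IBM documentation. It assumes the ActiveDirectory module on the domain controller and the account names and SPNs used in the ktpass examples above (webseal, target_service, HTTP/target_service.ad_domain.com); adjust them for your domain.

```powershell
# Added example (not from the IBM documentation): configure and verify
# constrained delegation from the WebSEAL account to the target service SPN.
# Assumed names: 'webseal', 'target_service' and the SPNs from the ktpass examples.
Import-Module ActiveDirectory

$wsUser = 'webseal'
$tgtUser = 'target_service'
$tgtSpn = 'HTTP/target_service.ad_domain.com'

# The target SPN must be registered on the target service account; otherwise
# the KDC cannot issue a service ticket for it and delegation fails.
$tgt = Get-ADUser -Identity $tgtUser -Properties ServicePrincipalName
if ($tgt.ServicePrincipalName -notcontains $tgtSpn) {
    throw "SPN $tgtSpn is not registered on $tgtUser (check the ktpass output)"
}

# "Trust this user for delegation to specified services only": the allowed
# target SPNs are stored in msDS-AllowedToDelegateTo on the WebSEAL account.
Set-ADUser -Identity $wsUser -Add @{ 'msDS-AllowedToDelegateTo' = $tgtSpn }

# "Use any authentication protocol" is the TrustedToAuthForDelegation flag.
# TrustedForDelegation is the UNCONSTRAINED delegation flag and must stay off:
# with it set, the account could obtain tickets to any service, not only the target.
Set-ADAccountControl -Identity $wsUser -TrustedToAuthForDelegation $true -TrustedForDelegation $false

# Re-read the account and report anything that would break or weaken the setup.
$props = @('ServicePrincipalName', 'msDS-AllowedToDelegateTo',
           'TrustedForDelegation', 'TrustedToAuthForDelegation', 'PasswordNeverExpires')
$ws = Get-ADUser -Identity $wsUser -Properties $props

$problems = @()
if ($ws.ServicePrincipalName -notcontains 'HTTP/webseal') { $problems += 'WebSEAL SPN HTTP/webseal is missing' }
if ($ws.'msDS-AllowedToDelegateTo' -notcontains $tgtSpn) { $problems += "msDS-AllowedToDelegateTo lacks $tgtSpn" }
if (-not $ws.TrustedToAuthForDelegation) { $problems += 'Use any authentication protocol is not set' }
if ($ws.TrustedForDelegation) { $problems += 'account is trusted for UNCONSTRAINED delegation' }
if (-not $ws.PasswordNeverExpires) { $problems += 'password expiry would invalidate the keytab' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Constrained delegation from $wsUser to $tgtSpn is configured."
```

The same verification block can be run on its own (without the two Set- calls) as a periodic check that nobody has widened the WebSEAL account to unconstrained delegation.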

Parent topic: Single sign-on using Kerberos constrained delegation