
Support SPNEGO in the web application bridge


The web application bridge supports the Simple and Protected GSS-API Negotiation (SPNEGO) as the web authenticator for the application server. SPNEGO support relies on the scenario where IBM WebSphere Application Server is already configured for SPNEGO web authentication.

The following prerequisites are required for this scenario:

Support SPNEGO in the web application bridge:

  1. Enter the user ID and password on the client workstation to login to the Windows domain.

  2. Retrieve the ticket granting ticket (TGT) that the Active Directory server (the KDC specifically) issues for the Windows domain.

  3. Access WebSphere Portal through a browser either on the local Windows domain or on a trusted remote Windows domain.

  4. Choose one of the following options to configure the browser:

    Firefox: To configure your Firefox browser:

      1. Type about:config in the address bar.

      2. Type auth in the Filter field.

      3. Set the following two items to the SSO domain:

        • network.negotiate-auth.delegation-uris

        • network.negotiate-auth.trusted-uris

    Internet Explorer: To configure the Internet Explorer browser:

      • Navigate to Tools > Internet options.

      • Select the Security tab.

      • Select Local intranet.

      • Click Sites.

      • Add the SSO domain.

      • Select the Advanced tab.

      • Verify that the Enable Integrated Windows Authentication checkbox is checked.

      • Click OK.

      • Restart Internet Explorer for the changes to take effect.

  5. Retrieve the HTTP challenge that WAS sends to the browser: a 401 status containing the Authenticate: Negotiate header.

  6. Ensure that the browser parses the initially requested URL for the host name to construct a Kerberos Service Principal Name (SPN).

  7. Ensure that the client requests a Kerberos service ticket from the Active Directory server (the TGS specifically).

  8. Retrieve the client identity and access permission from the service ticket.

  9. Ensure that the browser sends an Authentication HTTP header with the SPNEGO token to WAS.

  10. Ensure that the WAS SPNEGO Web authentication module parses the SPNEGO token and validates the user identity against the Active Directory server.

  11. Ensure that WAS sends an HTTP 200 status code with an LTPAToken used for further session management.

  12. To set up delegation:

    1. Open the Active Directory server user properties window.

    2. Select the Trust this user for delegation to any service (Kerberos only) option under the Delegation tab for the Active Directory server user ID that the application uses.

      This option is not set for the individual client users. It is only set for the application server ID.

    3. Click OK.

    4. Open the Windows system properties window.

    5. Select the Account tab.

    6. Check the Account is trusted for delegation checkbox.

    7. Click OK.
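The following Python script is an added example, not part of the IBM documentation: it renders the two Firefox preferences from step 4 as user.js lines, builds the HTTP/host SPN a browser derives from the requested URL in step 6, and checks a URL against a negotiate-auth list so an administrator can confirm the SSO domain entries are no wider than intended (any host covered by delegation-uris receives the user's delegated Kerberos credentials). The SSO domain is a constructed value, and the dot-boundary suffix matching rule is an assumption to be checked against the Firefox documentation before relying on it.

```python
from urllib.parse import urlsplit

# Constructed sample SSO domain for the two Firefox preferences in step 4.
SSO_DOMAIN = "portal.example.com"


def build_spn(url: str) -> str:
    """Build the Kerberos SPN a browser derives from the requested URL
    (step 6): the host name of the URL in the common HTTP/<fqdn> form."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host name: %r" % url)
    return "HTTP/" + host.lower()


def host_is_trusted(url: str, trusted_uris: str) -> bool:
    """Decide whether a URL falls under a comma-separated Firefox
    negotiate-auth list. Assumed rule: an entry with a scheme must match
    the URL's scheme, and the host must equal the entry or end with
    '.' + entry, so 'example.com' does not cover 'badexample.com'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for raw in trusted_uris.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        scheme = None
        if "://" in entry:
            scheme, entry = entry.split("://", 1)
        if scheme and scheme != parts.scheme.lower():
            continue
        entry = entry.rstrip("/").lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def firefox_user_js(sso_domain: str) -> str:
    """Render the two about:config settings from step 4 as user.js lines
    so the same SSO domain is reviewed and deployed consistently."""
    prefs = ("network.negotiate-auth.trusted-uris",
             "network.negotiate-auth.delegation-uris")
    return "\n".join('user_pref("%s", "%s");' % (p, sso_domain) for p in prefs)


if __name__ == "__main__":
    print(build_spn("https://" + SSO_DOMAIN + "/wps/myportal"))
    print(host_is_trusted("https://" + SSO_DOMAIN + "/wps", SSO_DOMAIN))
    print(firefox_user_js(SSO_DOMAIN))
```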
