Enable single sign-on for the Windows desktop
Configure IBM Connections to use the Kerberos authentication mechanism. This single sign-on configuration permits users to sign in to the Windows desktop and then automatically authenticate with IBM Connections without needing to sign in again.
Before starting
Install IBM Connections on a system that uses Microsoft Active Directory as the LDAP directory.
Install the following WAS interim fixes:
- PM19604. "SPNEGO web authentication always interacts with the SPNEGO interceptor even though URLs are not protected." See note 1
- PM21308. "CWSIT0034E and CWSIT0110E caused by SECJ9314E exception in Service Integration Bus." See note 2
- PM30108. "Cannot forward. Response already committed on SPNEGO system." See note 3
Note 1: This iFix is already included in WAS version 7.0.0.13, and therefore also included in 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.
Note 2: This iFix is already included in WAS version 7.0.0.15. If you already are on level 7.0.0.15, there is no need to install this iFix.
Note 3: This iFix is valid for WAS version 7.0.0.11. If you already are on level 7.0.0.15, there is no need to install this iFix.
Verify that IBM Connections works as expected without the Kerberos authentication protocol.
Install Kerberos. For more information, see the topic "Kerberos (KRB5) authentication mechanism support for security".
Note: If you are using on-ramp plug-ins or mobile services, your data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through J2EE form-based authentication.
Create a user account in the LDAP directory and add it to the WAS administrators group.
About this task
The Kerberos authentication protocol uses strong cryptography, which enables a client to prove its identity to a server across an insecure network connection. After the client and server have proven their identity, the authentication protocol encrypts all data that the client and server exchange. Kerberos uses the SPNEGO mechanism to negotiate the security authentication.
To configure IBM Connections to use the Kerberos authentication protocol, complete the following tasks:
1. Mapping an Active Directory account to administrative roles
Map an account from Microsoft Active Directory to administrative roles in IBM WAS.
2. Create a service principal name and keytab file
Create a service account in Microsoft Active Directory to support a service principal name (SPN) for IBM Connections, and then create a keytab file that the Kerberos authentication service can use to establish trust with the web browser.
3. Create a redirect page for users without SPNEGO support
Create an HTML page to redirect users whose web browsers do not support SPNEGO.
4. Configure Kerberos and SPNEGO
Configure Kerberos and SPNEGO on IBM WAS V7.0.
5. Configure the backend authenticator
Configure the backend authenticator on IBM Connections.
6. Configure SPNEGO on IBM HTTP Server
Configure and enable SPNEGO on IBM HTTP Server.
7. Configure web browsers to support Kerberos
Configure your web browser to support Kerberos authentication.