
Configure WAS environment to use SPNEGO

 

The objective of the Web administrator is to configure and administer the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) in WAS so that users who have already authenticated to a Microsoft Active Directory domain get single sign-on to WAS. The administrator also specifies additional criteria that select which Web transactions are authenticated in the single sign-on environment. Verify that the Web browser is configured to use the SPNEGO authentication mechanism; the topic Configure the Web browser to use SPNEGO describes what the user must do to configure the Web browser.

 

Overview

The Web administrator configures and enables the SPNEGO TAI. The process to configure and enable the SPNEGO TAI in WebSphere Application Server requires some tasks that use tools not supplied by WebSphere Application Server (for example, the Microsoft setspn and ktpass tools). Refer to the documentation from the supplier of those tools for the tasks they cover.

 

Procedure

  1. Create a user account in a Microsoft Active Directory. This account will be mapped to the Kerberos service principal name (SPN).

  2. On the Microsoft Active Directory server where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WAS as a Kerberized service to the KDC; it is not the account of any end user. Use the setspn tool to map the SPN to the account. More information about the setspn tool is in the Windows 2003 Technical Reference (setspn command).

  3. On the Microsoft Active Directory where the Kerberos key distribution center (KDC) is active, create the Kerberos keytab file and make it available to WAS. Use the ktpass tool to create the Kerberos keytab file (krb5.keytab). Windows 2003 Technical Reference (Kerberos keytab file and ktpass command) provides more information on creating the Kerberos keytab file.

  4. Configure and enable the appserver and the associated SPNEGO TAI using the console or using the wsadmin command to perform command tasks. See Configure SPNEGO TAI in WAS.

  5. Select Lightweight Third-Party Authentication (LTPA) as the authentication mechanism. See Configure the LTPA mechanism.

  6. Install the Kerberos keytab file (krb5.keytab): copy the krb5.keytab file created in step 3 from the LDAP machine to the WAS machine.

  7. Update the associated Kerberos configuration file (krb5.conf).

  8. Configure JVM properties and enable SPNEGO TAI in each appserver in which it is defined. See Configure JVM properties and enabling SPNEGO TAI in WebSphere Application Server.
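The SPN mapped in step 2, the principal written into krb5.keytab in step 3 and the realm in krb5.conf from step 7 must all agree, or the TAI cannot decrypt the ticket the browser presents. As an added example that is not part of the IBM documentation, this Python helper derives all three from one host/realm/account triple, emits the setspn and ktpass command lines, and checks a keytab principal against the expected SPN; was01.example.com, EXAMPLE.COM, wasuser and dc1.example.com are constructed placeholders.

```python
import re

# Principal form the SPNEGO TAI expects in the keytab: HTTP/<fqdn>@<REALM>
SPN_RE = re.compile(r"^HTTP/(?P<host>[a-z0-9][a-z0-9.-]*)@(?P<realm>[A-Z0-9.-]+)$")


def service_principal(host: str, realm: str) -> str:
    """Kerberos SPN for the WAS HTTP service. The browser requests a ticket for
    the DNS name it connects to, so the host must be the fully qualified name
    in lowercase; Kerberos realms are conventionally uppercase."""
    host = host.strip().lower()
    if "." not in host:
        raise ValueError(f"host {host!r} must be a fully qualified DNS name")
    return f"HTTP/{host}@{realm.strip().upper()}"


def setspn_command(host: str, realm: str, account: str) -> str:
    """setspn call for step 2 (setspn takes the SPN without the @REALM part)."""
    spn = service_principal(host, realm).split("@")[0]
    return f"setspn -A {spn} {account}"


def ktpass_command(host: str, realm: str, account: str, keytab: str = "krb5.keytab") -> str:
    """ktpass call for step 3; '-pass *' makes ktpass prompt for the password
    instead of placing it on the command line (and in shell history)."""
    return (f"ktpass -out {keytab} -princ {service_principal(host, realm)} "
            f"-mapUser {account} -pass *")


def krb5_conf(realm: str, kdc: str, keytab_path: str = "/etc/krb5.keytab") -> str:
    """Minimal krb5.conf for the WAS machine (step 7); the realm here must be
    the same realm that appears in the keytab principal."""
    realm = realm.strip().upper()
    return "\n".join([
        "[libdefaults]",
        f"    default_realm = {realm}",
        f"    default_keytab_name = FILE:{keytab_path}",
        "[realms]",
        f"    {realm} = {{",
        f"        kdc = {kdc}:88",
        "    }",
        "[domain_realm]",
        f"    .{realm.lower()} = {realm}",
    ])


def keytab_matches(keytab_principal: str, host: str, realm: str) -> bool:
    """True when the principal stored in krb5.keytab is exactly the SPN WAS will
    present; a short host name or lowercase realm in the keytab is the usual
    cause of the TAI failing to find a key at login time."""
    return bool(SPN_RE.match(keytab_principal)) and \
        keytab_principal == service_principal(host, realm)
```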

 

Results

WAS is configured to use the SPNEGO TAI.



Configure the Kerberos configuration properties

Creating the Kerberos keytab file

Configure SPNEGO TAI in WAS

Configure JVM properties and enabling SPNEGO TAI in WebSphere Application Server

Mapping user Ids from client to server for SPNEGO

Filtering HTTP requests for SPNEGO TAI

Kerberos configuration requirements for SPNEGO TAI

 

Related concepts


Single sign-on for HTTP requests using SPNEGO

 

Related tasks


Configure single sign-on capability with SPNEGO TAI

 

Related information


Windows 2000 Active Directory
Windows 2003 Active Directory
Windows 2003 Technical Reference