Creating a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine

You must create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server.

Before you begin

Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).

For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server Version 8.5 on Windows.

Procedure

  1. Create a user account for the WebSphere® Application Server in a Microsoft Active Directory.
    This account is eventually mapped to the Kerberos service principal name (SPN).
  2. On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN).
    This user account represents WebSphere Application Server to the KDC as a Kerberos service. Use the Microsoft setspn command to map the Kerberos service principal name to the Microsoft user account.
  3. Create the Kerberos keytab file and make it available to WebSphere Application Server.

    Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).

    To make the keytab file available to WebSphere Application Server, copy the krb5.keytab file from the Domain Controller (LDAP machine) to the WebSphere Application Server machine. Read about Creating a Kerberos service principal name and keytab file for more information.
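The three steps above, carried out as a PowerShell session on the domain controller. This is an added example and not part of the IBM documentation; the realm EXAMPLE.COM, NetBIOS domain EXAMPLE, service account was_svc and host was01.example.com are placeholders to replace with your own values, and the ActiveDirectory PowerShell module is assumed to be installed on the domain controller.

```powershell
# Added example, not IBM's own code. All names are placeholders for your environment.
Import-Module ActiveDirectory

$Realm   = 'EXAMPLE.COM'        # Kerberos realm: the Active Directory domain name, upper-case
$Domain  = 'EXAMPLE'            # NetBIOS name of the domain
$Account = 'was_svc'            # user account that represents WebSphere Application Server to the KDC
$WasHost = 'was01.example.com'  # fully qualified host name of the WebSphere Application Server machine
$Spn     = "HTTP/$WasHost"      # SPN that browsers request for SPNEGO web authentication

# Step 1: create the user account. Reading the password interactively keeps it out of shell history.
$Password = Read-Host -Prompt "Password for $Account" -AsSecureString
New-ADUser -Name $Account -SamAccountName $Account -UserPrincipalName "$Account@$Realm" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256   # lets the account hold AES keys, which step 3 relies on

# Step 2: map the SPN to the account. setspn -S refuses to register an SPN that already exists
# elsewhere in the domain; a duplicate SPN makes Kerberos authentication to the host fail.
setspn -S $Spn "$Domain\$Account"
setspn -L $Account               # verify: the HTTP/ SPN must be listed for this account

# Step 3: generate the keytab. ktpass -mapuser resets the account password to the value entered
# at the -pass * prompt, so enter the password chosen in step 1. KRB5_NT_PRINCIPAL is the
# principal type used in a standard krb5.keytab.
$Keytab = "$env:TEMP\krb5.keytab"
ktpass -princ "$Spn@$Realm" -mapuser "$Domain\$Account" -pass * `
    -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out $Keytab

# The keytab holds the service's long-term key: strip inherited permissions and leave only
# Administrators with access before it is copied to the WebSphere machine.
icacls $Keytab /inheritance:r /grant:r "Administrators:F"
```

Transfer the resulting krb5.keytab to the WebSphere Application Server machine over an encrypted channel, apply equally restrictive file permissions there, and delete the copy left on the domain controller. Anyone who can read the keytab can impersonate the service, so treat it with the same care as the account password.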

Results

WebSphere Application Server can use the Kerberos keytab file, which contains the keys of the Kerberos service principal, to authenticate users against Microsoft Active Directory using the mapped Kerberos account.