Creating a single sign-on for HTTP requests using SPNEGO Web authentication

Creating single sign-on (SSO) for HTTP requests using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server requires several distinct but related tasks. When they are completed, HTTP users log in and authenticate to the Microsoft domain controller only once, at their desktop, and are then authenticated automatically by WebSphere Application Server.

Before you begin

Important:
  • SPNEGO SSO is also known as Integrated Windows Authentication (IWA) on the Windows platform.
  • WebSphere Application Server supports SPNEGO for IWA, but not Kerberos or NT LAN Manager (NTLM) on their own.
  • In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated in WebSphere Application Server Version 7.0. SPNEGO web authentication has taken its place and provides the following enhancements:
    • You can configure and enable SPNEGO web authentication and its filters on the WebSphere Application Server side by using the administrative console.
    • SPNEGO configuration can be reloaded dynamically without stopping and restarting the application server.
    • If SPNEGO web authentication fails, the request falls back to the application's own login method.

    You can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.

Read about SPNEGO single sign-on for a better understanding of what SPNEGO Web Authentication is and how it is supported in this version of WebSphere Application Server.

Before starting this task, complete the following checklist:

  • [Windows] A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server Version 8.5 on Windows.
  • [Windows] A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Microsoft Internet Explorer Version 5.5 or later and Mozilla Firefox Version 1.0 qualify as such clients.
    Important: A running domain controller and at least one client machine in that domain are required. Using SPNEGO directly from the domain controller is not supported.
  • The domain member has users who can log on to the domain. Specifically, you need a functioning Microsoft Windows Active Directory domain that includes:
    • Domain controller
    • Client workstation
    • Users who can log in to the client workstation
  • A server platform with WebSphere Application Server running and application security enabled.
  • Users in the Active Directory must be able to access WebSphere Application Server protected resources using a native WebSphere Application Server authentication mechanism.
  • The domain controller and the host of WebSphere Application Server should have the same local time.
  • Ensure that the clocks on the clients, Microsoft Active Directory and WebSphere Application Server are synchronized to within five minutes; Kerberos rejects tickets whose timestamps fall outside the permitted skew.
  • Be aware that you must enable SPNEGO in the client browsers on the client machine. You do this task in the procedure when you configure the client application on the client application machine.

About this task

The objective of this machine arrangement is to permit users to successfully access WebSphere Application Server resources without having to authenticate again and thus achieve Microsoft Windows desktop single sign-on capability.

Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities that are performed on three distinct machines:
  • A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
  • A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
  • A server platform with WebSphere Application Server running.

Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication:

Procedure

  1. Create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine.
     Configure the Microsoft Windows Server that runs the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC) so that it can create single sign-ons for HTTP requests using SPNEGO web authentication for WebSphere® Application Server. Read the Configuring your domain controller machine to create single sign-ons for HTTP requests using SPNEGO article for more information.
  2. Create a Kerberos configuration file.
     The IBM® implementation of the Java™ Generic Security Service (JGSS) and KRB5 require a Kerberos configuration file (krb5.conf or krb5.ini) on each node or Java virtual machine (JVM). In this release of WebSphere Application Server, this configuration file should be placed in the config/cells/<cell_name> directory so that all application servers can access it. If you do not have a Kerberos configuration file, use a wsadmin command to create one. Read the Creating a Kerberos configuration article for more information.
  3. Configure and enable SPNEGO web authentication using the administrative console on your WebSphere Application Server machine.
     You can enable and configure the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authenticator for the application server by using the administrative console on the WebSphere Application Server machine. Read the Enabling and configuring SPNEGO web authentication using the administrative console article for more information.
  4. Configure the client application on the client application machine.
     Client-side applications are responsible for generating the SPNEGO token. You begin this configuration process by configuring your web browser to use SPNEGO authentication. Read the Configuring the client browser to use SPNEGO article for more information.
  5. Create SPNEGO tokens for J2EE, .NET, Java, and web service clients for HTTP requests (optional).
     You can create a Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) token for your applications and insert this token into the HTTP headers to authenticate to WebSphere Application Server. Read the Creating SPNEGO tokens for J2EE, .NET, Java, web service clients for HTTP requests article for more information.
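The page notes that the application server accepts SPNEGO tokens but not Kerberos or NTLM on their own, and that clients place the token in the HTTP headers. The following Python check is an added example, not part of this IBM page or of WebSphere, that inspects an Authorization: Negotiate header and reports which mechanism the client actually sent; it is useful when diagnosing IWA logins that fall back to the application login. The sample headers and the inner token bytes are constructed placeholders, not real tickets.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside a GSS-API InitialContextToken
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2 (SPNEGO, RFC 2478/4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"              # raw NTLM messages start with this

def _der_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_negotiate_header(header_value):
    """Return 'spnego', 'kerberos', 'ntlm' or 'unknown' for an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    if tok.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # RFC 2743 InitialContextToken: tag 0x60, length, mechanism OID (tag 0x06), inner token
    if len(tok) < 4 or tok[0] != 0x60:
        return "unknown"
    try:
        _, i = _der_length(tok, 1)
        if tok[i] != 0x06:
            return "unknown"
        oid_len, j = _der_length(tok, i + 1)
    except IndexError:
        return "unknown"
    oid = tok[j:j + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"

def _constructed_token(oid, inner):
    """Build a constructed InitialContextToken for the samples (short-form lengths only)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

# Constructed sample headers; inner token bytes are placeholders, not real Kerberos data.
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(_constructed_token(SPNEGO_OID, b"\xa0\x02\x30\x00")).decode(),
    "kerberos": "Negotiate " + base64.b64encode(_constructed_token(KRB5_OID, b"\x01\x00")).decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8).decode(),
    "basic": "Basic dXNlcjpwYXNzd29yZA==",
}
```

Run `classify_negotiate_header` over the Authorization headers in a proxy or access log: an "ntlm" or "kerberos" result explains an SPNEGO failure on the server side, and a "basic" or "unknown" result points at a browser that has not been enabled for SPNEGO.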