Creating a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
Creating single sign-ons for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere® Application Server requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate only once at their desktop and are authenticated automatically by WebSphere Application Server.
Before you begin
In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
Before starting this task, complete the following checklist:
- A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For information on the supported Microsoft Windows Servers, see the System Requirements for WebSphere Application Server Version 8.5 on Windows.
- A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Microsoft Internet Explorer Version 5.5 or later and Mozilla Firefox Version 1.0 qualify as such clients.
Important: A running domain controller and at least one client machine in that domain are required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain.
Specifically, you need to have a functioning Microsoft Windows active directory domain that includes:
- Domain controller
- Client workstation
- Users who can log in to the client workstation
- A server platform with WebSphere Application Server running and application security enabled.
- Users on the active directory must be able to access WebSphere Application Server protected resources using a native WebSphere Application Server authentication mechanism.
- The domain controller and the host of WebSphere Application Server should have the same local time.
- Ensure that the clocks on the clients, Microsoft Active Directory, and WebSphere Application Server are synchronized to within five minutes.
- Be aware that client browsers have to be SPNEGO enabled, which you perform on the client application machine (with details explained in step 2 of this task).
About this task
The objective of this machine arrangement is to permit users to successfully access WebSphere Application Server resources without having to reauthenticate and thus achieve Microsoft Windows desktop single sign-on capability.
- Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC)
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WebSphere Application Server running.
Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO: