[8.5.5.22 or later]

Configuring Kerberos constrained delegation for outbound SPNEGO tokens in WebSphere Application Server

You can configure WebSphere Application Server to support Kerberos constrained delegation for outbound SPNEGO tokens.

Before you begin

Make sure that SPNEGO web authentication is configured.

Use IBM® SDK 1.8 or later.

About this task

You can configure the Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation, with the administrative console.

The following steps use the same example system setup that is used in Enabling and configuring SPNEGO web authentication using the administrative console and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.

The procedure to configure Kerberos constrained delegation is also available on the Microsoft Docs website; see How to configure Kerberos Constrained Delegation for Web Enrollment proxy pages.

Restriction: The constrained delegation credential is not serializable, so it cannot propagate to the downstream server. Therefore, you must ensure that the WEB_INBOUND, RMI_INBOUND, and RMI_OUTBOUND security attribute propagation options are disabled. For more information about disabling these options, see Propagating security attributes among application servers.

Procedure

  1. On the Microsoft domain controller, update the service principal name (SPN) that you use to validate the incoming SPNEGO token for a client trusted to authenticate for delegation.
    For example, update the HTTP/myappserver.austin.ibm.com SPN as follows:
    • To use S4U2proxy:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl attribute so that the Trusted for auth delegation flag (0x1000000, the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION value) is set.
      4. Set the trusted service.
        1. Open the Delegation tab in the user account.
        2. Select Trust this user for delegation to specified services only.
        3. Select Use any authentication protocol.
        4. Click Add to add the trusted service.
        5. Click Users or Computers.
        6. Enter the SPN to be used for the trusted service.
        7. Click Check Names and verify that the appropriate object name was found.
        8. Click OK.
        9. Select the SPN specified and click OK.
    • To use S4U2self:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl attribute so that the Trusted for auth delegation flag (0x1000000, the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION value) is set.
      4. Set the trusted service.
        1. Open the Delegation tab in the user account.
        2. Select Trust this user for delegation to specified services only.
        3. Select Use any authentication protocol.
        4. Click Add to add the trusted service.
        5. Click Users or Computers.
        6. Enter the SPN to be used for the trusted service.
        7. Click Check Names and verify that the appropriate object name was found.
        8. Click OK.
        9. Select the SPN specified and click OK.
  2. On WebSphere Application Server, enable constrained delegation.
    1. Use S4U2proxy for inbound SPNEGO web authentication.
      1. Set the property com.ibm.websphere.security.krb.s4U2proxyEnabled to true.
      2. Create the outbound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and WebSphere Application Server by using the S4U2proxy API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization().
    2. Use S4U2self for all inbound authentication mechanisms (other than SPNEGO web authentication).
      1. Set the property com.ibm.websphere.security.krb.s4U2selfEnabled to true.
      2. Create the outbound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and WebSphere Application Server, by using the S4U2self API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self().
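A servlet that carries out step 2a end to end, as an added example that is not part of the IBM documentation: it takes the user authenticated by inbound SPNEGO, asks SpnegoHelper for an outbound SPNEGO token for a configured target SPN, and forwards the request with that token as the Authorization header. The four-parameter signature (upn, targetServiceSpn, lifetime, delegate), the TARGET_SPN and TARGET_URL values, and the "Negotiate" form of the returned string are assumptions; check them against the SpnegoHelper Javadoc for your release.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSCredential;
import com.ibm.websphere.security.s4u2proxy.SpnegoHelper;

// Calls a back end on behalf of the SPNEGO-authenticated caller using S4U2proxy.
// Requires com.ibm.websphere.security.krb.s4U2proxyEnabled=true and the step 1 settings.
public class DelegatingProxyServlet extends HttpServlet {
    // Assumed values: the SPN allowed under "Trust this user for delegation to
    // specified services only", and the URL that service answers on.
    private static final String TARGET_SPN = "HTTP/backend.austin.ibm.com";
    private static final String TARGET_URL = "https://backend.austin.ibm.com/app/resource";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // WebSphere already validated the inbound SPNEGO token; the principal is the caller's UPN.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String upn = req.getUserPrincipal().getName();
        String authorization;
        try {
            // Assumed signature: (upn, targetServiceSpn, lifetime, delegate); delegate=false so
            // the back end receives no forwardable credential for the user.
            authorization = SpnegoHelper.buildS4U2proxyAuthorization(
                    upn, TARGET_SPN, GSSCredential.INDEFINITE_LIFETIME, false);
        } catch (Exception e) {
            // The KDC refuses S4U2proxy when step 1 is incomplete: fail closed instead of
            // falling back to the server's own credential, which would mask the misconfiguration.
            log("S4U2proxy token request failed for " + upn, e);
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
            return;
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(TARGET_URL).openConnection();
        conn.setRequestProperty("Authorization", authorization); // expected "Negotiate <base64>"
        resp.setStatus(conn.getResponseCode());
        try (InputStream in = conn.getResponseCode() >= 400 ? conn.getErrorStream() : conn.getInputStream();
             OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
        }
    }
}
```

For the S4U2self path of step 2b, replace the call with buildS4U2proxyAuthorizationUsingS4U2self() and set com.ibm.websphere.security.krb.s4U2selfEnabled instead; the rest of the servlet is unchanged.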

Results

Your application is now ready to call the API provided by the constrained delegation feature.