You can configure WebSphere Application Server to support Kerberos constrained delegation for outbound SPNEGO tokens.
About this task
You can configure the Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation, with the administrative console.
The following steps use the same example system setup that is used in Enabling and configuring SPNEGO web authentication using the administrative console and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.
The procedure to configure Kerberos constrained delegation is also available on the Microsoft Docs website; see How to configure Kerberos Constrained Delegation for Web Enrollment proxy pages.
Restriction: The constrained delegation credential is not serializable, so it cannot propagate to the downstream server. Therefore, you must ensure that the WEB_INBOUND, RMI_INBOUND, and RMI_OUTBOUND security attribute propagation options are disabled. For more information about disabling these options, see Propagating security attributes among application servers.
Procedure
- On the Microsoft domain controller, update the service principal name (SPN) that you use to validate the incoming SPNEGO token for a client trusted to authenticate for delegation. For example, update the HTTP/myappserver.austin.ibm.com SPN as follows:
  - To use S4U2proxy:
    - Open the user account that is mapped to the delegate SPN.
    - Open the Attribute Editor tab.
    - Modify the userAccountControl property: Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
    - Set the trusted service:
      - Open the Delegation tab in the user account.
      - Select Trust this user for delegation to specified services only.
      - Select Use any authentication protocol.
      - Click Add to add the trusted service.
      - Click Users or Computers.
      - Enter the SPN to be used for the trusted service.
      - Click Check Names and verify that the appropriate object name was found.
      - Click OK.
      - Select the SPN specified and click OK.
  - To use S4U2self:
    - Open the user account that is mapped to the delegate SPN.
    - Open the Attribute Editor tab.
    - Modify the userAccountControl property: Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
    - Set the trusted service:
      - Open the Delegation tab in the user account.
      - Select Trust this user for delegation to specified services only.
      - Select Use any authentication protocol.
      - Click Add to add the trusted service.
      - Click Users or Computers.
      - Enter the SPN to be used for the trusted service.
      - Click Check Names and verify that the appropriate object name was found.
      - Click OK.
      - Select the SPN specified and click OK.
- On WebSphere Application Server, enable constrained delegation.
  - Use S4U2proxy for inbound SPNEGO web authentication:
    - Set the property com.ibm.websphere.security.krb.s4U2proxyEnabled to true.
    - Create the outbound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and WebSphere Application Server, by using the S4U2proxy API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization().
  - Use S4U2self for all inbound authentication mechanisms (other than SPNEGO web authentication):
    - Set the property com.ibm.websphere.security.krb.s4U2selfEnabled to true.
    - Create the outbound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and WebSphere Application Server, by using the S4U2self API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self().
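As an added example that is not part of the IBM documentation, the following application-side helper shows how code deployed on the WebSphere server would use the S4U2proxy API from the last step to call a back end on behalf of the SPNEGO-authenticated caller. It assumes the SpnegoHelper signature buildS4U2proxyAuthorization(String upn, String targetServiceSpn, int lifetime, boolean delegate) returning a ready-to-send "Negotiate <token>" header value (check the Javadoc of your WebSphere version), and HTTP/backend.example.com is a placeholder SPN.

```java
// Added example, not IBM's code. Assumes the SpnegoHelper signature
//   buildS4U2proxyAuthorization(String upn, String targetServiceSpn, int lifetime, boolean delegate)
// returns a "Negotiate <base64>" Authorization header value. Host names and SPNs
// are placeholders; verify the signature against your WebSphere Javadoc.
import com.ibm.websphere.security.s4u2proxy.SpnegoHelper;
import java.net.HttpURLConnection;
import java.net.URL;

public class DelegatedBackendCall {
    // Placeholder SPN of the back end; it must be listed among the services the
    // WebSphere service account is allowed to delegate to (Delegation tab above).
    private static final String BACKEND_SPN = "HTTP/backend.example.com";
    // Short lifetime (seconds): a delegated ticket only needs to cover this request.
    private static final int TOKEN_LIFETIME_SECONDS = 300;

    /**
     * Calls the back end as the already-authenticated caller (callerUpn, for
     * example obtained from WSSubject.getCallerPrincipal() after SPNEGO login).
     * Requires com.ibm.websphere.security.krb.s4U2proxyEnabled=true and an
     * inbound request that was authenticated with a SPNEGO token.
     */
    public static int callBackend(String callerUpn, URL backendUrl) throws Exception {
        String authz;
        try {
            // Last argument (assumed to request onward delegation by the back end)
            // is false: the back end gets a ticket for itself, nothing more.
            authz = SpnegoHelper.buildS4U2proxyAuthorization(
                    callerUpn, BACKEND_SPN, TOKEN_LIFETIME_SECONDS, false);
        } catch (Exception e) {
            // Typical causes: inbound auth was not SPNEGO, the account is not trusted
            // to authenticate for delegation, or BACKEND_SPN is not in its allowed list.
            throw new IllegalStateException("S4U2proxy token could not be built for " + callerUpn, e);
        }
        if (authz == null || !authz.startsWith("Negotiate ")) {
            throw new IllegalStateException("unexpected Authorization header format");
        }
        HttpURLConnection conn = (HttpURLConnection) backendUrl.openConnection();
        conn.setRequestMethod("GET");
        // Never log authz: it is a credential that impersonates callerUpn at the back end.
        conn.setRequestProperty("Authorization", authz);
        return conn.getResponseCode();
    }
}
```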
Results
Your application is now ready to call the API provided by the constrained delegation feature.