Configuring WebSEAL to enable Kerberos single sign-on

To enable Kerberos single sign-on for a junction, set the value of the kerberos-sso-enable entry in the [junction] stanza to yes.

About this task

For more information about the [junction] stanza, see the Reference topics in the IBM® Knowledge Center.

Procedure

  1. From the top menu, select Secure Web Settings > Manage > Reverse Proxy.
  2. Create a new WebSEAL instance.
  3. Select the instance.
  4. Click Manage > Configuration File.
  5. Locate the [junction] stanza.
  6. Update the configuration items accordingly. For example:
    kerberos-sso-enable = yes
    kerberos-keytab-file = webseal.keytab
    kerberos-principal-name = HTTP/webseal@AD_DOMAIN
    kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
    Note: These SPNs are set in Active Directory as described in Creating the WebSEAL user in Active Directory. The domain names are case-sensitive and must be uppercase.

    To extend Kerberos SSO support to users on domains other than the WebSEAL service account domain, use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN).

  7. Click Save.
  8. Deploy the changes.
  9. Restart the WebSEAL instance.
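The checks below are an added example, not part of this topic or of the WebSEAL product: a small validator for the [junction] entries listed in step 6 that flags a missing keytab entry, a principal that is not of the form service/host@REALM, and a realm that is not uppercase (the case rule from the note above). The stanza text is constructed here; the function name check_kerberos_sso is hypothetical.

```python
import configparser
import re
from typing import List

# Constructed sample of the [junction] stanza using the values from step 6.
GOOD_STANZA = """
[junction]
kerberos-sso-enable = yes
kerberos-keytab-file = webseal.keytab
kerberos-principal-name = HTTP/webseal@AD_DOMAIN
kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
"""

# Constructed variant with two defects: no keytab entry and a lowercase realm.
BAD_STANZA = """
[junction]
kerberos-sso-enable = yes
kerberos-principal-name = HTTP/webseal@ad_domain.com
kerberos-service-name = HTTP/target_service.ad_domain.com@AD_DOMAIN.COM
"""

# service/host@REALM (the host part may itself contain dots).
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^@]+)@(.+)$")


def check_kerberos_sso(config_text: str) -> List[str]:
    """Return the problems found in the [junction] Kerberos SSO settings.

    An empty list means every check passed. strict=False tolerates the
    repeated keys that WebSEAL configuration files may contain elsewhere.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    if not cp.has_section("junction"):
        return ["missing [junction] stanza"]
    j = cp["junction"]
    if j.get("kerberos-sso-enable", "no").strip().lower() != "yes":
        return ["kerberos-sso-enable is not 'yes'; Kerberos SSO is off"]
    problems = []
    if not j.get("kerberos-keytab-file", "").strip():
        problems.append("kerberos-keytab-file is not set")
    for key in ("kerberos-principal-name", "kerberos-service-name"):
        m = PRINCIPAL_RE.match(j.get(key, "").strip())
        if not m:
            problems.append(f"{key} is missing or not of the form service/host@REALM")
            continue
        realm = m.group(3)
        if realm != realm.upper():  # realm names are case-sensitive (see note)
            problems.append(f"{key}: realm {realm!r} must be uppercase")
    return problems
```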