Configuring Windows desktop single sign-on support

Configure IBM® InfoSphere® Information Server so that when users sign in to the Microsoft Windows desktop, they are automatically signed in to IBM InfoSphere Information Governance Catalog.

This configuration uses Microsoft Active Directory as a Lightweight Directory Access Protocol (LDAP) server and the Kerberos authentication protocol with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication service. This service enables InfoSphere Information Governance Catalog and a client web browser to prove their identities to one another in a secure manner.

For a better understanding of what SPNEGO web authentication is and how it is supported in WebSphere® Application Server, see Single sign-on for HTTP requests using SPNEGO authentication.

Before you begin

  • InfoSphere Information Server must be installed.
  • IBM WebSphere Application Server Network Deployment must be used. IBM WebSphere Application Server Liberty Profile does not support this configuration.
  • InfoSphere Information Server must be configured to use Microsoft Active Directory as an LDAP server for the user registry. For more information about configuring LDAP as the user registry, see Switching to an LDAP user registry when using WebSphere Application Server Network Deployment.
  • You must have administrative privileges on WebSphere Application Server, InfoSphere Information Server, and the Microsoft Windows Server that hosts Active Directory.
  • The Active Directory instance that is used as the LDAP user registry must run on Microsoft Windows Server 2003 or later. For more information about specific software and hardware requirements, see WebSphere Application Server detailed system requirements.

Procedure

  1. Create a Kerberos SPN and keytab file on the Microsoft domain controller that hosts Microsoft Active Directory.
  2. Create a Kerberos configuration file.
  3. Configure WebSphere Application Server to use SPNEGO.
  4. Configure web browsers to use SPNEGO.
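
As an illustration of step 1 only, the following PowerShell sketch is an added example and is not taken from the IBM documentation. It shows one way to create the SPN and keytab on the domain controller, with a duplicate-SPN check and a locked-down keytab. The host name, realm, service account, and keytab path are constructed placeholders, and the AES256 setting assumes that both the domain and the WebSphere JDK support it.

```powershell
# Constructed values for illustration only; none of them come from the IBM page.
$WasHost = 'igc.example.com'              # FQDN that users type into the browser
$Realm   = 'EXAMPLE.COM'                  # Kerberos realm (AD domain, upper case)
$SvcUser = 'svc-was-spnego'               # dedicated, non-interactive AD account
$Keytab  = 'C:\secure\was-spnego.keytab'  # output path on the domain controller
$Spn     = "HTTP/$WasHost"

Import-Module ActiveDirectory
$svc = Get-ADUser -Identity $SvcUser

# A duplicate SPN leaves the KDC unable to pick one account, so no service ticket
# is issued and SPNEGO fails. Stop if any other object already owns this SPN.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" |
            Where-Object { $_.DistinguishedName -ne $svc.DistinguishedName })
if ($owners.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($owners.DistinguishedName -join '; ')"
}

# Assumption: the domain and the WebSphere JDK both support AES256. If they do not,
# pick the strongest encryption type both sides share rather than DES.
Set-ADUser -Identity $svc -KerberosEncryptionType AES256

# ktpass maps the SPN to the account and writes the key to the keytab. '-pass *'
# prompts for the password so it never appears on the command line or in history.
& ktpass -out $Keytab -princ "$Spn@$Realm" -mapuser "$SvcUser@$Realm" -mapOp set `
         -pass '*' -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# The keytab holds the account's long-term key: anyone who can read the file can
# impersonate the service. Drop inherited ACLs and leave administrators only.
& icacls $Keytab /inheritance:r /grant:r 'BUILTIN\Administrators:F'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Confirm the mapping before moving on to the Kerberos configuration file.
& setspn -L $SvcUser
```

Copy the keytab to the WebSphere Application Server host over an encrypted channel, and apply equally restrictive file permissions there.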