Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Implement single sign-on to minimize web user authentications > Create a single sign-on for HTTP requests using SPNEGO Web authentication > 1. Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
Create a Kerberos service principal (SPN) and keytab file on your Microsoft domain controller machine
Create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WAS. Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For information on the supported Microsoft Windows Servers, see the System Requirements for WAS v8.0 on Windows.
Procedure
- Create a user account for the WAS in a Microsoft Active Directory. This account is eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents the WAS as being a Kerberos service with the KDC. Use the Microsoft setspn command to map the Kerberos service principal name to a Microsoft user account.
- Create the Kerberos keytab file and make it available to WAS. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab).
You make the keytab file available to WAS by copying the krb5.keytab file from the Domain Controller (LDAP machine) to the WAS machine. Read about Create a Kerberos service principal name and keytab file for more information.
What to do next
After we have configured your domain controller, the following results must occur:
- A user account is created in the Microsoft Active Directory and mapped to a Kerberos service principal name.
- A Kerberos keytab file (krb5.keytab) is created and made available to the WAS. The Kerberos keytab file contains the Kerberos service principal keys WAS uses to authenticate the user in the Microsoft Active Directory and the Kerberos account.
Related
Set SPNEGO web authentication filters
SPNEGO web authentication enablement
SPNEGO web authentication filter values
Create a Kerberos service principal name and keytab file
Configure Kerberos as the authentication mechanism
Create a single sign-on for HTTP requests using SPNEGO Web authentication
Related
CSIv2 inbound communications settings
CSIv2 outbound communications settings
SPNEGO web authentication configuration commands
SPNEGO web authentication filter commands
System Requirements for WAS v8.0 on Windows