Creating a single sign-on for HTTP requests using SPNEGO Web authentication
Creating a single sign-on for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WAS requires several distinct but related tasks. When they are complete, HTTP users log in and authenticate to the Microsoft domain controller only once, at their desktop, and are then authenticated to WAS automatically.
WAS v6.1 introduced a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources. That TAI was deprecated in WAS v7.0. SPNEGO web authentication has taken its place and provides the following enhancements:
- We can configure and enable SPNEGO web authentication and its filters on the WAS server side.
- Dynamic reload of SPNEGO is provided without the need to stop and restart the WAS server.
- Fallback to an application login method is provided if the SPNEGO web authentication fails.
We can enable either SPNEGO TAI or SPNEGO Web Authentication but not both.
Read Single sign-on for HTTP requests using SPNEGO web authentication for a better understanding of what SPNEGO web authentication is and how this version of WAS supports it.
Before starting this task, complete the following checklist:
- A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For information on the supported Microsoft Windows Servers, see the System Requirements for WAS v8.0 on Windows.
- A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478 (since obsoleted by RFC 4178). Microsoft Internet Explorer v5.5 or later and Mozilla Firefox v1.0 qualify as such clients.
A running domain controller and at least one client machine in that domain is required. Using SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. Specifically, you need to have a functioning Microsoft Windows active directory domain that includes:
- Domain controller
- Client workstation
- Users who can log in to the client workstation
- A server platform with WAS running and application security enabled.
- Users defined in Active Directory must already be able to access WAS protected resources using a native WAS authentication mechanism; SPNEGO only replaces the login step, it does not replace the user registry lookup.
- The domain controller, the WAS host and the client machines must have synchronized clocks. Kerberos rejects tickets and authenticators whose timestamps differ from the receiving host's clock by more than the permitted skew, which defaults to five minutes.
- Be aware that client browsers must be SPNEGO enabled; you do this on the client application machine (details are in procedure 4, "Configure the client application on the client application machine").
The objective of this arrangement is to let users access WAS resources without authenticating a second time, which is what Microsoft Windows desktop single sign-on means here.
Configuring the members of this environment to establish Microsoft Windows single sign-on involves specific activities on three distinct machines:
- A Microsoft Windows server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WAS running.
Continue with the following steps to create a single sign-on for HTTP requests using SPNEGO Web authentication:
Procedure
- Create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine
- Create a Kerberos configuration file
- Configure and enable SPNEGO web authentication on your WAS machine
- Configure the client application on the client application machine
- Create SPNEGO tokens for J2EE, .NET, Java and web service clients for HTTP requests (optional)
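The five steps above are only listed on this page. As an added example, not taken from the product documentation, the following PowerShell shows what steps 1, 2 and 4 look like when typed in on the three machines, using hypothetical names throughout: realm EXAMPLE.COM, domain controller dc1.example.com, WAS host was.example.com, Active Directory service account EXAMPLE\was-svc, the account that runs the WAS process EXAMPLE\was-run, and the paths C:\WebSphere\krb5.conf and C:\WebSphere\krb5.keytab. Step 3 (enabling SPNEGO inside WAS) and the optional step 5 are left to their own procedures because this page does not show their settings.

```powershell
# Added example, not from the IBM documentation. All names are hypothetical:
#   realm EXAMPLE.COM, KDC/domain controller dc1.example.com,
#   WAS host was.example.com, AD service account EXAMPLE\was-svc,
#   WAS run-as account EXAMPLE\was-run, keytab C:\WebSphere\krb5.keytab.

# ---------------------------------------------------------------------
# Step 1: run on the domain controller (needs the AD tools setspn/ktpass).
# ---------------------------------------------------------------------
# The SPN must name the host exactly as browsers address WAS (an A record,
# not a CNAME); a mismatch makes the client ask the KDC for a ticket that the
# keytab cannot decrypt. -S refuses to register a duplicate SPN in the forest.
setspn -S HTTP/was.example.com EXAMPLE\was-svc

# Export the account's key to a keytab and map the principal to the account.
# '-pass *' prompts instead of leaving the password in the shell history, and
# AES256 requires the account's "supports Kerberos AES 256 bit encryption" flag.
# The keytab is a password equivalent: anyone holding it can impersonate WAS.
ktpass -out C:\temp\was.keytab `
       -princ HTTP/was.example.com@EXAMPLE.COM `
       -mapUser EXAMPLE\was-svc -mapOp set `
       -pass '*' `
       -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
# Copy C:\temp\was.keytab to the WAS host over an authenticated channel and
# delete the local copy afterwards.

# ---------------------------------------------------------------------
# Step 2: run on the WAS host. Write krb5.conf and lock down the keytab.
# ---------------------------------------------------------------------
$krb5Conf = @'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:C:\WebSphere\krb5.keytab
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
'@
Set-Content -Path 'C:\WebSphere\krb5.conf' -Value $krb5Conf -Encoding ASCII

# Only the account that runs the WAS process may read the keytab.
icacls 'C:\WebSphere\krb5.keytab' /inheritance:r /grant:r 'EXAMPLE\was-run:(R)'

# Sanity check: the offset against the KDC must stay well under the 300 s above.
w32tm /stripchart /computer:dc1.example.com /samples:3 /dataonly

# ---------------------------------------------------------------------
# Step 4: run on the client workstation (Internet Explorer).
# ---------------------------------------------------------------------
# IE only sends a Negotiate (SPNEGO) token to sites in the Local intranet
# zone (zone id 1) and only when integrated Windows authentication is on.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\was'
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'http' -Value 1 -PropertyType DWord -Force | Out-Null
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                 -Name 'EnableNegotiate' -Value 1 -Type DWord
# For Firefox the equivalent is the preference
#   network.negotiate-auth.trusted-uris = https://was.example.com
```

Each section is run as an administrator on the machine named in its comment; nothing beyond the first section touches the domain controller. The two points a reviewer should check before signing this off are that the keytab's ACL is restricted to the WAS run-as account (it is the server's Kerberos credential) and that the password was entered at the prompt rather than placed on the command line.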