The web application bridge supports the Simple and Protected GSS-API Negotiation (SPNEGO) as the web authenticator for the application server. SPNEGO support relies on the scenario where IBM® WebSphere Application Server is already configured for SPNEGO web authentication.
The following prerequisites are required for this scenario:
- You installed IBM WebSphere Portal on a Windows™ operating system.
- You are using Microsoft™ Active Directory as your LDAP user registry.
- SPNEGO is already enabled on WebSphere Application Server.
Complete the following steps to support SPNEGO in the web application bridge:
- Enter your user ID and password on the client workstation to log in to the Windows domain.
- Retrieve the ticket granting ticket (TGT) that the Active Directory server (KDC specifically) issues for the Windows domain.
- Access WebSphere Portal through a browser either on the local Windows domain or on a trusted remote Windows domain.
- Choose one of the following options to configure your browser:
  - Firefox: Complete the following steps to configure your Firefox browser:
    - Type about:config in the address bar.
    - Type auth in the Filter field.
    - Set the following two items to your SSO domain:
  - Internet Explorer: Complete the following steps to configure your Internet Explorer browser:
    - Navigate to Tools -> Internet options.
    - Select the Security tab.
    - Select Local intranet.
    - Click Sites.
    - Add the SSO domain.
    - Select the Advanced tab.
    - Verify that the Enable Integrated Windows Authentication checkbox is checked.
    - Click OK.
    - Restart Internet Explorer for your changes to take effect.
- Retrieve the following HTTP challenge from WebSphere Application Server: a 401 status containing the Authenticate: Negotiate header, which the server returns to the browser.
- Ensure that the browser parses the initially requested URL for the host name to construct a Kerberos Service Principal Name (SPN).
- Ensure that the client requests a Kerberos service ticket from the Active Directory server, TGS specifically.
- Retrieve the client identity and access permission from the service ticket.
- Ensure that the browser sends an Authentication HTTP header with the SPNEGO token to WebSphere Application Server.
- Ensure that the WebSphere Application Server SPNEGO Web authentication module parses the SPNEGO token and validates the user identity against the Active Directory server.
- Ensure that WebSphere Application Server sends an HTTP 200 status code with an LTPAToken that is used for further session management.
- Complete the following steps to set up delegation:
  - Open the Active Directory server user properties window.
  - Select the Trust this user for delegation to any service (Kerberos only) option under the Delegation tab for the Active Directory server user ID that the application uses.
    Note: This option is not set for the individual client users. It is only set for the application server ID.
  - Click OK.
  - Open the Windows system properties window.
  - Select the Account tab.
  - Check the Account is trusted for delegation checkbox.
  - Click OK.
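
When single sign-on fails, the negotiation steps above (the 401 challenge, the SPN built from the requested host name, and the token the browser sends back) can be checked from a captured request. The following Python is an added example, not IBM code: it derives the SPN a browser would request and classifies the returned token, flagging the common case where the browser fell back to NTLM instead of presenting a Kerberos service ticket. On the wire the challenge is the `WWW-Authenticate: Negotiate` header and the token travels in the `Authorization` header; the function names and result labels are assumptions made for this example.

```python
import base64
from urllib.parse import urlsplit

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                           # start of every NTLM message

def spn_for_url(url):
    """SPN a browser derives from the requested URL: HTTP/<host>, no port."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("URL has no host name")
    return "HTTP/" + host  # service class is HTTP even for https URLs

def der_contents(buf):
    """Contents of the DER element at the start of buf; ValueError if cut short."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    length, offset = buf[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or len(buf) < 2 + count:
            raise ValueError("bad length")
        length, offset = int.from_bytes(buf[2:2 + count], "big"), 2 + count
    if len(buf) < offset + length:
        raise ValueError("truncated contents")
    return buf[offset:offset + length]

def classify_authorization(value):
    """Classify the value of an Authorization request header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLM_SIG):
            return "ntlm-fallback"  # raw NTLM: no Kerberos service ticket was used
        if token[:1] != b"\x60":    # GSS-API initial token tag
            return "malformed"
        body = der_contents(token)
    except ValueError:              # bad base64 or truncated DER
        return "malformed"
    if body.startswith(KRB5_OID):
        return "kerberos"
    if body.startswith(SPNEGO_OID):
        # Heuristic: an NTLM message carried inside SPNEGO still has its signature.
        return "ntlm-fallback" if NTLM_SIG in body else "spnego"
    return "unknown-mechanism"
```

An `ntlm-fallback` result usually points back to the browser configuration or SPN steps: the site is not in the trusted or intranet list, or no SPN matching `spn_for_url()` is registered for the application server ID.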