Web client configuration for SPNEGO SSO in ELM
ELM web clients require configuration to use SPNEGO authentication.
All browsers that IBM® Engineering Lifecycle Management (ELM) supports also support SPNEGO authentication, but each requires some configuration. For browser configuration instructions, see the following references.
- Configuring the client browser to use SPNEGO, IBM WebSphere® Application Server product documentation (V8.5.5, V9.0.5)
- Appendix B, Configuring web browsers for SPNEGO, in Implementing Kerberos in a WebSphere Application Server Environment
Notes:
- You must configure each browser with the host name and scheme name of the target server where the application is registered.
- You must add the correct schemes (HTTP, HTTPS, or both). For example, the WebSphere Application Server snoop servlet runs on HTTP, while ELM applications, by default, run on HTTPS.
- Google Chrome uses the same configuration settings as Microsoft Internet Explorer.
If WebSphere Application Server is not configured for fallback authentication, users can authenticate with a browser by using SPNEGO if the following conditions are true.
- The user is logged in to Microsoft Active Directory through either Microsoft Windows logon authentication or the kinit utility.
- The client browser is configured correctly.
If WebSphere Application Server is configured for fallback authentication and the web client browser is configured correctly, the user can connect with a browser. The following authentication rules apply.
- If the user is logged in to Active Directory, authentication is immediate.
- If the user is not logged in to Active Directory or the user is denied access (for example, if the user is logged in to Windows with a local user ID, the user did not run the kinit utility on a UNIX client, or the user ticket expired and was not renewed), the user is challenged with basic or form authentication based on how WebSphere Application Server is configured.
- If WebSphere Application Server is configured to also accept client certificates and the browser has a valid certificate in its truststore, the user is prompted to use the certificate. If the user declines the certificate request and the SPNEGO ticket is valid, SPNEGO authentication is in effect.
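To tell which of the rules above a browser request falls under, inspect the Authorization header it sends in reply to the server's 401 Negotiate challenge. The following Python sketch is an added example, not IBM code: it relies on the standard NTLMSSP signature and GSS-API mechanism OIDs, its sample headers are constructed stubs rather than real tickets, and the function names and diagnosis strings are assumptions about typical causes.

```python
import base64

NTLM_MAGIC = b"NTLMSSP\x00"
MECHS = {
    bytes.fromhex("2b0601050502"): "spnego",          # OID 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",  # OID 1.2.840.113554.1.2.2
}
# Assumed typical causes, phrased in terms of the rules on this page.
DIAGNOSIS = {
    "none": "no token sent: check host name and scheme in the browser settings",
    "ntlm": "NTLM token: no Kerberos ticket (local user ID, no kinit, expired)",
    "spnego": "SPNEGO token: browser holds a ticket, SSO can proceed",
    "basic": "basic credentials: fallback authentication was used",
}

def gss_mech_oid(token):
    """Return the mechanism OID bytes of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:                  # [APPLICATION 0] tag
        return None
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)   # skip the DER length
    if pos + 2 > len(token) or token[pos] != 0x06:          # OID tag
        return None
    oid = token[pos + 2 : pos + 2 + token[pos + 1]]
    return oid if len(oid) == token[pos + 1] else None

def classify_authorization(header):
    """Classify the Authorization header sent in reply to a 401 Negotiate."""
    if not header:
        return "none"
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "basic" if scheme.lower() == "basic" else "other"
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLM_MAGIC):
        return "ntlm"
    return MECHS.get(gss_mech_oid(token), "malformed")

def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed stubs: only the leading bytes of each token type, not real tickets.
SAMPLES = [None, negotiate_header(NTLM_MAGIC + b"\x01\x00\x00\x00"),
           negotiate_header(bytes.fromhex("608201000606" "2b0601050502" "a0"))]
if __name__ == "__main__":
    for kind in map(classify_authorization, SAMPLES):
        print(kind, "->", DIAGNOSIS.get(kind, "unexpected header"))
```

Feed it the Authorization value captured from the browser's developer tools or a server trace; a header value beginning with `TlRMTVNT` is the NTLM case.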