Configuring SPNEGO and Kerberos SSO

When a client application wants to authenticate to a remote server, but neither side knows in advance which authentication protocol the other supports, you can use one of several SSO implementations.

About this task

IBM® WebSphere® Application Server provides Kerberos authentication and SSO features that enable interoperability and identity propagation with other applications (such as .NET, Db2®, and others) that support the Kerberos authentication mechanism. With these features, you need to log in only once, and then you can access other applications that support Kerberos authentication. SPNEGO is a standard protocol that is used to negotiate the authentication protocol that is used when a client application wants to authenticate to a remote server.

The following sections cover a set of common scenarios that demonstrate how to use the Kerberos authentication mechanism with IBM WebSphere Application Server:

Configure security role mapping

  1. Log in to the WebSphere Application Server administrative console.
  2. Go to Applications > Application Types > WebSphere enterprise applications. The Enterprise Applications page opens.
  3. In the Enterprise Applications page, click <war_file_name> link. The Security role to user/group mapping page opens.
  4. In the Security role to user/group mapping page, specify the following according to the WAR file, and click OK.
     For ccd.war, mdm_ui.war, and mdm_rest.war:
     1. Select the AllAuth role.
        1. Click Map Special Subjects.
        2. Select All Authenticated in Application's Realms.
     2. Select the LoginUser role.
        1. Click Map Special Subjects.
        2. Select Everyone.
  5. Restart the WebSphere Application Server administrative console and the Appserver on which the Product Master is deployed.

Configure Mozilla Firefox

Proceed as follows to configure Mozilla Firefox.
  1. Open the Mozilla Firefox browser.
  2. In the URL field, enter about:config, and press Enter.
  3. Ignore the warning, and click I accept the risk!.
  4. In the Search field, enter network.negotiate-auth.trusted-uris. This preference lists the trusted sites for Kerberos authentication.
  5. Double-click network.negotiate-auth.trusted-uris.
  6. In the Enter string value field, enter the Fully Qualified Domain Name (FQDN) of the host that is running the Product Master application, and click OK.

Configure Microsoft Internet Explorer

Proceed as follows to configure Microsoft Internet Explorer.
  1. Open the Microsoft Internet Explorer browser and select Tools > Internet Options > Security tab.
  2. Select Trusted sites and click Sites to display the list of trusted sites.
  3. Add the URL for your Persona-based application to enable automatic login, and click Close.
    Note: If required, select Require server verification (https:) for all sites in this zone.
  4. Click Custom level and navigate to User Authentication > Logon.
  5. Select Automatic logon with current user name and password, and click OK.
    Important: Avoid accessing the Persona-based UI with the Microsoft Internet Explorer 11 browser when SPNEGO is enabled. Although the application appears to work, the browser does not send authentication tokens in the request headers and generates an undesired number of authentication tokens.
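Before trusting the browser-side settings above, it helps to confirm that the Product Master host actually answers an unauthenticated request with a 401 and a Negotiate challenge, because that challenge is what triggers the SPNEGO exchange in Firefox or Internet Explorer. The following Python script is an added example, not part of IBM's documentation or product; it includes a constructed loopback stand-in for a SPNEGO-enabled endpoint so it runs offline, and the URL you would really probe is whatever FQDN you entered in the browser configuration.

```python
import http.server
import threading
import urllib.error
import urllib.request


def auth_schemes(www_authenticate_values):
    """Extract the scheme names from a list of WWW-Authenticate header values.
    A SPNEGO-enabled server answers with 'Negotiate'; a value may also carry a
    base64 token after the scheme, which is ignored here."""
    return [v.split()[0] for v in www_authenticate_values if v.strip()]


def spnego_offered(status, www_authenticate_values):
    """True when an unauthenticated request got 401 with a Negotiate challenge,
    the precondition for a SPNEGO-configured browser to send its Kerberos ticket."""
    return status == 401 and any(
        s.lower() == "negotiate" for s in auth_schemes(www_authenticate_values))


def probe(url, timeout=5):
    """Send one GET without credentials; return (status, WWW-Authenticate values)."""
    req = urllib.request.Request(url, headers={"User-Agent": "spnego-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    return status, headers.get_all("WWW-Authenticate") or []


class _FakeSpnegoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a SPNEGO-enabled endpoint, so the demo runs offline."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Run the fake endpoint on a random loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeSpnegoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_address[1]


if __name__ == "__main__":
    status, values = probe(start_fake_server())
    print(status, values, spnego_offered(status, values))  # 401 ['Negotiate'] True
```

A real endpoint that returns 200 or only a Basic challenge means SPNEGO is not active on the server side, and no browser setting will make single sign-on work until that is fixed.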