You must create a Kerberos service principal name (SPN) and keytab file on your Microsoft domain controller machine to support HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server.
Before you begin
Configure the Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
Procedure
- Create a user account for the WebSphere® Application Server in a Microsoft Active Directory. This account is eventually mapped to the Kerberos service principal name (SPN).
- On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). This user account represents WebSphere Application Server to the KDC as a Kerberos service. Use the Microsoft setspn command to map the Kerberos service principal name to the Microsoft user account.
- Create the Kerberos keytab file and make it available to WebSphere Application Server. Use the Microsoft ktpass tool to create the Kerberos keytab file (krb5.keytab). To make the keytab file available to WebSphere Application Server, copy the krb5.keytab file from the Domain Controller (LDAP machine) to the WebSphere Application Server machine.
Read about Creating a Kerberos service principal name and keytab file for more information.
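As an added example that is not part of the IBM documentation, the following PowerShell script carries out the three steps above on the domain controller with setspn and ktpass, then checks the result before copying the keytab. The account name wasspnego, the realm EXAMPLE.COM, the host was01.example.com, and the file paths are assumptions; replace them with your own values.

```powershell
# Added example, not IBM's code: the three procedure steps as PowerShell run on the
# domain controller. Host, realm, account name and paths are assumed placeholders.
Import-Module ActiveDirectory

$AccountName = 'wasspnego'               # assumed service account name
$Realm       = 'EXAMPLE.COM'             # assumed Kerberos realm (upper case)
$WasHost     = 'was01.example.com'       # assumed WAS host name, as clients resolve it
$Spn         = "HTTP/$WasHost"
$KeytabPath  = 'C:\temp\krb5.keytab'     # assumed output path on the controller

# Step 1: create the user account that will represent WebSphere Application Server.
# The password is prompted rather than written into the script; the same value must
# be given to ktpass below, because ktpass -pass resets the account password.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# Step 2: map the SPN to the account. -S refuses to add an SPN that is already
# registered on another account; a duplicate SPN breaks SPNEGO for every client.
setspn -S $Spn $AccountName
if ($LASTEXITCODE -ne 0) { throw "setspn failed; look for a duplicate with: setspn -Q $Spn" }

# Step 3: create the keytab. -mapOp set replaces any existing mapping, -crypto limits
# the keys written to AES256, and -pType KRB5_NT_PRINCIPAL is the standard type for
# a service principal.
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
ktpass -out $KeytabPath -princ "$Spn@$Realm" -mapUser "$AccountName@$Realm" `
    -mapOp set -pass $Plain -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
if ($LASTEXITCODE -ne 0) { throw "ktpass failed" }
Remove-Variable Plain

# Checks before copying: the SPN is on the account and AD shows the mapping.
setspn -L $AccountName
Get-ADUser $AccountName -Properties servicePrincipalName, userPrincipalName |
    Select-Object Name, userPrincipalName, servicePrincipalName

# The keytab holds the service's long-term key, so restrict who can read it on the
# controller, then compare hashes after copying it to the WAS machine.
icacls $KeytabPath /inheritance:r /grant:r "Administrators:(R)" | Out-Null
$Dest = "\\$WasHost\C$\opt\IBM\WebSphere\keytab\krb5.keytab"   # assumed destination path
Copy-Item -Path $KeytabPath -Destination $Dest
if ((Get-FileHash $KeytabPath).Hash -ne (Get-FileHash $Dest).Hash) { throw "keytab copy corrupted" }
```

Because ktpass with -pass sets the account password, the keys in the keytab match the account only until the password is changed again; any later password reset on the account requires regenerating and redistributing krb5.keytab.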
Results
The product can use the Kerberos keytab file, which contains the Kerberos service principal keys, to authenticate the user in Microsoft Active Directory and the Kerberos account.