Creating a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
Creating single sign-on for HTTP requests using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere® Application Server requires several distinct yet related tasks. When they are complete, HTTP users log in and authenticate only once, at their desktop, and are then authenticated automatically by WebSphere Application Server.
Before you begin
Before starting this task, complete the following checklist:
- A Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client), for example a browser or Microsoft .NET client, that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Microsoft Internet Explorer Version 5.5 or later and Mozilla Firefox Version 1.0 qualify as such clients.
  Important: A running domain controller and at least one client machine in that domain are required. Trying to use SPNEGO directly from the domain controller is not supported.
- The domain member has users who can log on to the domain. Specifically, you need to have a functioning Microsoft Windows Active Directory domain that includes:
  - Domain controller
  - Client workstation
  - Users who can log in to the client workstation
- A server platform with WebSphere Application Server running and application security enabled.
- Users on the active directory must be able to access WebSphere Application Server protected resources using a native WebSphere Application Server authentication mechanism.
- The domain controller and the host of WebSphere Application Server should have the same local time.
- Ensure that the clocks on clients, Microsoft Active Directory, and WebSphere Application Server are synchronized to within five minutes.
- Client browsers must be SPNEGO enabled. You do this on the client application machine (details are explained in step 2 of this task).
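One way to confirm from the server side that a client is SPNEGO enabled is to inspect the Authorization: Negotiate header of its first request. The following Python example is added here and is not IBM code or part of the original page; the function names and the constructed sample token are assumptions for illustration, and the NTLM outcomes are included as the usual non-Kerberos results.

```python
import base64

# DER-encoded OIDs (tag, length, body) as they appear inside the token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample: initial token offering two Kerberos OIDs, mechToken omitted.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602606062b0601050502a01c301aa018301606092a864882f712010202"
    "06092a864886f712010202")).decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the value of an HTTP Authorization header from a first request."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO wrapper
            return "raw-ntlm"
        tag, pos, end = read_tlv(tok, 0)    # [APPLICATION 0] GSS-API wrapper
        if tag != 0x60 or tok[pos:pos + 8] != SPNEGO_OID:
            return "not-spnego"
        pos += 8
        # Descend: NegTokenInit [0], SEQUENCE, mechTypes [0], SEQUENCE OF OID.
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = read_tlv(tok, pos)
            if tag != expected:
                return "spnego-other"
        # mechTypes is in preference order; the first entry is the client's choice.
        _, _, oid_end = read_tlv(tok, pos)
        return "spnego-" + MECHS.get(tok[pos:oid_end], "other")
    except (IndexError, ValueError):
        return "malformed"

if __name__ == "__main__":
    print(classify_negotiate(SAMPLE))
```

A result of spnego-kerberos means the browser is offering a Kerberos-backed SPNEGO token; any other result means it is not.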
About this task
The objective of this machine arrangement is to let users access WebSphere Application Server resources without having to reauthenticate, and so achieve Microsoft Windows desktop single sign-on capability. The arrangement consists of the following machines:
- Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC).
- A Microsoft Windows domain member (client application), such as a browser or Microsoft .NET client.
- A server platform with WebSphere Application Server running.
Perform the following steps on the indicated machines to create single sign-on for HTTP requests using SPNEGO.