IBM Tivoli Federated Identity Manager, Version 6.2.2

Configuring Active Directory and WebSphere for constrained delegation

You must configure Active Directory and WebSphere for your Kerberos delegation to work.

About this task

The WebSphere® node agent that hosts the Tivoli® Federated Identity Manager runtime needs to run under a special account in Active Directory in order to have permission to obtain Kerberos tickets for other users and a constrained set of targets. Before your Kerberos delegation trust chain can work, you must complete the following tasks:
  • Create the account.
  • Set the appropriate options.
  • Modify the WebSphere service to use the account.
The following instructions describe how to complete these tasks.

Procedure

  1. Verify that DNS is configured correctly on the Active Directory domain controller.

    The DNS server must be configured for both forward and reverse lookups. Each host in the Active Directory domain must be configured to use the Domain Controller's DNS server.

    To verify, use nslookup commands for both hostname and IP address on computers in the domain. The results of the nslookup commands should show that the domain part of the resolved name is the domain of the domain controller.

  2. Ensure that Time Services are running on all machines in the Active Directory domain and that the clocks of all machines are synchronized.
  3. Verify that the Windows Server 2003 system (or multiple systems, when deployed in a WebSphere cluster) is configured into an Active Directory domain. The server can optionally be a domain controller.
  4. Verify that all domain controllers in the domain are running at the Windows Server 2003 functional level. To do this:
    1. Open the Active Directory Users and Computers control panel.
    2. Right-click on the domain and select Raise Domain Function Level.
    3. Select Windows Server 2003 and click OK.
    The Raise Domain Functional Level window is displayed. It should contain the messages:
    Current domain functional level
    Windows Server 2003
    
    This domain is operating at the highest possible functional level.
  5. On the domain controller, create a user in Active Directory for delegation. The WebSphere server that hosts the Tivoli Federated Identity Manager runtime runs as this user identity.
    1. Create a user, for example, tfimdeleguser. You can choose a different user name; tfimdeleguser is the name used throughout these instructions.
    2. Select the Password never expires check box.
      Note: You can optionally set the password to expire. If you do, then when you change it in the future, you will also need to reset the password for the WebSphere node agent Windows service.
  6. On the domain controller, add the tfimdeleguser user to the Domain Admins group. To verify the settings:
    1. Select Active Directory Users and Computers.
    2. For the domain, click Users and click Domain Admins.
    3. Select the Members tab. Verify that the tfimdeleguser is listed as a group member.
  7. Ensure that the Microsoft Support Tools are installed on the domain controller. For example, to obtain the Windows Server 2003 Service Pack 1 32-bit Support Tools:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

  8. On the domain controller, create a service principal name (SPN) for the user tfimdeleguser. To complete this task:
    1. Open a command prompt on the domain controller where the support tools are installed.
    2. Enter the setspn command.

      The syntax for the command is:

      setspn -A tfim/<tfim_delegation_user> <tfim_delegation_user>

      For example:

       setspn -A tfim/tfimdeleguser tfimdeleguser
  9. On the domain controller, go to Active Directory Users and Computers and open the properties for the user tfimdeleguser.
    1. Select the Delegation tab.
      Note: If you do not see the Delegation tab, return to the previous step and ensure that the setspn command runs successfully.
    2. Select the Trust this user for delegation to specified services only radio button.
    3. Select the Use any authentication protocol radio button.
    4. Click the Add button on the Delegation tab.
    5. Add the target services to which tfimdeleguser can delegate. These are the target services for constrained delegation. In this example, the target service is the IIS Web server, which runs as a domain user.
    6. Click the Users or Computers button to search for particular services.
    7. Select the domain user (service) that runs as the IIS server for the WebSEAL Kerberos junction.
    When you are finished, the Delegation tab should show a target service in the window Services to which this account can present delegated credentials.

    For example, the window could show a Service Type of HTTP, with User or Computer showing a host and domain name such as mydataserver.example.com

    Select the HTTP/mydataserver.example.com entry. Click OK to continue.

  10. Add the tfimdeleguser user to the Windows Authorization Access Group object. To do this:
    1. Open the Active Directory Users and Computers panel.
    2. Select the Builtin object under the domain.
    3. Locate the Windows Authorization Access Group object.
    4. Right-click and select Properties. Select the Members tab.
    5. Click Add and add the delegation user (in our example, tfimdeleguser) as a member.
  11. Grant the delegation user (tfimdeleguser) the Act as part of the operating system privilege.

    The actual process that must run as a Windows service depends on the WebSphere environment:

    • In a standalone environment, the service is the WebSphere Application Server that runs the Tivoli Federated Identity Manager runtime.
    • In a cluster environment, the service is the WebSphere Application Server that runs the WebSphere node agent for the Tivoli Federated Identity Manager runtime.
    Note: For a cluster environment, this step must be repeated on every machine that hosts a node member of the WebSphere cluster running the Tivoli Federated Identity Manager runtime.
    To do this:
    1. Access the menu appropriate for your deployment:
      • On the domain controller, select Start > Programs > Administrative Tools > Domain Security Policy.
      • On a non-domain controller computer, select Start > Programs > Administrative Tools > Local Security Policy.
    2. Expand Local Policies.
    3. Select User Rights Assignment > Act as part of the operating system.
    4. Right-click and select Properties.
    5. Click the Define these policy settings check box.
    6. Click Add user or group to add the delegation user (tfimdeleguser) to the list of users authorized to act as part of the operating system.
    7. Click OK.
  12. Grant the delegation user (tfimdeleguser) the necessary privileges:
    • When the Tivoli Federated Identity Manager application is running on a member of the domain, grant the user the Log on as a service privilege on the local machine.
    • When the Tivoli Federated Identity Manager application is running on the domain controller, grant the user the Log on as a service privilege on the domain controller.
    1. Return to the Security Policy menu opened in the previous step.
    2. Select User Rights Assignment > Log on as a service.
    3. Right-click and select Properties.
    4. Click the Define these policy settings check box.
    5. Click Add user or group to add the delegation user (tfimdeleguser) to the list of users authorized to log on as a service.
    6. Click OK.
  13. Enable the WebSphere process that runs the Tivoli Federated Identity Manager application to run as a Windows service.

    Use the wasservice command. Default location:

    C:\Program Files\IBM\WebSphere\AppServer\bin

    Example command:

    C:\Program Files\IBM\WebSphere\AppServer\bin>wasservice -add ndagentwinser
    -servername nodeagent
    -profilePath "C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01"
    -wasHome "C:\Program Files\IBM\WebSphere\AppServer"
    -logfile "c:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\logs\ws_startserver.log"
    -logRoot "c:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\logs\nodeagent"
    -restart true

    Example output from the command:

    Adding Service: ndagentwinser
      Config Root: 
      C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\config
      Server Name: nodeagent
      Profile Path: C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01
      Was Home: C:\Program Files\IBM\WebSphere\AppServer\
      Start Args:
      Restart: 1
    IBM WebSphere Application Server V6.1 
       - ndagentwinser service successfully added

    To obtain a usage message for the wasservice command, enter:

    > WASService.exe

    without any arguments.

  14. If running in a cluster environment, modify the WebSphere service from the previous step to start as the delegation user (tfimdeleguser).
    1. Open the Services control panel and locate either the service for the Tivoli Federated Identity Manager runtime or the Tivoli Federated Identity Manager runtime node agent for a cluster environment.
    2. Select the Log On tab.
    3. Specify the delegation user tfimdeleguser.
    4. Specify the password for the delegation user.
    5. Click OK.
  15. Restart the WebSphere nodeagent.

    This step is required to ensure that the WebSphere node agent starts the managed servers under the new identity.

    1. Log on to the WebSphere console.
    2. Select Servers > Application servers for a standalone environment or Servers > Clusters for a cluster environment.
    3. Select the check box for the server or cluster to be restarted and press the Stop button for a standalone environment or the Ripplestart button for a cluster environment.
    4. In a standalone environment, after the server has been stopped, select the check box for the server or cluster to be restarted and press the Start button.
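The following PowerShell script is an added verification aid, not part of the IBM documentation: it reads the delegation account back from Active Directory over ADSI and reports whether the state produced by steps 5 through 10 is present (SPN registered, constrained rather than unconstrained delegation, protocol transition enabled, expected group memberships). It assumes the account name tfimdeleguser and the target SPN HTTP/mydataserver.example.com used in the instructions; change the parameters for your deployment.

```powershell
# Added example (not IBM's code): audit the Active Directory settings that the
# constrained-delegation procedure above configures for the delegation account.
# Run on a domain member as a user allowed to read the account. Requires the
# Windows Server 2003 domain functional level (msDS-AllowedToDelegateTo).
param(
    [string]   $DelegationUser  = "tfimdeleguser",                    # name used in these instructions
    [string[]] $ExpectedTargets = @("HTTP/mydataserver.example.com")  # target SPN from step 9 (example value)
)

# userAccountControl bits set by the account's Delegation and Account tabs (Microsoft-documented).
$UF_DONT_EXPIRE_PASSWD             = 0x0010000   # "Password never expires"
$UF_TRUSTED_FOR_DELEGATION         = 0x0080000   # "Trust this user for delegation to any service" (unconstrained)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)

# Plain ADSI lookup so no Active Directory PowerShell module is required.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$DelegationUser))"
$null = $searcher.PropertiesToLoad.AddRange(
    [string[]]@("userAccountControl", "servicePrincipalName", "msDS-AllowedToDelegateTo", "memberOf"))
$account = $searcher.FindOne()
if (-not $account) { throw "Account '$DelegationUser' not found in Active Directory." }

$uac     = [int] $account.Properties["useraccountcontrol"][0]
$spns    = [string[]] @($account.Properties["serviceprincipalname"])
$targets = [string[]] @($account.Properties["msds-allowedtodelegateto"])
$groups  = [string[]] @($account.Properties["memberof"])

$checks = @(
    @{ Name = "Step 8: SPN tfim/$DelegationUser registered";           Pass = ($spns -contains "tfim/$DelegationUser") },
    @{ Name = "Step 9: unconstrained delegation NOT enabled";          Pass = (($uac -band $UF_TRUSTED_FOR_DELEGATION) -eq 0) },
    @{ Name = "Step 9: 'Use any authentication protocol' enabled";     Pass = (($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0) },
    @{ Name = "Step 9: at least one delegation target configured";     Pass = ($targets.Count -gt 0) },
    @{ Name = "Step 5: 'Password never expires' set";                  Pass = (($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0) },
    @{ Name = "Step 6: member of Domain Admins";                       Pass = (@($groups -like "CN=Domain Admins,*").Count -gt 0) },
    @{ Name = "Step 10: member of Windows Authorization Access Group"; Pass = (@($groups -like "CN=Windows Authorization Access Group,*").Count -gt 0) }
)
foreach ($c in $checks) {
    $status = if ($c.Pass) { "PASS" } else { "FAIL" }
    "{0}  {1}" -f $status, $c.Name
}

# The target list is the constraint: any SPN beyond the ones you added widens what the
# account may obtain tickets for, so report anything not in the expected list.
foreach ($t in $targets) {
    if ($ExpectedTargets -notcontains $t) { "WARN  unexpected delegation target: $t" }
}
```

Group checks only see direct memberships (memberOf), which is how the procedure adds the account; re-run the script after any password or Delegation tab change to confirm nothing drifted.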
