Configuring Kerberos authentication with an external Kerberos Authenticator
You can achieve Windows desktop single sign-on by configuring a Kerberos Authenticator to authenticate clients on behalf of the appliance.
About this task
You can configure a junctioned web server to complete the actual authentication and return the authenticated identity to the appliance. The appliance then trusts the identity that this junctioned server reports, so the server must be one you control and must itself require Kerberos before it reports anything.
Complete the following steps to configure an external Kerberos Authenticator to do the authentication on behalf of the appliance. An example is provided for each step. Collectively, these examples describe one possible configuration that supports Windows desktop single sign-on.
Procedure
1. Install the Policy Server and configure its user registry, for example Active Directory.
2. Configure a web server that supports Kerberos authentication. This web server is the Kerberos Authenticator. For example, install WebSEAL on the domain controller and configure Kerberos authentication.
3. Configure the External Authentication Interface (EAI) application on the Kerberos Authenticator. For example, create a simple Common Gateway Interface (CGI) script to act as the EAI. This CGI builds an EAI response that sets the am-eai-user-id header to the name of the user that the Kerberos Authenticator has just authenticated. WebSEAL on the appliance accepts whatever user name this header carries, so the CGI must be reachable only through the Kerberos-protected URL and must take the user name from the web server's own authentication result, never from anything the client sent.
You can now verify the configuration of the Kerberos Authenticator. Add a Windows client to the domain and verify that Windows desktop single sign-on occurs when you access the WebSEAL server that acts as the Kerberos Authenticator from this client. You can install a network protocol analyzer, such as Wireshark, on the domain controller to monitor and validate the network traffic.
4. Configure WebSEAL on the appliance to use the external Kerberos Authenticator for authentication. For example, follow these steps:
a. Create a junction to the Kerberos Authenticator.
b. Configure the CGI script as an EAI application.
c. Set the strip-www-authenticate-headers configuration entry to no.
If the strip-www-authenticate-headers configuration entry is set to yes, WebSEAL removes the Negotiate and NTLM WWW-Authenticate headers from junctioned server responses, so the browser never receives the challenge that starts the Kerberos exchange. Therefore, you must set the value to no to keep these WWW-Authenticate headers in the junctioned server responses. For more information about this configuration entry, see the Reference information in the IBM Knowledge Center.
You can now verify that Windows desktop single sign-on is available on the appliance. Send a request from the Windows client, through the WebSEAL server on the appliance, to the EAI application. Single sign-on occurs: the user can access the WebSEAL server on the appliance as an authenticated user without being prompted for credentials. Again, you can use a network protocol analyzer to monitor and validate the network traffic.
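The following shell script is an added example and is not code from this IBM page or from WebSEAL itself. It shows the two pieces a practitioner writes for this procedure: the EAI CGI for step 3, which turns the principal that a Kerberos-enabled web server places in REMOTE_USER (jdoe@EXAMPLE.COM from Apache-style modules, EXAMPLE\jdoe from IIS) into an am-eai-user-id response and refuses anything that does not look like an account name, and two checks for step 4 and the final verification, one that reads a WebSEAL configuration file to confirm strip-www-authenticate-headers = no and one that confirms a captured response from the appliance still carries the Negotiate challenge. It assumes the web server invokes the CGI only after a successful Kerberos handshake, that the appliance keeps the default EAI header name am-eai-user-id with an Active Directory registry that expects the bare account name, and that the configuration entry sits in the [server] stanza; the sample configuration and response files that the self-check writes are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the IBM documentation or of WebSEAL.
# Assumes: REMOTE_USER holds the Kerberos-authenticated principal, WebSEAL
# uses the default header name am-eai-user-id, the registry is Active
# Directory (bare account name), and strip-www-authenticate-headers lives in
# the [server] stanza of the WebSEAL configuration file.

# Reduce a principal to the bare account name:
#   jdoe@EXAMPLE.COM -> jdoe      EXAMPLE\jdoe -> jdoe
# Fails (returns 1) on an empty result or on any character outside
# [A-Za-z0-9._-], so a crafted REMOTE_USER cannot smuggle extra header
# lines into the EAI response.
principal_to_userid() {
    p=$1
    p=${p%%@*}      # drop @REALM
    p=${p##*\\}     # drop DOMAIN\ prefix
    case $p in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$p"
}

# EAI response for a user the web server has authenticated with Kerberos.
# WebSEAL reads am-eai-user-id from the junctioned response and creates the
# session; the body is only for someone who opens the URL directly.
eai_response() {
    userid=$(principal_to_userid "$1") || return 1
    printf 'am-eai-user-id: %s\r\n' "$userid"
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'Authenticated as %s\n' "$userid"
}

# Response when there is no usable authenticated principal. The EAI header
# is deliberately absent, so WebSEAL does not create a session.
eai_reject() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'Kerberos authentication required\n'
}

# Step 4c check: the appliance WebSEAL configuration file must contain
# strip-www-authenticate-headers = no, otherwise the Negotiate/NTLM challenge
# from the Kerberos Authenticator never reaches the browser.
strip_headers_disabled() {
    grep -Eiq '^[[:space:]]*strip-www-authenticate-headers[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Verification check: a response captured from the appliance (curl -i or a
# Wireshark export) still carries the Negotiate challenge.
negotiate_challenge_present() {
    grep -Eiq '^www-authenticate:[[:space:]]*negotiate' "$1"
}

# Self-check on constructed sample files (not real appliance output).
# Returns 0 when a good configuration and response pass and a bad
# configuration is rejected.
selfcheck() {
    dir=$(mktemp -d) || return 1
    printf '[server]\r\nstrip-www-authenticate-headers = no\r\n' > "$dir/good.conf"
    printf '[server]\nstrip-www-authenticate-headers = yes\n' > "$dir/bad.conf"
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n' > "$dir/resp.txt"
    rc=0
    strip_headers_disabled "$dir/good.conf" || rc=1
    strip_headers_disabled "$dir/bad.conf" && rc=1
    negotiate_challenge_present "$dir/resp.txt" || rc=1
    rm -rf "$dir"
    return $rc
}

# CGI entry point; only runs when a web server invokes the script.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if [ -n "${REMOTE_USER:-}" ] && eai_response "$REMOTE_USER"; then
        exit 0
    fi
    eai_reject
    exit 0
fi
```

Install the script as the CGI behind the Kerberos-protected URL on the Kerberos Authenticator; run it by hand (or source it) to use strip_headers_disabled against the appliance configuration file and negotiate_challenge_present against a saved response when you verify step 4. The character whitelist is the important part: the header value becomes a WebSEAL identity, so the CGI must fail closed rather than pass through anything unexpected.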