Tuesday, 20 March 2012

WebSphere and Kerberos

I'm presenting on this subject at the WebSphere User Group at IBM South Bank tomorrow.

Will I see you there? I hope so...

However, the conversation around two-way forest-level transitive trust has come up on another project, so I was looking for a good definition of it in a WebSphere context.

This section of the WAS 7 Info Centre is definitely worth a read: -

The Kerberos authentication mechanism enables interoperability with other applications (such as .NET, DB2 and others) that support Kerberos authentication. It provides single sign on (SSO) end-to-end interoperable solutions and preserves the original requester identity.

Note: Security support for Kerberos as the authentication mechanism was added for WebSphere Application Server Version 7.0. Kerberos is a mature, flexible, open, and very secure network authentication protocol. Kerberos includes authentication, mutual authentication, message integrity and confidentiality and delegation features. You can enable Kerberos on the server side. Support is provided to enable the rich Java client to use the Kerberos token for authentication to the WebSphere Application Server.

Kerberos (KRB5) authentication mechanism support for security

and includes a useful set of links, including: -
• What is Kerberos?
• The benefits of having Kerberos as an authentication mechanism
• Kerberos authentication in a single Kerberos realm environment
• Kerberos authentication in a cross or trusted Kerberos realm environment
• Things to consider before setting up Kerberos as the authentication mechanism for WAS
• Support information for Kerberos authentication
• Setting up Kerberos as the authentication mechanism for WAS
• Setting up Kerberos as the authentication mechanism for the pure Java client


NotesSensei said...

Would that also work for the "optimized" Kerberos you can expect from a Windows client? And could you authenticate against a WAS using Kerberos and get an LTPA in return?

Dave Hay said...

@NotesSensei - yes, Kerberos from Windows to WAS is supported, and works. We're using SPNEGO via HTTP to negotiate the authentication from Windows / AD / KDC to WAS for Connections, Portal and WCM.

Additionally, WAS does and will return an LTPA token in the response, meaning that the user will sign on the next time using LTPA rather than Kerberos, which is slightly "cheaper" in performance terms.

My WUG presentation is now on Slideshare here - http://www.slideshare.net/david_hay/web-sphere-user-group-march-2012-desktop-single-signon-in-an-active-directory-world - feel free to check it out, and let me have any comments, regards, Dave
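As an added illustration of the SPNEGO negotiation discussed in the comments above (example code written for this page, not from the post or from WebSphere): the token a Windows client sends in its Authorization: Negotiate header is a DER-encoded SPNEGO NegTokenInit whose mechTypes list names the mechanisms the client offers, preferred first. The parser below, run against constructed sample tokens (no real KDC ticket involved), reports whether a captured header actually carries Kerberos (MS KRB5 or Kerberos V5) or a raw NTLM fallback, which goes a step beyond the post and is the check to make when desktop SSO to WAS stops behaving as expected.

```python
import base64

MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}   # well-known GSS-API mechanism OIDs

def read_tlv(buf, pos):  # read one DER TLV at buf[pos] -> (tag, content, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted notation
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def classify_negotiate(b64_token):  # what does a 'Negotiate' token carry? -> (kind, mech names)
    token = base64.b64decode(b64_token)
    if token.startswith(b"NTLMSSP\x00"):     # client fell back to raw NTLM, no SPNEGO wrapper
        return "raw-ntlm", ["NTLMSSP"]
    tag, body, _ = read_tlv(token, 0)        # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        return "unknown", []
    _, oid, pos = read_tlv(body, 0)          # thisMech OID, must be SPNEGO 1.3.6.1.5.5.2
    if decode_oid(oid) != "1.3.6.1.5.5.2":
        return "unknown", []
    _, seq, _ = read_tlv(read_tlv(body, pos)[1], 0)   # [0] NegTokenInit -> SEQUENCE
    _, mechs, _ = read_tlv(read_tlv(seq, 0)[1], 0)    # [0] mechTypes -> SEQUENCE OF OID
    names, pos = [], 0
    while pos < len(mechs):                  # first OID is the client's preferred mechanism
        _, oid, pos = read_tlv(mechs, pos)
        names.append(MECH_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return ("spnego-kerberos" if names[0] in ("Kerberos V5", "MS KRB5") else "spnego-other"), names

def der(tag, content):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(content)]) + content

def build_neg_token_init(mech_oids):  # constructed NegTokenInit carrying only mechTypes
    inner = der(0x30, der(0xA0, der(0x30, b"".join(mech_oids))))
    return der(0x60, der(0x06, bytes.fromhex("2b0601050502")) + der(0xA0, inner))

# Constructed samples: a Windows-style offer (MS KRB5 preferred) and an NTLM fallback.
MSKRB5 = der(0x06, bytes.fromhex("2a864882f712010202"))
NTLM = der(0x06, bytes.fromhex("2b06010401823702020a"))
SAMPLE_KERBEROS = base64.b64encode(build_neg_token_init([MSKRB5, NTLM])).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

Feed it the base64 part of an Authorization: Negotiate header taken from an HTTP trace; a result of "raw-ntlm" or "spnego-other" on a client that should be doing Kerberos usually points at an SPN or browser zone misconfiguration rather than at WAS.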