Saturday, 21 April 2012

Administering SPNEGO within WebSphere Application Server: Tips on using Kerberos service principal names

I am adding this to my required reading list for projects where Kerberos and SPNEGO are used to deliver desktop Single Sign-On with WebSphere Application Server:

Summary:  The Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI) in IBM® WebSphere® Application Server V6.1 and in the SPNEGO Web Authentication feature in WebSphere Application Server V7.0 can be a powerful tool to achieve a seamless single sign-on environment between Microsoft® Windows® desktops and WebSphere-based servers. However, some users have trouble configuring service principal names when using SPNEGO. This article describes some best practices for configuring Microsoft Active Directory when using SPNEGO with WebSphere Application Server. (Updated for WebSphere Application Server Versions 6.1 and 7.0.)


This paragraph is especially useful:

• Users with WebSphere Application Server Version 5.1.1.x and 6.0.x can obtain a custom service offering solution from IBM Software Services for WebSphere (ISSW). This solution comes with the source code, and you maintain the custom code yourself. To obtain more information about the ISSW SPNEGO TAI services offering for WebSphere Application Server V5.1.1 and V6.0, contact IBM Software Services for WebSphere.

• WebSphere Application Server Version 6.1 ships a TAI based upon the ISSW version mentioned above, which is a fully supported product code. However, you do not get the source code with this version.

• WebSphere Application Server V7.0 includes SPNEGO function via a new SPNEGO Web Authentication. (V7.0 still ships, but has deprecated, the SPNEGO TAI.)

as I'd previously assumed that WAS did not include native SPNEGO support until 7.0.0.9. In fact, we shipped SPNEGO in WAS 6.1, but have moved to a new SPNEGO Web Authentication module in v7.

All good stuff...

Will add this to my existing presentation for WAS and SPNEGO (as delivered at Social Connections II in Cardiff last year).
