IBM Tivoli Federated Identity Manager, Version 6.2.1

Configuring Active Directory for use with SPNEGO

If you will use WebSphere® Application Server with SPNEGO authentication, you must use Microsoft® Active Directory as your user registry. You will need to perform several configuration tasks in Microsoft Active Directory:

Before you begin

Microsoft Active Directory is a required component in an identity provider environment in which IBM® WebSphere Application Server with SPNEGO authentication is used as the point of contact server. Your Microsoft Active Directory should be installed and configured for your network before you begin this task.

About this task

For the details of completing the steps in this procedure, you will need to refer to the Microsoft Active Directory documentation.

Procedure

  1. Using the Active Directory Users and Computers Console, create an Active Directory user for the WebSphere administrative user. This user is a regular user account in Active Directory, with no special account privileges. Use a user name that reflects the role of this user. For example, consider using wasadmin.
  2. Using the Active Directory Users and Computers Console, create a user that will contain the Service Principal Name (SPN) of your Tivoli Federated Identity Manager server. The user name for this account is not important. This user's Service Principal Name will be set using the ktpass utility in a subsequent step. Give this user a very secure password and set the password to never expire.
  3. Use the ktpass command to build a keytab file for the WebSphere Kerberos user. The ktpass utility is included with the Microsoft Windows® 2003 Server Support Tools package. Use the following parameters with the command:
    Table 1. Parameters to use with the Microsoft Windows ktpass command

    -out
      Example value: was1-krb5.keytab
      A filename in which to store the secret key that will later be used for Kerberos authentication validation on the WebSphere server. This file will be uploaded to the WebSphere server when you enable SPNEGO. See Enabling and configuring SPNEGO authentication.

    -princ
      Example value: HTTP/ibm-fim611-1.fimtest.example.com@FIMTEST.EXAMPLE.COM
      The Kerberos service principal name to use for generating the key. This value is case sensitive and MUST start with HTTP/. The portion following HTTP/ must be the fully qualified DNS domain name of the URL that users will see in their browsers when accessing the WebSphere server.

    -pass
      Example value: *
      The password to set for the Kerberos principal. A value of * results in a prompt for the password. The password must match the password of the user created in step 2.

    -mapuser
      Example value: was-1
      The Active Directory user to whom the Kerberos service principal will be mapped. The value here should match the user name you created in step 2.

    -mapOp
      Example value: set
      Indicates that the SPN should overwrite any existing value mapped for this Active Directory user.

    The following example shows an execution of the ktpass command. It also shows the use of the setspn command to list the service principal names registered for the was-1 user, for information and verification purposes.
    Figure 1. Example of the ktpass command
    C:\Program Files\Support Tools>ktpass -out was1-krb5.keytab 
     -princ HTTP/ibm-fim611-1.fimtest.example.com@FIMTEST.EXAMPLE.COM
     -pass * -mapuser was-1 -mapOp set
    
    Targeting domain controller: ibm-fimtest-ad.fimtest.example.com
    
    Successfully mapped HTTP/ibm-fim611-1.fimtest.example.com:
    
    Type the password again to confirm: 
    
    Key created.
    
    Output keytab to was1-krb5.keytab:
    
    Keytab version:0x502
    
    keysize 76 HTTP/ibm-fim611-1.fimtest.example.com@FIMTEST.EXAMPLE.COM 
     ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) 
     keylength 8 (0x799b26bfe9ad3ba4)
    
    Account was-1 has been set for DES-only encryption.
    
    C:\Program Files\Support Tools>setspn -L was-1
    
    Registered ServicePrincipalNames for 
    CN=was-1,CN=Users,DC=fimtest,DC=example,DC=com:
    
       HTTP/ibm-fim611-1.fimtest.example.com

    The keytab file that is created in this step will be uploaded to the Tivoli Federated Identity Manager server during the configuration of WebSphere Application Server; see Configuring WebSphere for use with SPNEGO.

  4. Collect Active Directory connection configuration information to use in the WebSphere Application Server configuration, as follows:
    1. Locate the following information in the Active Directory LDAP tree:
      Hostname
      The hostname of the Active Directory server.
      Port
      The port number of the Active Directory server.
      Base DN
      The base search DN for Active Directory users.
      Bind DN
      The Active Directory DN of a user that will be used to perform LDAP searches. This value does not need to be the DN of the domain administration account; the DN of any valid Active Directory user will do.
      Bind password
      The password for the user represented by the Bind DN.
    2. If an SSL connection is required to Active Directory, WebSphere must be configured with the certificate of the domain controller's issuing CA. If Windows Certificate Services was installed on the domain controller, this will be the CA certificate of the Certificate Services on that domain controller. To export the CA certificate to a file:
      1. Open Administrative Tools > Certification Authority. Then right-click on the top-level CA name, and click Properties.
      2. Click the General tab and then click View Certificate.
      3. Click the Details tab and click Copy to File.

        The file will be saved in DER encoded binary format. You will use this file as part of the WebSphere configuration, if SSL server authentication is needed to contact the Active Directory server through the LDAP/SSL interface.
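Before the keytab from step 3 is uploaded to WebSphere, it is worth confirming that the file really carries the principal, key version and encryption type that ktpass reported; the "DES-only encryption" line in Figure 1 also deserves attention, because single-DES Kerberos keys are deprecated and rejected by modern KDCs. The following Python script is an added example and is not part of the IBM documentation or of the ktpass tool. It parses the version 0x502 keytab format that ktpass writes, applies the -princ rules from Table 1 (HTTP/ prefix, fully qualified host, upper-case realm) to each principal, and flags single-DES or RC4 keys. The build_keytab helper exists only to construct an offline fixture from the values printed in Figure 1; the WEAK_ENCTYPES set, check_spn and check_keytab are this example's own assumptions about what a pre-upload check should cover.

```python
"""Sanity-check a ktpass keytab before uploading it to WebSphere (added example)."""
import struct

# Kerberos enctype numbers: 1-3 are single DES and 23 is RC4, all deprecated.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 2, 3, 23}
KRB5_NT_PRINCIPAL = 1          # the ptype that ktpass prints in Figure 1


def _counted(b):
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal, enctype, key, vno):
    """Serialise a single-entry version 0x502 keytab (used here only to build the fixture)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, vno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)  # 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Parse every entry of a version 0x502 keytab into dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + keylen]
        pos += 13 + keylen
        vno = vno8
        if end - pos >= 4:                   # optional 32-bit kvno after the key
            vno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "vno": vno, "enctype": enctype, "key": key})
        pos = end
    return entries


def check_spn(principal):
    """Apply the -princ rules from Table 1: HTTP/ prefix, FQDN host, upper-case realm."""
    problems = []
    if not principal.startswith("HTTP/"):
        problems.append("%s: service part must be exactly HTTP/ (case sensitive)" % principal)
    name, _, realm = principal.partition("@")
    host = name.partition("/")[2]
    if "." not in host:
        problems.append("%s: host must be the fully qualified DNS name users browse to" % principal)
    if not realm or realm != realm.upper():
        problems.append("%s: realm must be the upper-case Kerberos realm" % principal)
    return problems


def check_keytab(data, expected_principal):
    """Return findings for a keytab; an empty list means it is ready to upload."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    findings = []
    if all(e["principal"] != expected_principal for e in entries):
        findings.append("no entry for %s; found %s" % (
            expected_principal, ", ".join(e["principal"] for e in entries)))
    for e in entries:
        findings.extend(check_spn(e["principal"]))
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s: weak enctype %s; rerun ktpass with a stronger /crypto value if the "
                            "WebSphere release supports it" % (e["principal"], ENCTYPE_NAMES[e["enctype"]]))
    return findings


# Constructed fixture reproducing the entry that ktpass printed in Figure 1.
SAMPLE_PRINCIPAL = "HTTP/ibm-fim611-1.fimtest.example.com@FIMTEST.EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, 3, bytes.fromhex("799b26bfe9ad3ba4"), 3)

if __name__ == "__main__":
    print(parse_keytab(SAMPLE_KEYTAB)[0]["principal"], "->", check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL))
```

To check a real file, replace SAMPLE_KEYTAB with the bytes read from was1-krb5.keytab and SAMPLE_PRINCIPAL with the -princ value you passed to ktpass; the script only reads the file and never needs domain credentials. Run against the Figure 1 fixture it reports exactly one finding, the DES-CBC-MD5 key, which is what the "DES-only encryption" line predicts.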
