Using Microsoft Active Directory for authentication
WebSphere® Application Server supports Microsoft Active Directory. Many installations use Microsoft Active Directory as their primary component for managing user authentication and user data. Authenticating a user across multiple repositories, or across a distributed Lightweight Directory Access Protocol (LDAP) deployment such as a Microsoft Active Directory forest, can be challenging. In any search of the whole registry, if there is more than one match at run time, authentication fails because the matches are ambiguous.
About this task
User IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest. The following figure illustrates the condition of a given user ID not being unique across a tree or forest.
Figure 1. Forest search strategy: illustration of a search for a non-unique sAMAccountName across the entire forest.
Authenticating users across trees or forests can be a difficult task; perform the following steps.

Note: You must ensure that the Microsoft Windows Computer Browser Service is enabled in your operating system when all of the following conditions are true:
- Your primary domain is managed by Microsoft Active Directory.
- The Primary Domain Controller (PDC) exists in a different subnet from WebSphere Application Server.
- You set the user registry for WebSphere Application Server to local OS and not Lightweight Directory Access Protocol (LDAP).
For more information on how to set and verify that the Microsoft Windows Computer Browser Service is enabled, see the Microsoft documentation for your operating system.
Procedure
1. Analyze the Microsoft Active Directory construct that defines your installation. Your analysis can conclude with one of the following forms:
   - Single LDAP registry: simple configuration.
   - Federated repository (a forest): typical configuration.
   - Merger of federated repositories (a merger of trees into a forest): less typical configuration.
   - Combination of user and group forests: rare configuration.
2. Develop strategies for user lookup that match your Microsoft Active Directory installation. Remember that user IDs are guaranteed to be unique within a single domain, but there is no automatic guarantee that a given user ID is unique across a tree or a forest.
3. Evaluate with testing to ensure that your authentication search strategies successfully authenticate users in your Microsoft Active Directory installation.
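The following is an added example, not code from IBM or from WebSphere Application Server. It models the rule stated on this page (a whole-registry search that returns more than one match is ambiguous and authentication fails) against a small constructed two-domain forest in which the same sAMAccountName exists in both domains, and then shows two lookup strategies of the kind step 2 asks you to develop: scoping the search to a single domain, and looking up by userPrincipalName, whose domain suffix already selects the domain. The domain names, distinguished names and accounts are constructed for illustration; the UPN-based strategy is one common approach and is offered here as an assumption, not as the page's prescribed method.

```python
# Added example (not IBM's code): forest-wide versus domain-scoped user lookup.
# A user ID (sAMAccountName) is unique within one domain but may repeat across
# the forest; a search of the whole registry that returns more than one match
# is ambiguous and must fail. Scoping the search to a domain, or looking up by
# userPrincipalName (which embeds the domain), removes the ambiguity.
# All domain names, DNs and accounts below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    dn: str
    sam_account_name: str
    user_principal_name: str


# Constructed forest: root domain corp.example.test plus child domain eu.example.test.
# "jsmith" exists in both domains, which is the non-unique case from Figure 1.
FOREST: Dict[str, List[DirectoryEntry]] = {
    "corp.example.test": [
        DirectoryEntry("CN=J Smith,OU=Users,DC=corp,DC=example,DC=test",
                       "jsmith", "jsmith@corp.example.test"),
        DirectoryEntry("CN=A Kumar,OU=Users,DC=corp,DC=example,DC=test",
                       "akumar", "akumar@corp.example.test"),
    ],
    "eu.example.test": [
        DirectoryEntry("CN=J Smith,OU=Staff,DC=eu,DC=example,DC=test",
                       "jsmith", "jsmith@eu.example.test"),
    ],
}

# ("ok", dn) | ("ambiguous", [dn, ...]) | ("not_found", None)
Result = Tuple[str, Optional[object]]


def search_domain(domain: str, user_id: str) -> List[DirectoryEntry]:
    """Search one domain for sAMAccountName == user_id (AD matches it case-insensitively)."""
    return [e for e in FOREST.get(domain.lower(), [])
            if e.sam_account_name.lower() == user_id.lower()]


def search_forest(user_id: str) -> List[DirectoryEntry]:
    """Search every domain in the forest: the 'search of the whole registry' case."""
    return [e for domain in FOREST for e in search_domain(domain, user_id)]


def _decide(matches: List[DirectoryEntry]) -> Result:
    """The page's rule: zero matches -> not found; more than one -> ambiguous, so
    authentication fails; exactly one -> the DN the registry binds as."""
    if not matches:
        return ("not_found", None)
    if len(matches) > 1:
        return ("ambiguous", sorted(e.dn for e in matches))
    return ("ok", matches[0].dn)


def resolve_user(user_id: str, domain: Optional[str] = None) -> Result:
    """Resolve a bare user ID. With no domain the whole forest is searched and a
    duplicated ID is ambiguous; with a domain the search is scoped and unique."""
    matches = search_domain(domain, user_id) if domain else search_forest(user_id)
    return _decide(matches)


def resolve_by_upn(upn: str) -> Result:
    """Lookup strategy that avoids ambiguity: the UPN names the domain, so the
    search is scoped to that domain and matched on userPrincipalName."""
    if upn.count("@") != 1:
        return ("not_found", None)
    _, domain = upn.split("@")
    matches = [e for e in FOREST.get(domain.lower(), [])
               if e.user_principal_name.lower() == upn.lower()]
    return _decide(matches)


if __name__ == "__main__":
    print("forest-wide jsmith:", resolve_user("jsmith"))      # ambiguous -> fail
    print("eu-scoped jsmith:", resolve_user("jsmith", "eu.example.test"))
    print("by UPN:", resolve_by_upn("jsmith@corp.example.test"))
```

When you test your own strategy (step 3), the forest-wide lookup of a duplicated ID is the case to include deliberately: it must be reported as ambiguous rather than silently binding to whichever domain answered first.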
Results
You are now in a position to authenticate users with LDAP registries in a Microsoft Active Directory forest.
What to do next
Avoid trouble: When you select any of these scenarios, consult the appropriate Microsoft Active Directory information to completely understand any implications the scenarios might have on your configuration planning.