Configuring SPNEGO authentication in Liberty
You can use single sign-on for HTTP requests by using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication for WebSphere® Application Server Liberty. SPNEGO single sign-on (SSO) enables HTTP users to log in to a Microsoft® domain controller only once at their desktop and to achieve SSO with the Liberty server.
The latest documentation about configuring SPNEGO for Liberty is available on the Open Liberty website.
Before you begin
- SPNEGO SSO is also known as Integrated Windows Authentication (IWA) for Windows platform.
- Liberty supports SPNEGO for IWA, but not raw Kerberos or NT LAN Manager (NTLM) authentication.
- Beginning with 19.0.0.1, the IBM® SDK, the Oracle JDK, and OpenJDK are supported. Before 19.0.0.1, only the IBM SDK was supported.
- SPNEGO and constrained delegation do not support the IBM hybrid JDK.
- The commands for this task and much of the SPNEGO configuration are case sensitive.
- The clocks for the client, Microsoft Active Directory server, and Liberty server must be synchronized to within 5 minutes of each other, by default. The allowable difference in synchronization is configurable.
- The software configuration must have a running domain controller, at least one client machine in that domain, and a server platform with a Liberty server that has a protected resource within an application, for a total of three required machines. Using SPNEGO directly from the domain controller is not supported.
Configure the following software and ensure that it is available:
- A Microsoft Windows® Server running an Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For this topic, an example host for such a domain controller is myAdMachine.example.com. The domain controller name is mydomain.example.com and the Kerberos realm name is MYDOMAIN.EXAMPLE.COM, which is the domain controller name in all uppercase letters.
- A Microsoft Windows® domain member (client) that supports the SPNEGO authentication mechanism as defined in IETF RFC 2478. Examples of an appropriate client might be a modern browser or a Microsoft .NET client. Most modern browsers support SPNEGO authentication. For this topic, an example host for the client is myClientMachine.example.com.
- A server platform with a Liberty server that has a protected resource within an application. Users in the Active Directory must be able to access Liberty server protected resources by using a native Liberty server authentication mechanism. For this topic, an example Liberty server host is myLibertyMachine.example.com.
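The Kerberos client configuration that ties the example hosts above together, as an added illustration that is not part of this topic: the realm is the domain name in uppercase, the KDC is the domain controller, and the 5-minute clock tolerance is the `clockskew` setting in seconds. File paths and the `dns_lookup_*` choices are assumptions.

```ini
# Constructed example krb5.conf for the topology described above (added here; not from the
# original topic). Hosts and realm are the example names from this topic; paths are assumptions.
[libdefaults]
    # Realm name is the domain controller name in uppercase, as required above.
    default_realm = MYDOMAIN.EXAMPLE.COM
    # Largest clock difference tolerated between client, KDC and Liberty server, in seconds.
    # 300 s is the 5-minute default mentioned above; this is the configurable tolerance.
    clockskew = 300
    # Resolve realm and KDC from this file rather than DNS, so the mapping is explicit and auditable.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    MYDOMAIN.EXAMPLE.COM = {
        # The Active Directory domain controller hosts the KDC (Kerberos port 88).
        kdc = myAdMachine.example.com:88
        admin_server = myAdMachine.example.com
    }

[domain_realm]
    # Map the domain and the Liberty host to the realm so that the
    # HTTP/myLibertyMachine.example.com service principal resolves to MYDOMAIN.EXAMPLE.COM.
    .mydomain.example.com = MYDOMAIN.EXAMPLE.COM
    mydomain.example.com = MYDOMAIN.EXAMPLE.COM
    myLibertyMachine.example.com = MYDOMAIN.EXAMPLE.COM
```

Liberty reads this file through the `krb5Config` attribute of the `<spnego>` element in server.xml, with the keytab for the HTTP/myLibertyMachine.example.com principal given by `krb5Keytab`. Confirm in your JDK's Kerberos documentation that it honours `clockskew` before relying on a non-default value.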
About this task
The objective of this task is to allow users to successfully access Liberty server resources without having to authenticate again, and thus achieve Microsoft Windows® desktop single sign-on capability.
This task demonstrates how to configure a Liberty server to support single sign-on for HTTP requests by using SPNEGO web authentication.
Procedure
Results
To verify that SPNEGO is working, log in to the domain controller and then access a protected resource on the Liberty server: because you are already logged in to the domain controller, you are not prompted for credentials. If you attempt to access the same protected resource without logging in to the domain controller, you are prompted for credentials.