Abhi On Java: Single Sign-On: Windows and WebSphere

Monday, June 12, 2006

Single Sign-On: Windows and WebSphere

A common requirement when implementing single sign-on solutions within organizations is to be able to share the authentication information betweeen the user desktop and the web application. This requirement becomes more important for intranet applications. WebSphere Application Server provides the capability to acheive Single Sign-On with Windows and Web Applications by providing a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WebSphere Application Server. When the SPNEGO TAI is initialized, authentication for all the Web Applications on that server goes through the TAI. HTTP users log in and authenticate only once at their desktop and are authenticated (internally) with WebSphere Application Server. The SPNEGO TAI is only visible to the WebSphere administrator who is responsible for ensuring a proper configuration, capacity, and maintenance of the Web environment.
Additional Requirements (Apart from WebSphere Application Server 6.1)

Microsoft’s Windows 2000 or Windows 2003 Servers with Active Directory domain and associated Kerberos Key Distribution Center (KDC).
Microsoft Internet Explorer Version 5.5 or later, Mozilla Firefox Version 1.0, or any other client application that supports SPNEGO mechanism.

Additional Considerations

The LDAP Server used by WebSphere and the Windows Active Directory must be the same for the default configuration, if different, then a custom login module (provided with WAS) must be configured to handle authentication.
The end user must configure the Web browser or .NET application to issue HTTP requests that are processed by the SPNEGO TAI.
The Web administrator is responsible for configuring the SPNEGO TAI of WebSphere Application Server to respond to HTTP requests of the client.
The WebSphere Application Server administrator is responsible for configuring WebSphere Application Server and the SPNEGO TAI for optimum installation performance.
Kerberos version 5 is required.
RC4-HMAC encryption is only supported when using a Windows 2003 Server as Kerberos key distribution center (KDC) and is not supported with a Windows 2000 Server.