You can configure your browser to use the Simple and
Protected GSS-API Negotiation (SPNEGO) mechanism. Authentication
of your browser requests is processed by the SPNEGO trust association
interceptor (TAI) in the WebSphere Application Server.
Before you begin
You need to know how to display and set options in the Microsoft
Internet Explorer browser or any other browser (such as Firefox).
You must have a browser installed that supports SPNEGO authentication.
The following scenarios
are supported for a SPNEGO TAI with a browser client:
- Cross-forest trust
- Domain trust within the same forest
- Kerberos realm trust
The following scenarios are not
supported for a SPNEGO TAI with a browser client:
- Forest external trust
- Domain external trust
About this task
Complete the following steps to ensure that your Microsoft
Internet Explorer browser is enabled to perform SPNEGO authentication.
Procedure
- At the desktop, log in to the Windows Active Directory
domain.
- Activate Internet Explorer.
- In the Internet Explorer window, click Tools > Internet
Options > Security tab.
- Select the Local intranet icon and click Sites.
- In the Local intranet window, ensure that the check box
to include all local (intranet) sites not listed in other zones is selected,
then click Advanced.
- In the Local intranet window, fill in the Add this
Web site to the zone field with the Web address of the host name so
that single sign-on (SSO) can be enabled for the list of Web sites
shown in the Web sites field. Your site information technology staff
provides this information. Click OK to complete this step and
close the Local intranet window.
- On the Internet Options window, click the Advanced tab
and scroll to Security settings. Ensure that the Enable
Integrated Windows Authentication (requires restart) box is selected.
- Click OK. Restart your Microsoft Internet Explorer
to activate this configuration.
Results
Complete the following steps to ensure that your Firefox
browser is enabled to perform SPNEGO authentication.
- At the desktop, log in to the Windows Active Directory domain.
- Activate Firefox.
- At the address field, type about:config.
- In the Filter field, type network.n.
- Double-click network.negotiate-auth.trusted-uris. This
preference lists the sites that are permitted to engage in SPNEGO
Authentication with the browser. Enter a comma-delimited list of trusted
domains or URLs.
Note: You must set the value for network.negotiate-auth.trusted-uris.
- If the deployed SPNEGO solution is using the advanced Kerberos
feature of Credential Delegation, double-click network.negotiate-auth.delegation-uris.
This preference lists the sites for which the browser may delegate
user authorization to the server. Enter a comma-delimited list of
trusted domains or URLs.
- Click OK. The configuration appears as updated.
- Restart your Firefox browser to activate this configuration.
Your Internet browser is properly configured for SPNEGO
authentication. You can use applications that are deployed in WebSphere
Application Server that use secured resources without being repeatedly
prompted for an ID and password.
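The two Firefox preferences set in the steps above decide which sites receive Kerberos tickets and delegated credentials, so their values are worth reviewing after deployment. The following is an added example, not part of the product documentation: a small Python audit of a profile's prefs.js content. Assumptions: the preferences appear as `user_pref("name", "value");` lines, the host names are constructed placeholders, and the "too broad" rule (scheme-only or single-label entries) is an illustrative policy.

```python
import re

# Assumes about:config changes are stored in prefs.js as user_pref("name", "value"); lines.
PREF_RE = re.compile(r'user_pref\("(network\.negotiate-auth\.[\w-]+)",\s*"([^"]*)"\);')
TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"

def parse_prefs(text):
    """Return {pref_name: [entries]} for the negotiate-auth string preferences."""
    prefs = {}
    for name, value in PREF_RE.findall(text):
        prefs[name] = [e.strip().lower() for e in value.split(",") if e.strip()]
    return prefs

def host_of(entry):
    """Host part of an entry such as 'https://host:port/path'; '' for 'https://'."""
    _, sep, rest = entry.partition("://")
    return (rest if sep else entry).split("/")[0].split(":")[0].lstrip(".")

def too_broad(entry):
    """Assumed policy: reject scheme-only entries and single-label hosts."""
    host = host_of(entry)
    return host == "" or "." not in host

def covered(entry, trusted):
    """True if the entry's host equals, or is a subdomain of, a trusted host."""
    host = host_of(entry)
    return any(t and (host == t or host.endswith("." + t)) for t in map(host_of, trusted))

def audit(text):
    prefs = parse_prefs(text)
    trusted, deleg = prefs.get(TRUSTED, []), prefs.get(DELEGATION, [])
    findings = []
    if not trusted:
        findings.append("trusted-uris is not set")
    findings += [f"{name}: '{e}' is too broad"
                 for name, lst in ((TRUSTED, trusted), (DELEGATION, deleg))
                 for e in lst if too_broad(e)]
    findings += [f"delegation entry '{e}' is not covered by trusted-uris"
                 for e in deleg if not too_broad(e) and not covered(e, trusted)]
    return findings

# Constructed prefs.js content; host names are placeholders.
SAMPLE = '''
user_pref("network.negotiate-auth.trusted-uris", "was.example.com, https://");
user_pref("network.negotiate-auth.delegation-uris", "was.example.com,portal.example.org");
'''
```

Calling `audit(SAMPLE)` reports the scheme-only `https://` entry and the delegation host that has no matching trusted entry.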