IBM Tivoli Access Manager for e-business: WebSEAL Administration ...

Windows desktop single sign-on

This section contains the following topics:

• "Windows desktop single sign-on concepts"
• "Windows desktop single sign-on configuration" on page 237

Windows desktop single sign-on concepts

This section discusses the following topics:

• "SPNEGO protocol and Kerberos authentication"
• "User registry and platform support" on page 235
• "Compatibility with other authentication methods" on page 235
• "Limitations" on page 236

SPNEGO protocol and Kerberos authentication

Microsoft provides an authentication solution that allows Windows clients to use Microsoft Internet Explorer (IE) to access resources on Microsoft Internet Information Servers (IIS) without having to reauthenticate. This single sign-on solution relies on the Microsoft-defined Negotiate HTTP authentication scheme (later documented in RFC 4559).

IBM Tivoli Access Manager WebSEAL provides an equivalent authentication solution that enables IE clients to access WebSEAL servers without having to reauthenticate. This means that users with an IE browser can access resources protected by Tivoli Access Manager without having to reenter their username and password. The user needs to log in only once, to the Windows domain, as is typically done when logging in to Windows on a desktop workstation.

WebSEAL supplies an implementation of the same HTTP authentication method used by Microsoft. This implementation involves two pieces:

• Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
• Kerberos authentication

The SPNEGO protocol mechanism enables WebSEAL to negotiate with the browser to establish the authentication mechanism to use. The browser supplies Kerberos authentication information (a service ticket for the WebSEAL server, obtained from the domain's Kerberos KDC). WebSEAL knows how to use the user's Kerberos authentication information when processing a user request to access resources protected by Tivoli Access Manager. On WebSEAL, this implementation is called Windows desktop single sign-on.
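The negotiation just described is visible on the wire as an HTTP 401 carrying "WWW-Authenticate: Negotiate", answered by the browser with "Authorization: Negotiate <base64 token>". The following Python script is an added example, not code from the guide or from WebSEAL itself: it decodes that header, walks the GSS-API/SPNEGO NegTokenInit to list the mechanisms the browser offers, and flags the case a practitioner should watch for, a browser that could not obtain a Kerberos ticket and sends raw NTLMSSP under the same Negotiate scheme. The OIDs are the standard ones; the sample tokens are constructed by the script's own encoder, with a dummy mechToken standing in for a real Kerberos AP-REQ.

```python
"""Decode the SPNEGO token a browser sends in an Authorization: Negotiate header.

Added example (not from the WebSEAL guide).  Standard library only; the sample
headers at the bottom are constructed here so the script runs offline.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2")
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

# ---- minimal DER encoder, used only to build the constructed samples ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = "more"
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def build_neg_token_init(mechs, mech_token: bytes) -> bytes:
    """InitialContextToken{ OID spnego, NegTokenInit{ mechTypes, mechToken } }."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(m) for m in mechs)))
    token = tlv(0xA2, tlv(0x04, mech_token))
    neg_init = tlv(0xA0, tlv(0x30, mech_types + token))   # CHOICE [0] NegTokenInit
    return tlv(0x60, encode_oid(SPNEGO_OID) + neg_init)    # [APPLICATION 0]

# ---- decoder ----
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_negotiate_header(header_value: str) -> dict:
    """Parse the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    # A client with no Kerberos ticket sends bare NTLMSSP under the same
    # scheme; detecting this downgrade is the point of the check.
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "mech_types": ["1.3.6.1.4.1.311.2.2.10"], "has_mech_token": True}
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg_init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = read_tlv(neg_init)            # SEQUENCE of context-tagged fields
    mech_types, has_token, pos = [], False, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(field)
            p = 0
            while p < len(oids):
                _, o, p = read_tlv(oids, p)
                mech_types.append(decode_oid(o))
        elif tag == 0xA2:                     # [2] mechToken: the Kerberos AP-REQ
            has_token = True
    return {"kind": "spnego", "mech_types": mech_types, "has_mech_token": has_token}

def kerberos_offered(parsed: dict) -> bool:
    """True when the client's preferred (first-listed) mechanism is Kerberos."""
    return bool(parsed["mech_types"]) and parsed["mech_types"][0] in KRB5_OIDS

# Constructed samples (hypothetical, not captured traffic): the mechToken is a
# placeholder string, not a real ticket.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"dummy-ap-req")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_SPNEGO, SAMPLE_NTLM):
        p = parse_negotiate_header(hdr)
        names = [MECH_NAMES.get(m, m) for m in p["mech_types"]]
        print(p["kind"], names, "kerberos first:", kerberos_offered(p))
```

Run it to see both samples classified. In practice, feed it the header from a packet capture or a WebSEAL request trace to confirm that clients are actually negotiating Kerberos rather than silently falling back to NTLM, which defeats the single sign-on the section describes.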

Deployment of this single sign-on solution requires enabling and configuring the SPNEGO protocol on the WebSEAL server. In addition, the WebSEAL server must be configured as a client in an Active Directory domain and must have connectivity to an Active Directory domain controller. The Active Directory domain controller must act as a Kerberos Key Distribution Center (KDC). WebSEAL servers running on UNIX systems must use the Active Directory domain controller as their Kerberos KDC. The WebSEAL configuration steps vary depending on the operating system platform and the type of Tivoli Access Manager user registry.

Note: Use of SPNEGO requires that a time synchronization service be deployed across the Active Directory server, the WebSEAL server, and any clients (browsers) that will authenticate using SPNEGO. Kerberos rejects tickets and authenticators whose timestamps fall outside the permitted clock skew (five minutes by default in Active Directory), so an unsynchronized clock on any of the three parties causes the single sign-on to fail.

234 IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide
