WebSphere Application Server & Liberty


Is Integrated Windows Authentication (IWA) supported by WebSphere?

By Hiroko Takamiya posted Wed December 15, 2021 10:03 AM



We recently received this question from a customer: "Is Integrated Windows Authentication (IWA) supported by WebSphere?"

The answer is yes! IWA can be configured in both Liberty and traditional WebSphere by enabling SPNEGO single sign-on (SPNEGO SSO). In fact, SPNEGO SSO is one of the most popular SSO configurations because it provides both convenience and security. This blog gives a quick overview of SPNEGO SSO.

What is the difference between SPNEGO SSO and IWA?


IWA can be implemented with several protocols, such as SPNEGO, Kerberos and NTLMSSP. WebSphere supports the SPNEGO protocol.
SPNEGO SSO requires a Kerberos Key Distribution Center (KDC) that users authenticate with. With IWA, the Windows KDC is used; it is implemented as a domain service that uses Active Directory. WebSphere's SPNEGO SSO is not limited to the Windows KDC: it also supports KDCs on Linux, AIX and z/OS.

What is the typical SPNEGO SSO scenario like?  

If the user's machine is logged on to a Windows domain, or has otherwise authenticated with a KDC, the user's credential can be sent from the browser to WebSphere. This way the user can log in to the application securely without typing a user ID and password.

In the following picture, the user first logs on to the Windows domain and obtains authentication information from the KDC. The browser on the user's machine then sends that information in a SPNEGO token with the HTTP request. WebSphere uses the SPNEGO token to authenticate the user, who can then access the application on WebSphere without typing a user ID and password.

How do I configure SPNEGO SSO for my application? 

To enable SPNEGO SSO for an application on WebSphere, the following configuration is needed. Note that, in addition to the WebSphere configuration, the KDC server and the browser on each client machine also require configuration.

  1. KDC server
    • The KDC server authenticates the users who log in to the application using SPNEGO SSO.
    • A keytab file needs to be created on the KDC; it is then configured in WebSphere.
  2. Browser - The browser on the user's machine is configured to send the authentication information obtained from the KDC.
  3. WebSphere
    • The keytab file from the KDC server is configured in WebSphere.
    • The Kerberos configuration file (krb5.ini or krb5.conf) on the WebSphere server contains the KDC information, the encryption types, etc.
    • The application is configured with SPNEGO SSO via the admin console (traditional WebSphere) or server.xml (Liberty).
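As an added illustration of step 3 for Liberty (this is an example written for this post, not configuration taken from the blog or from IBM's documentation), the server.xml fragment below enables the spnego-1.0 feature and points Liberty at the Kerberos configuration file and the keytab from steps 1 and 2. The hostname liberty.example.com, the realm and LDAP values, and the file paths are placeholders that you would replace with your own; the krb5.conf referenced here is assumed to already contain your realm, KDC address and permitted encryption types.

```xml
<server description="SPNEGO SSO example (added example, placeholders throughout)">

  <!-- Application security plus the SPNEGO feature. -->
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>spnego-1.0</feature>
  </featureManager>

  <!-- krb5Config:  the Kerberos configuration file (krb5.conf / krb5.ini) holding
                    the realm, the KDC host and the encryption types.
       krb5Keytab:  the keytab created on the KDC for this service principal. It
                    contains the service's long-term key, so copy it over a secure
                    channel and restrict its file permissions to the server user.
       servicePrincipalNames: the HTTP SPN registered in the KDC for this host
                    (placeholder value). -->
  <spnego id="mySpnego"
          krb5Config="${server.config.dir}/resources/security/kerberos/krb5.conf"
          krb5Keytab="${server.config.dir}/resources/security/kerberos/krb5.keytab"
          servicePrincipalNames="HTTP/liberty.example.com"
          canonicalHostName="true"
          skipForUnprotectedURI="false"
          disableFailOverToAppAuthType="false" />

  <!-- The authenticated Kerberos principal must map to a user in the configured
       user registry; with a Windows KDC that is normally Active Directory over
       LDAP. All values below are placeholders. -->
  <ldapRegistry id="ldap" realm="EXAMPLE.COM"
                host="ad.example.com" port="389" ignoreCase="true"
                baseDN="dc=example,dc=com"
                bindDN="cn=liberty-bind,cn=Users,dc=example,dc=com"
                bindPassword="REPLACE_WITH_ENCODED_PASSWORD"
                ldapType="Microsoft Active Directory" />

</server>
```

With this fragment in place, a protected URL answers an unauthenticated request with a Negotiate challenge, and a browser that trusts the server's host (for example, a host listed in Firefox's network.negotiate-auth.trusted-uris preference, or in the Local intranet zone for Internet Explorer and Edge) replies with the SPNEGO token described in the scenario above. Leaving disableFailOverToAppAuthType at false means a client that cannot present a SPNEGO token (one outside the domain, or one that falls back to NTLMSSP, which WebSphere does not accept) is sent to the application's own login method instead of being rejected outright.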

Where do I find further information?

I hope this blog provided a quick overview to get you started!

For more configuration information for Liberty, please refer to "Configuring SPNEGO authentication in Liberty". For traditional WebSphere, see "Creating a single sign-on for HTTP requests using SPNEGO Web authentication" (WAS855 page, WAS905 page).

Application developers may be interested in the SPNEGO-related APIs: Liberty, WAS905, WAS855.

SPNEGO SSO configuration can be a little complicated. The following step-by-step instructions from WAS Support are one of the best resources: "How to Setup Single Sign-On (SSO) for HTTP requests using SPNEGO authentication in WebSphere Application Server".
