WebSphere Portal V8.0 setup SPNEGO and a small big difference

FacebookTwitterFlipboardWhatsAppShare

Setup SSO with Windows Desktop is not so hard. But when things is not well documented you can get a big headake.  A customer ask to implement this SSO. The environment was a WebSphere Portal V.8.0 cluster and the user repository was AD 2012.

I setup the system following several documents from IBM and other blogs.  The SSO just not work.

Searching a log for one  solution i found the following:

DES Encryption and Kerberos Authentication:
Starting with Windows Server 2008 R2, domain controllers (and domain members) will no longer allow DES encryption for Kerberos tickets. DES encryption was cracked last millennium, so it’s time to move on to better encryption mechanisms like AES.

http://blogs.technet.com/b/askpfeplat/archive/2013/06/03/upgrade-active-directory-to-windows-server-2012-phase-1-assessment.aspx

The solution was simple:

Before AD 2008  the keytab generation was:

ktpass –out appserver1.keytab –princ HTTP/appserver1.robo.home.ca@ROBO.HOME.CA –mapuser wastest –pass password -ptype KRB5_NT_PRINCIPAL

For AD 2012 the keytab command line must include the encryption type other than DES and one supported by WebSphere V8.0.x.

I use the following:

ktpass –out appserver1.keytab –princ HTTP/appserver1.robo.home.ca@ROBO.HOME.CA –mapuser wastest –pass password -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

The RC4-HMAC-NT did the trick.

This document show the step by step i follow.