
Step 1: Prerequisites

Use

Use this topic to configure necessary prerequisites for using the wizard-based configuration for AS Java Kerberos authentication with SPNego.

Prerequisites

      On the Active Directory Servers (ADS), create and configure a service user for the AS Java.

       The password of the user must never expire.

       The user must be enabled to use DES encryption.

      On the ADS for each Kerberos Realm, register a Service Principal Name (SPN) with the ADS service user for every DNS name that can be used to access the AS Java with Kerberos authentication.

Example

For example, to make AS Java accessible with Kerberos using the DNS names portal.customer.de and alias.customer.de, execute the following commands from an ADS command line:

setspn -a HTTP/portal.customer.de j2ee-<SID>

setspn -a HTTP/alias.customer.de j2ee-<SID>

The commands above assume that the service user is j2ee-<SID>, where SID is the AS Java system ID.

      Prepare the UME configuration file for Kerberos authentication. The UME configuration file must contain attribute mapping for resolving the user id of the authenticated user principal name in the Kerberos Realm. You can add new mappings or use a pre-configured UME configuration file. For more information, see Configuring the UME.
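
One way to check the service-user prerequisites above before confirming them in the wizard, as an added example that is not part of the SAP documentation. It assumes that "enabled to use DES encryption" corresponds to the USE_DES_KEY_ONLY bit of userAccountControl; the function name, the SID ABC and the legacy-portal account are made up for illustration.

```powershell
# Added example; the accounts below are constructed sample data, not real directory output.
$DONT_EXPIRE_PASSWORD = 0x10000     # userAccountControl: password never expires
$USE_DES_KEY_ONLY     = 0x200000    # userAccountControl: use DES encryption types (assumed mapping)

function Test-SpnegoServiceUser {
    param(
        [Parameter(Mandatory)] $Account,             # the AS Java service user
        [Parameter(Mandatory)] [string[]] $DnsNames, # every DNS name used to reach AS Java
        [object[]] $Directory = @()                  # all accounts that carry SPNs
    )
    $uac  = [int]$Account.userAccountControl
    $own  = @($Account.servicePrincipalName)
    $want = @($DnsNames | ForEach-Object { "HTTP/$_" })

    # An SPN registered on more than one account makes ticket requests for it fail.
    $dupes = @(foreach ($spn in $want) {
        $holders = @($Directory | Where-Object { @($_.servicePrincipalName) -contains $spn })
        if ($holders.Count -gt 1) { "$spn -> $($holders.sAMAccountName -join ', ')" }
    })

    [pscustomobject]@{
        PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWORD)
        DesEnabled           = [bool]($uac -band $USE_DES_KEY_ONLY)
        MissingSpns          = @($want | Where-Object { $own -notcontains $_ })
        DuplicateSpns        = $dupes
    }
}

# Constructed sample: SID "ABC" is a placeholder; "legacy-portal" is a hypothetical second account.
$svc = [pscustomobject]@{
    sAMAccountName       = 'j2ee-ABC'
    userAccountControl   = 0x200 -bor $DONT_EXPIRE_PASSWORD   # normal account, DES flag not set
    servicePrincipalName = @('HTTP/portal.customer.de')
}
$other = [pscustomobject]@{
    sAMAccountName       = 'legacy-portal'
    userAccountControl   = 0x200
    servicePrincipalName = @('HTTP/portal.customer.de')
}

Test-SpnegoServiceUser -Account $svc -DnsNames 'portal.customer.de','alias.customer.de' `
    -Directory $svc, $other | Format-List

# Against a live domain (ActiveDirectory module), feed real objects instead:
#   $svc = Get-ADUser 'j2ee-<SID>' -Properties userAccountControl, servicePrincipalName
#   $dir = Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/*)' -Properties servicePrincipalName, sAMAccountName
```

On the constructed sample the report flags the DES setting as not enabled, HTTP/alias.customer.de as missing, and HTTP/portal.customer.de as registered on two accounts.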

Procedure


       1.      Select the check box Service user is created and configured in Active Directory to confirm that this step is completed.

       2.      Select the check box UME configuration includes SPNego specific settings to confirm that this step is completed.

       3.      Choose Next to proceed to Step 2: Kerberos Realm.

Result

      The service user in the ADS is created and configured properly.

      The UME is connected to an LDAP data source and the UME data source configuration file contains attribute mappings to enable user resolution for SPNego authentication.

 
