synchronizedrewritecond

rewritecond  时间:2021-01-11  阅读:()
CopyrightIBMCorporation2010TrademarksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage1of19Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentYangChaoFengLiShengShuangYuXiaoFengFebruary02,2010Inthisarticle,wediscusstheconfigurationofaKerberos-basedsinglesign-onsolutionfromaMicrosoftWindowsdesktoptoIBMLotusConnectionsrunningonIBMWebSphereApplicationServer.
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)

Virmach($5.23/年)年付VPS闪购

每每进入第四季度,我们就可以看到各大云服务商的促销力度是一年中最大的。一来是年底的促销节日活动比较多,二来是商家希望最后一个季度冲刺业绩。这不还没有到第四季度,我们看到有些商家已经蠢蠢欲动的开始筹备活动。比如素有低价VPS收割机之称的Virmach商家居然还没有到黑色星期五就有发布黑五促销活动。Virmach 商家有十多个数据中心,价格是便宜的,但是机器稳定性和速度肯定我们也是有数的,要不这么低的...

Boomer.host:$4.95/年-512MB/5GB/500GB/德克萨斯州(休斯顿)

部落曾经在去年分享过一次Boomer.host的信息,商家自述始于2018年,提供基于OpenVZ架构的VPS主机,配置不高价格较低。最近,主机商又在LET发了几款特价年付主机促销,最低每年仅4.95美元起,有独立IPv4+IPv6,开设在德克萨斯州休斯顿机房。下面列出几款VPS主机配置信息。CPU:1core内存:512MB硬盘:5G SSD流量:500GB/500Mbps架构:KVMIP/面板...

pacificrack:VPS降价,SSD价格下降

之前几个月由于CHIA挖矿导致全球固态硬盘的价格疯涨,如今硬盘挖矿基本上已死,硬盘的价格基本上恢复到常规价位,所以,pacificrack决定对全系Cloud server进行价格调整,降幅较大,“如果您是老用户,请通过续费管理或升级套餐,获取同步到最新的定价”。官方网站:https://pacificrack.com支持PayPal、支付宝等方式付款VPS特征:基于KVM虚拟,纯SSD raid...

rewritecond为你推荐
域名注册网站免费域名申请ip代理地址IP代理什么意思?域名备案域名需要备案吗?国外网站空间怎么查看一个网站的空间是在国内还是在国外啊?100m虚拟主机一般100-200M虚拟主机一天最多支持多少人访问啊?上海虚拟主机上海虚拟主机哪家好啊?虚拟主机试用购买虚拟主机为什么商家会让你试用和测试?中文域名中文域名的概念?百度域名百度 有没有 其他的域名啊万网域名查询万网域名证书查询去那里啊?/
免费com域名申请 工信部域名备案系统 linkcloud 日志分析软件 新世界电讯 双11抢红包攻略 好看的桌面背景大图 商家促销 日本空间 ca4249 我爱水煮鱼 100m空间 流量计费 tna官网 亚马逊香港官网 服务器合租 最好的qq空间 服务器监测 空间登录首页 海外空间 更多