118 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Failover cookies do not have to be implemented in an environment with a
Session Management Server, since the Session Management Server takes
responsibility for maintaining the user session.
4.3.5 Authentication with RSA SecurID token
Access Manager supports authentication of clients using a user name and the
passcode information from an RSA SecurID token authenticator (TAR), a
physical device that stores a secret and dynamically generates a piece of
authentication data (a token code).
The TAR is used in tandem with an authentication server (the RSA ACE/Server),
which actually performs the authentication. During authentication to WebSEAL,
the client enters a user name and a passcode. The passcode consists of:
The unique PIN associated with the client's SecurID TAR
The current number sequence (token code) generated by the SecurID TAR
The ACE/Server uses its own registry database to determine the PIN that the
user should be using, checks it, and strips it from the passcode. It then checks
the remaining number sequence against the sequence it generates internally for
that token. A matching number sequence completes the authentication.
At this point, the role of token passcode authentication is complete. Token
passcode authentication does not perform identity mapping; it simply returns to
WebSEAL an Access Manager identity containing the client's user name. This
user name must match a user ID stored in the Access Manager user registry; a
user known only to the ACE/Server cannot log in.
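The following model of the flow just described is an added example and is not code from the study guide or from RSA or IBM. The ACE/Server's real token-code algorithm is proprietary; this model substitutes an HMAC over a 60-second counter (an assumption, labelled in the code), and the sample seed, PINs, user names and the `auth_method` value are constructed for the demonstration. What it shows beyond the text: the PIN is checked and stripped before the token code is compared, a small clock-drift window is tolerated, an accepted token code is never accepted a second time, and WebSEAL rejects a user whom the ACE/Server authenticated but who is absent from the Access Manager registry.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60  # SecurID token codes change every 60 seconds
DEMO_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample seed


def tokencode(seed: bytes, now: int, digits: int = 6) -> str:
    """Stand-in for the TAR's internal generator. ASSUMPTION: HMAC-SHA256 over the
    minute counter; the real SecurID algorithm is proprietary and not reproduced."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class AceServer:
    """Models the ACE/Server role from the text: owns the PIN/seed registry,
    validates the PIN, strips it, then validates the remaining token code."""

    def __init__(self, registry: dict, drift_steps: int = 1):
        self.registry = registry          # user name -> (pin, seed)
        self.drift_steps = drift_steps    # tolerate +/- one 60-second step of clock skew
        self.last_counter = {}            # user name -> last accepted counter (replay guard)

    def authenticate(self, username: str, passcode: str, now: Optional[int] = None) -> bool:
        record = self.registry.get(username)
        if record is None or not passcode.isascii():
            return False
        pin, seed = record
        if len(passcode) <= len(pin):
            return False  # passcode must be PIN followed by a token code
        # Check the PIN from the registry, then strip it off the passcode.
        pin_ok = hmac.compare_digest(passcode[: len(pin)], pin)
        code = passcode[len(pin):]
        now = int(time.time()) if now is None else now
        base = now // STEP_SECONDS
        for k in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + k
            expected = tokencode(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(code, expected) and pin_ok:
                # One-time use: never accept a token code at or before the last accepted one.
                if counter <= self.last_counter.get(username, -1):
                    return False
                self.last_counter[username] = counter
                return True
        return False  # PIN and token-code failures are indistinguishable to the caller


def webseal_token_login(ace: AceServer, am_registry: set, username: str,
                        passcode: str, now: Optional[int] = None):
    """WebSEAL's side of the flow: hand the credentials to the ACE/Server, take back
    only the user name (no identity mapping), and require that user name to exist in
    the Access Manager user registry. Returns an identity dict or None."""
    if not ace.authenticate(username, passcode, now):
        return None
    if username not in am_registry:
        return None  # authenticated by the ACE/Server, unknown to Access Manager
    return {"user": username, "auth_method": "token"}  # illustrative identity record


# Constructed sample data: bob exists for the ACE/Server but not for Access Manager.
DEMO_ACE_REGISTRY = {"alice": ("2468", DEMO_SEED), "bob": ("1357", DEMO_SEED)}
DEMO_AM_REGISTRY = {"alice"}

if __name__ == "__main__":
    now = int(time.time())
    ace = AceServer(dict(DEMO_ACE_REGISTRY))
    print(webseal_token_login(ace, DEMO_AM_REGISTRY, "alice", "2468" + tokencode(DEMO_SEED, now), now))
    print(webseal_token_login(ace, DEMO_AM_REGISTRY, "bob", "1357" + tokencode(DEMO_SEED, now), now))
```

The replay guard and the drift window are design choices of this model, not a description of the ACE/Server's internals; the point they make is that the ACE/Server, not WebSEAL, is the component that decides whether the passcode is good, and WebSEAL only ever learns a user name.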
4.3.6 Windows desktop single sign-on (SPNEGO)
Before describing Windows desktop single sign-on, there are some important
security considerations to point out:
In order for Microsoft Internet Explorer (IE) to use integrated Windows
authentication, it must recognize the Access Manager server as a site in its
Local intranet or Trusted sites zone. The Internet Explorer client must be
configured to use the SPNEGO protocol and Kerberos authentication when
contacting WebSEAL or the Web Server Plug-in.
WebSEAL or the Web Server Plug-in must be able to access Active Directory
as its Kerberos Key Distribution Center (KDC). This may expose Active
Directory to new networks.
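A practical way to confirm the first consideration above is to look at what the browser actually sends: if IE does not treat the WebSEAL host as an intranet or trusted site, or cannot obtain a Kerberos ticket for it, the `Authorization: Negotiate` header carries NTLM rather than Kerberos. The inspector below is an added example, not code from the study guide or from IBM; it decodes the GSS-API/SPNEGO NegTokenInit that a client sends in its first request and reports the mechanism it is attempting (the first entry of mechTypes is the one whose token is carried in mechToken, per RFC 4178). The sample tokens are constructed with the block's own builder; the header strings and verdict names are this example's assumptions.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OID = "1.2.840.113554.1.2.2"
MS_KERBEROS_OID = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KERBEROS_OID, MS_KERBEROS_OID}


def encode_oid(oid: str) -> bytes:
    """DER OID content bytes (no tag/length): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); raises on truncation."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_negtokeninit(mech_oids, mech_token: bytes) -> bytes:
    """Minimal GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit (constructed sample)."""
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(o)) for o in mech_oids))
    fields = der_tlv(0xA0, mech_list) + der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, der_tlv(0x06, encode_oid(SPNEGO_OID)) + der_tlv(0xA0, der_tlv(0x30, fields)))


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def inspect_negotiate_header(header_value: str) -> dict:
    """Classify an Authorization header: is the client attempting Kerberos or NTLM?"""
    scheme, _, b64 = header_value.strip().partition(" ")
    result = {"kind": "unknown", "mechs": [], "verdict": "unknown"}
    if scheme.lower() != "negotiate":
        result["kind"] = "not-negotiate"
        return result
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        result["kind"] = "bad-base64"
        return result
    if raw.startswith(b"NTLMSSP\x00"):      # raw NTLM: no Kerberos ticket was obtained at all
        result.update(kind="raw-ntlm", verdict="ntlm")
        return result
    try:
        tag, body, _ = read_tlv(raw, 0)
        mtag, oid, pos = read_tlv(body, 0)
        if tag != 0x60 or mtag != 0x06:
            return result
        mech = decode_oid(oid)
        if mech in KERBEROS_MECHS:           # raw Kerberos AP-REQ, no SPNEGO wrapper
            result.update(kind="raw-kerberos", mechs=[mech], verdict="kerberos")
            return result
        if mech != SPNEGO_OID:
            result["mechs"] = [mech]
            return result
        ntag, neg, _ = read_tlv(body, pos)
        if ntag != 0xA0:                     # [1] NegTokenResp belongs to a later round
            result["kind"] = "spnego-negtokenresp"
            return result
        _, fields, _ = read_tlv(neg, 0)
        p = 0
        while p < len(fields):
            ftag, fval, p = read_tlv(fields, p)
            if ftag == 0xA0:                 # [0] mechTypes: SEQUENCE OF OID, preferred first
                _, mech_list, _ = read_tlv(fval, 0)
                q = 0
                while q < len(mech_list):
                    _, o, q = read_tlv(mech_list, q)
                    result["mechs"].append(decode_oid(o))
    except (IndexError, ValueError):
        result["kind"] = "malformed"
        return result
    result["kind"] = "spnego-negtokeninit"
    first = result["mechs"][0] if result["mechs"] else None
    result["verdict"] = "kerberos" if first in KERBEROS_MECHS else "ntlm" if first == NTLMSSP_OID else "unknown"
    return result
```

Run it against the header captured from a failing desktop single sign-on attempt: a verdict of `ntlm` (or `raw-ntlm`) with WebSEAL configured for Kerberos points at the browser-side zone configuration or at a missing service principal for the WebSEAL host, not at the Access Manager policy.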
Therefore, it is important to use SPNEGO authentication only over a secure
network or over a secure transport. WebSEAL and the Web Server Plug-in
support the SPNEGO (Simple and Protected GSS-API Negotiation) protocol and