424 Security in WebSphere Application Server Version 6.1 and J2EE 1.4 on z/OS
11.4 Validating single sign-on using the SPNEGO TAI
In this section we validate the single sign-on scenario between a Windows
workstation and WebSphere Application Server for z/OS.
Using the user workstation, log on to the Windows Active Directory domain. We
use the Valence user ID in our configuration. This user ID exists both in Active
Directory and in RACF.
Using the kerbtray.exe utility, it is possible to see the Kerberos tickets acquired
by the user. The kerbtray.exe utility is available from the Windows Server 2003
Resource Kit Tools. Right after logon, we can verify that the workstation obtained
the ticket-granting ticket (TGT) from the Windows KDC.
This TGT is named krbtgt/KKDC.TEST.COM in our example (Figure 11-17).
Figure 11-17 User Kerberos tickets after logon
Launch a Web browser such as Microsoft Internet Explorer. Enter the URL
address of the application that you want to single sign-on with. We use the
WebSphere embedded snoop servlet in our example at the following address:
http://wtsc58a.kkdc.test.com:49080/snoop/
When WebSphere security is enabled, the embedded snoop servlet requires
authentication. Because we use the SPNEGO TAI, WebSphere answers the first,
unauthenticated request with HTTP 401 and a WWW-Authenticate: Negotiate
challenge. Because we configured the browser accordingly, the browser asks the
Windows KDC for a service ticket for the HTTP service on wtsc58a (the
HTTP/wtsc58a.kkdc.test.com service principal). The browser then resends the
HTTP request with an Authorization: Negotiate header carrying a SPNEGO token
that wraps the Kerberos AP-REQ for the user identity (Valence), and WebSphere
Application Server for z/OS validates it.
The detailed communication steps are described in the scenario description
shown in Figure 11-4 on page 402.
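As an added example (not from the Redbook or from WebSphere), the following Python script decodes the Authorization: Negotiate header the browser sends on its second request and reports which GSS-API mechanism it carries. The SPNEGO TAI expects a Kerberos mechanism inside the SPNEGO wrapper; a browser that has no service ticket for the site, or is not configured for it, falls back to NTLM, and that fallback is the most common reason this scenario fails. The sample headers are constructed inside the script with a small DER encoder; their Kerberos payload is a placeholder, not a real AP-REQ or service ticket. The OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KERBEROS = "1.2.840.113554.1.2.2"
OID_MS_KERBEROS = "1.2.840.48018.1.2.2"    # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KERBEROS, OID_MS_KERBEROS}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_negotiate(header_value):
    """Classify the token in 'Negotiate <base64>' and list the mechanisms offered.

    Returns wrapper ('SPNEGO', 'Kerberos' or 'NTLM'), mechs (OIDs in the client's
    preference order) and kerberos (True when the mechanism the TAI sees is Kerberos).
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):     # raw NTLMSSP message, no GSS wrapper
        return {"wrapper": "NTLM", "mechs": [OID_NTLMSSP], "kerberos": False}

    tag, body, _ = _read_tlv(token, 0)        # InitialContextToken: [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_raw, pos = _read_tlv(body, 0)    # thisMech OID
    this_mech = _decode_oid(oid_raw)
    if this_mech in KERBEROS_OIDS:            # bare Kerberos AP-REQ without SPNEGO
        return {"wrapper": "Kerberos", "mechs": [this_mech], "kerberos": True}
    if this_mech != OID_SPNEGO:
        raise ValueError("unknown mechanism " + this_mech)

    tag, neg_init, _ = _read_tlv(body, pos)   # NegotiationToken: negTokenInit [0]
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, fields, _ = _read_tlv(neg_init, 0)     # the SEQUENCE inside [0]
    mechs, p = [], 0
    while p < len(fields):
        tag, field, p = _read_tlv(fields, p)
        if tag == 0xA0:                       # mechTypes [0] SEQUENCE OF MechType
            _, mech_list, _ = _read_tlv(field, 0)
            q = 0
            while q < len(mech_list):
                _, oid_raw, q = _read_tlv(mech_list, q)
                mechs.append(_decode_oid(oid_raw))
    # SPNEGO uses the first listed mechanism; the TAI needs that one to be Kerberos
    return {"wrapper": "SPNEGO", "mechs": mechs,
            "kerberos": bool(mechs) and mechs[0] in KERBEROS_OIDS}


# --- constructed samples (the DER encoder below exists only to build them) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def build_sample_header(mechs, mech_token):
    """Constructed 'Negotiate' header carrying a SPNEGO negTokenInit."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_encode_oid(m) for m in mechs)))
    mech_tok = _der(0xA2, _der(0x04, mech_token))
    neg_init = _der(0xA0, _der(0x30, mech_types + mech_tok))
    gss = _der(0x60, _encode_oid(OID_SPNEGO) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()


# Placeholder Kerberos payload: a GSS wrapper and token id, not a real AP-REQ.
FAKE_APREQ = _der(0x60, _encode_oid(OID_MS_KERBEROS) + b"\x01\x00" + b"placeholder AP-REQ")
GOOD_HEADER = build_sample_header([OID_MS_KERBEROS, OID_KERBEROS, OID_NTLMSSP], FAKE_APREQ)
NTLM_IN_SPNEGO = build_sample_header([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")
RAW_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAA"   # base64 of b"NTLMSSP\x00\x01\x00\x00\x00"
```

Calling inspect_negotiate on GOOD_HEADER reports a SPNEGO wrapper with Kerberos first, which is what the TAI needs; NTLM_IN_SPNEGO and RAW_NTLM_HEADER show the two shapes an NTLM fallback takes. To check a live exchange, paste the Authorization header value from a network capture of the second HTTP request into the same function.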
Figure 11-18 Internet Explorer Snoop servlet display
The browser displays the snoop servlet, which shows the authenticated user.
The WebSphere authenticated user (Valence) is the Windows domain
authenticated user. Single sign-on occurred between the Windows domain and
WebSphere Application Server for z/OS using the SPNEGO TAI.
The same behavior happens with another Web browser such as Mozilla Firefox,
as shown on Figure 11-19.
Figure 11-19 Mozilla Firefox Snoop servlet display
The WebSphere for z/OS servant region log confirms this scenario, shows that
the SPNEGO token is processed, and highlights the authenticated user.
Example 11-6 shows this log.
Example 11-6 WebSphere z/OS servant region log with traces on
Trace: 2006/11/16 14:26:31.280 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: handleRequest
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: FINER
ExtendedMessage: SPNEGO request token successfully processed.
Trace: 2006/11/16 14:26:31.281 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: handleRequest
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: INFO
ExtendedMessage: CWSPN0023I: Username VALENCE@KKDC.TEST.COM Token size 1662.
Trace: 2006/11/16 14:26:31.282 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: trimUsername
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: FINER
ExtendedMessage: Principal name was trimmed to: VALENCE
Trace: 2006/11/16 14:26:31.283 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: negotiateValidateandEstablishTrust
SourceId: com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
Category: FINER
ExtendedMessage: Authenticated user: VALENCE Subject: Subject: Principal: VALENCE@KKDC.TEST.COM
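As an added example (not from the Redbook), this Python script parses servant region trace records like the ones above, groups them by ThreadId and extracts the facts that confirm the single sign-on: the CWSPN0023I principal and token size, the trimmed user name, and the user the TAI finally authenticated. The embedded sample is a copy of Example 11-6 with its two wrapped lines rejoined; the field names the parser keys on (ThreadId, SourceId, ExtendedMessage) are the ones visible in that trace.

```python
import re

# Copy of the trace in Example 11-6 (wrapped lines rejoined), used as sample input.
SAMPLE_TRACE = """\
Trace: 2006/11/16 14:26:31.280 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: handleRequest
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: FINER
ExtendedMessage: SPNEGO request token successfully processed.
Trace: 2006/11/16 14:26:31.281 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: handleRequest
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: INFO
ExtendedMessage: CWSPN0023I: Username VALENCE@KKDC.TEST.COM Token size 1662.
Trace: 2006/11/16 14:26:31.282 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: trimUsername
SourceId: com.ibm.ws.security.spnego.SpnegoHandler
Category: FINER
ExtendedMessage: Principal name was trimmed to: VALENCE
Trace: 2006/11/16 14:26:31.283 01 t=8C7718 c=UNK key=P8 (13007002)
ThreadId: 00000029
FunctionName: negotiateValidateandEstablishTrust
SourceId: com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
Category: FINER
ExtendedMessage: Authenticated user: VALENCE Subject: Subject: Principal: VALENCE@KKDC.TEST.COM
"""

USERNAME_RE = re.compile(r"CWSPN0023I: Username (\S+) Token size (\d+)")
TRIMMED_RE = re.compile(r"Principal name was trimmed to: (\S+)")
AUTH_RE = re.compile(r"Authenticated user: (\S+)")


def parse_records(text):
    """Split the trace into records, one dict of field -> value per 'Trace:' line."""
    records = []
    for line in text.splitlines():
        if line.startswith("Trace: "):
            records.append({"Trace": line[len("Trace: "):]})
        elif records and ": " in line:
            key, _, value = line.partition(": ")
            records[-1][key] = value.strip()
    return records


def spnego_outcomes(text):
    """Return {thread_id: outcome} for each thread that handled a SPNEGO token.

    outcome holds principal, realm, token_size, trimmed, authenticated and
    consistent (True when the TAI's authenticated user equals both the trimmed
    name and the user part of the Kerberos principal, as in Example 11-6).
    """
    outcomes = {}
    for rec in parse_records(text):
        if not rec.get("SourceId", "").startswith("com.ibm.ws.security.spnego."):
            continue                          # only the SPNEGO handler and TAI records
        out = outcomes.setdefault(rec.get("ThreadId", "?"), {})
        msg = rec.get("ExtendedMessage", "")
        m = USERNAME_RE.search(msg)
        if m:
            out["principal"] = m.group(1)
            out["realm"] = m.group(1).partition("@")[2]
            out["token_size"] = int(m.group(2))
            continue
        m = TRIMMED_RE.search(msg)
        if m:
            out["trimmed"] = m.group(1)
            continue
        m = AUTH_RE.search(msg)
        if m:
            out["authenticated"] = m.group(1)
    for out in outcomes.values():
        user = out.get("principal", "").partition("@")[0]
        out["consistent"] = (bool(user) and "authenticated" in out
                             and out["authenticated"] == out.get("trimmed") == user)
    return outcomes
```

Running spnego_outcomes(SAMPLE_TRACE) yields one entry for thread 00000029 with principal VALENCE@KKDC.TEST.COM, realm KKDC.TEST.COM, token size 1662 and consistent set to True. The token size is worth keeping in the report: a Kerberos service ticket carries the user's Windows group membership, so the SPNEGO token grows with the number of groups, and an unusually large value is the first hint that a request header limit may be reached.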
It is also interesting to look at the Kerberos tickets held by the user
workstation after the HTTP request. kerbtray.exe now shows that, in addition to
the TGT, the user obtained a service ticket (ST) for the WebSphere for z/OS
kerberized service.
This ST is named HTTP/wtsc58a.kkdc.test.com in our example (Figure 11-20).
Figure 11-20 User Kerberos tickets after HTTP request
We use Ethereal to sniff the network and see the communication flows between
the user workstation and the other parties. The capture shows the first HTTP
request to WebSphere, which is answered with 401 Unauthorized and a Negotiate
challenge, then the service ticket request to the ticket-granting server
(TGS-REQ and TGS-REP), and finally the single sign-on HTTP request to WebSphere
carrying the SPNEGO token. Figure 11-21 shows the communications from the user
workstation.
Figure 11-21 Ethereal output showing single sign-on steps
All this validates the scenario described in Figure 11-4 on page 402 and confirms
the single sign-on between the Windows domain and WebSphere Application
Server for z/OS.
