Assign the Service Principal Name and Create the Key File on WebSphere

Map the WebSphere Application Server user ID to the Kerberos Service Principal Name (SPN) and create a key file (keytab) that WebSphere can use to authenticate to the domain.

  1. On the Active Directory domain controller machine, log in as an administrator.
  2. Open an administrator command prompt.
  3. Important: Perform this step for one user only.

    Type the following to map the user:

    setspn.exe -A HTTP/LSF10.lawson.com wasLSF10

    where

    LSF10.lawson.com is the fully qualified domain name of your WebSphere server.

    wasLSF10 is the name of your WebSphere user for Kerberos authentication.

    An SPN must be registered to exactly one account in the forest; a duplicate registration causes Kerberos authentication to fail. If you suspect the SPN is already registered to another account, setspn.exe -Q HTTP/LSF10.lawson.com shows its current owner.

    When the following message appears, the user has been mapped successfully:

    Registering ServicePrincipalNames for CN=wasLSF10,CN=Users,DC=lawson,DC=com HTTP/LSF10.lawson.com
    Updated object
  4. The setspn command you just ran adds a "Delegation" tab to the properties of the wasLSF10 user (the user you mapped in step 3).

    Make sure the "Trust this user for delegation to any service (Kerberos only)" radio button is selected on this new "Delegation" tab for the wasLSF10 user. Note that this option is unconstrained delegation: it lets the account obtain service tickets on behalf of any user who authenticates to it, to any service in the domain, so restrict who can log on to the WebSphere server and treat the account as highly privileged.

  5. Type the following (on one line) to create the key file:

    ktpass -out c:\temp\LSF10.keytab -princ HTTP/LSF10.lawson.com@LAWSON.COM -mapUser wasLSF10 -mapOp set -pass Password -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

    where

    LSF10 is the machine name of your WebSphere server.

    LSF10.lawson.com is the fully qualified domain name of the WebSphere server.

    LAWSON.COM is the Kerberos realm (the Active Directory domain name in uppercase).

    wasLSF10 is the name of your WebSphere user for Kerberos authentication.

    Password is the password for the WebSphere user for Kerberos authentication.

    The c:\temp\LSF10.keytab file is created on your Active Directory server.

    Keep in mind that ktpass sets the account's password to the value given with -pass and, with -mapOp set, replaces the account's user principal name; running the command again changes the key version number and invalidates any keytab created earlier. RC4-HMAC-NT is the encryption type shown here; it is deprecated, so prefer an AES type (for example -crypto AES256-SHA1) if both your domain and the WebSphere JDK support it. The keytab is equivalent to the account's password: copy it to the WebSphere server over a protected channel, restrict its file permissions there, and delete the copy in c:\temp.
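Before copying the keytab to WebSphere, it is worth confirming that it actually contains the principal, name type and encryption type the ktpass line asked for. The following is an added example, not part of the original document or of any Lawson or IBM tooling: it parses the MIT keytab format (version 0x0502) that ktpass writes, checks that an entry for HTTP/LSF10.lawson.com@LAWSON.COM exists with name type KRB5_NT_PRINCIPAL, and flags the deprecated RC4-HMAC enctype (number 23). The sample keytab bytes are constructed inline from a placeholder key so the script runs offline; point `parse_keytab` at the real c:\temp\LSF10.keytab to inspect the file ktpass produced.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers from the IANA registry (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {
    23: "RC4-HMAC-NT",                 # what the ktpass line on this page requests
    17: "AES128-CTS-HMAC-SHA1-96",
    18: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_ENCTYPES = {23}
KRB5_NT_PRINCIPAL = 1                  # the -pType value used on this page


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes,
                 name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """Construct a one-entry keytab in the MIT 0x0502 layout that ktpass writes.
    Used here only to produce sample input; the key bytes are a placeholder."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                  # 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list[KeytabEntry]:
    """Parse every live entry of a version-2 (0x0502) keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size

        def take() -> bytes:
            nonlocal pos
            (n,) = struct.unpack(">H", blob[pos:pos + 2])
            pos += 2
            data = blob[pos:pos + n]
            pos += n
            return data

        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno8 = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        key = take()
        kvno = vno8
        if end - pos >= 4:            # the 32-bit vno, when present and non-zero, wins
            (kvno32,) = struct.unpack(">I", blob[pos:pos + 4])
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, kvno, enctype, key))
    return entries


def check_keytab(blob: bytes, expected_spn: str, realm: str) -> list[str]:
    """Return findings for the keytab; an empty list means it matches expectations."""
    findings = []
    expected = f"{expected_spn}@{realm}"
    entries = parse_keytab(blob)
    if not any(e.principal == expected for e in entries):
        findings.append(f"no entry for {expected}")
    for e in entries:
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL (1)")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal}: enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} is deprecated; prefer AES")
    return findings


# Constructed sample standing in for c:\temp\LSF10.keytab (placeholder key, kvno 3, RC4-HMAC).
SAMPLE_KEYTAB = build_keytab("HTTP/LSF10.lawson.com@LAWSON.COM", kvno=3, enctype=23, key=bytes(range(16)))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, "kvno", entry.kvno, ENCTYPE_NAMES.get(entry.enctype, entry.enctype))
    for finding in check_keytab(SAMPLE_KEYTAB, "HTTP/LSF10.lawson.com", "LAWSON.COM"):
        print("finding:", finding)
```

To inspect the real file, replace SAMPLE_KEYTAB with `open(r"c:\temp\LSF10.keytab", "rb").read()`. The kvno the script reports should match what the domain controller currently holds for the account; if ktpass is run again, the number increments and the older keytab stops working, which is the usual cause of a "wrong key version" failure on the WebSphere side.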