WebSphere Application Server Cluster : SPNEGO TAI : SSO

Active Directory

Create SPN
setspn -A HTTP/wasserver.private.lan ad-svc-spn

Check SPN
setspn –L ad-svc-spn

Generate keytab
Ktpass –princ HTTP/wasserver.private.lan@ad-domain -out c: keytab.file –mapuser ad-svc-spn –mapOp set –pass Password

WebSphere Application Server

Infocenter SPNEGO TAI

enable TAI
custom roperties



JVM settings
set server1 [$AdminConfig getid /Cell:QCell/Node:Q1N/Server:server1/]
set jvm [$AdminConfig list JavaVirtualMachine $server1]
set cjvm [lindex $jvm 0]
set attr_name [list name]
set attr_value [list value true]
set attr_required [list required false]
set attr_description [list description “Enabled SPNEGO TAI”]
set attrs [list $attr_name $attr_value $attr_required $attr_description]
$AdminConfig create Property $cjvm $attrs
$AdminConfig save
$AdminTask createKrbConfigFile {-krbPath c:winntkrb5.ini -realm I-ad-domain -kdcHost kdchost.private.lan -kdcPort 88 -dns dns.private.lan -keytabPath c:winntkrb5.keytab -encryption rc4-hmac-nt}
$AdminConfig save


Copy c:winntkrb5.keytab from dmgr to clustermembers

Note: If you don’t use the default location and Kerberos configuration file name, then you have to update *.krb5ConfigFileproperties in the soap.client.prop, ipc.client.props and sas.client.props files. Also, if the client programmatic login uses the WSKRBLogin module, you must also set the property.