It seems the last few weeks I've been putting out fires around usage of SPNEGO in an IBM WebSphere deployment, troubleshooting authentication errors. It turns out it was a mix of header size issues on the web server (IHS, IBM's branded Apache) and client-related problems on the desktop. Though it is interesting to me that IBM's SPNEGO implementation doesn't support using NTLM with the NEGOTIATE header, so it dumps users who fail on Kerberos. I wonder if their SPNEGO implementation is RFC 4559 compliant if it doesn't support NTLM?
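Both failure modes above (an oversized Authorization header and a client that falls back to NTLM inside the Negotiate token) can be diagnosed from the header the browser actually sent. The script below is an added example, not code from the original post or from IBM; it decodes an `Authorization: Negotiate` value, identifies whether the client offered Kerberos or NTLMSSP first in the SPNEGO mechType list (or sent a raw NTLMSSP blob), and compares the header line length against Apache httpd's documented default `LimitRequestFieldSize` of 8190 bytes. The sample tokens are constructed here to exercise the parser; the 6800 zero bytes stand in for a large Kerberos AP-REQ and are not a real ticket. Treating the configured limit as 8190 for IHS is an assumption that should be checked against the actual httpd.conf.

```python
import base64

# Apache httpd default LimitRequestFieldSize (assumed to apply to IHS unless raised in httpd.conf).
APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190

# DER-encoded OID values (without the 0x06 tag/length).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060104018237020 20a".replace(" ", ""))  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "KRB5", OID_MS_KRB5: "MS KRB5", OID_NTLMSSP: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """DER-encode tag + length + value (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _mech_types(neg_token_init):
    """Return the mechType OIDs from a NegTokenInit ([0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... })."""
    tag, seq_bytes, _ = _read_tlv(neg_token_init, 0)
    if tag != 0xA0:  # not a NegTokenInit (a client's first token always is)
        return []
    tag, seq, _ = _read_tlv(seq_bytes, 0)
    if tag != 0x30:
        return []
    tag, mech_list, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        return []
    tag, oids, _ = _read_tlv(mech_list, 0)
    out, pos = [], 0
    while tag == 0x30 and pos < len(oids):
        t, oid, pos = _read_tlv(oids, pos)
        if t == 0x06:
            out.append(oid)
    return out


def classify_negotiate_header(header_value, limit=APACHE_DEFAULT_LIMIT_REQUEST_FIELD_SIZE):
    """Classify an 'Authorization: Negotiate <base64>' value and flag header lines over the limit."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    line_len = len("Authorization: " + header_value)  # the field line httpd measures
    result = {"mechanism": "unknown", "mech_types": [],
              "header_line_bytes": line_len, "over_limit": line_len > limit}
    if token.startswith(NTLMSSP_SIGNATURE):  # bare NTLMSSP blob, no SPNEGO wrapper
        result["mechanism"] = "ntlm-raw"
        return result
    if not token or token[0] != 0x60:  # GSS-API InitialContextToken starts with APPLICATION 0
        return result
    _, body, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return result
    if oid in (OID_KRB5, OID_MS_KRB5):
        result["mechanism"] = "kerberos-raw"
    elif oid == OID_SPNEGO:
        mechs = _mech_types(body[pos:])
        result["mech_types"] = [OID_NAMES.get(m, m.hex()) for m in mechs]
        if mechs and mechs[0] in (OID_KRB5, OID_MS_KRB5):
            result["mechanism"] = "kerberos"   # client has a ticket and offers it first
        elif mechs and mechs[0] == OID_NTLMSSP:
            result["mechanism"] = "ntlm"       # client fell back to NTLM inside SPNEGO
    return result


def build_spnego_token(mech_types, mech_token):
    """Constructed NegTokenInit inside an InitialContextToken (sample data, not a real client token)."""
    mech_list = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_types)))
    token_field = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, mech_list + token_field)))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples: a Kerberos offer with an oversized (fake) AP-REQ, a SPNEGO-wrapped NTLM fallback, and raw NTLMSSP.
SAMPLE_KERBEROS_LARGE = _header(build_spnego_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x00" * 6800))
SAMPLE_NTLM_SPNEGO = _header(build_spnego_token([OID_NTLMSSP], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"))
SAMPLE_NTLM_RAW = _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, hdr in [("kerberos/large", SAMPLE_KERBEROS_LARGE), ("ntlm/spnego", SAMPLE_NTLM_SPNEGO), ("ntlm/raw", SAMPLE_NTLM_RAW)]:
        print(name, classify_negotiate_header(hdr))
```

Run it against headers captured from a failing client (browser developer tools or a proxy) to separate the two cases: `over_limit` points at the web server's `LimitRequestFieldSize`, while `mechanism == "ntlm"` means the client had no usable Kerberos ticket and the server's refusal to negotiate NTLMSSP is what the user sees. On the RFC question: RFC 4559 specifies that the Negotiate scheme carries a SPNEGO token; which mechanisms a server is willing to accept inside that token is left to the deployment, so a Kerberos-only server is not outside the RFC's framing, it simply has no fallback.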
While I am a full supporter of using Kerberos over NTLM, I know the limitations and client-side issues that could cause Kerberos to fail, leaving the end user with a bad experience. I would think a company like IBM would take this into account when providing solutions to large enterprises that may experience some of these client-side issues. It may not be the direct fault of WebSphere, but the perception will be that WebSphere doesn't integrate within the environment. Can this organization be the only one feeling this pain and having the need to provide fallback to NTLM? Or could it be that IBM has not deployed a similar solution in a large enterprise and experienced the same issues?
IBM is a large company focused on enterprises, one that touts itself as a solution leader, yet it seems many of its solutions really cater to the lowest-common-denominator approach. It might integrate on some level, but certainly it doesn't integrate well into complex environments. Yes, it appears I am jaded, but that is only through experience, I assure you, having struggled with several IBM/Lotus products (WebSphere, Sametime, Lotus Notes, Domino, QuickPlace, etc.) around integration.
I’d really like to hear some of the success stories and case studies of integrating these products in multi-forest/multi-domain environments, because so far I have not found any.
Anyway, here are some good articles on using IIS and Kerberos that I came across, for those curious about how it all works together:
- IIS and Kerberos Part 1 – What is Kerberos and how does it work?
- IIS and Kerberos Part 2 – What are Service Principal Names?
- IIS and Kerberos Part 3 – A simple scenario
- IIS and Kerberos Part 4 – A simple delegation scenario
- IIS and Kerberos Part 5 – Protocol Transition, Constrained Delegation, S4U2S and S4U2P