Cross-realm authentication for SPNEGO SSO in ELM

An ELM user can connect to IBM® WebSphere® Application Server in one Microsoft Active Directory domain while the user is registered in another Active Directory domain.

In cross-realm authentication, client users in one realm use Kerberos to authenticate to services that are running on a server in a different realm. This type of cross-realm authentication works only if the Active Directory domain controllers have a trust relationship. For more information, see Multiple Microsoft Active Directory domain controllers for Kerberos SSO in ELM.

For ELM web clients, no additional configuration is needed for cross-realm authentication. However, these clients do require some configuration to authenticate by using SPNEGO. For more information, see Web client configuration for SPNEGO SSO in ELM.

For ELM Eclipse clients that are based on the IBM JRE, the user must update the Kerberos configuration file (krb5.ini or krb5.conf, or a custom configuration file) to include the domain that hosts WebSphere Application Server and the domain that hosts the user. Either domain can be designated as the default realm.

For example, in the following client configuration file, WebSphere Application Server is registered with the REALM.NAME1 domain and users are registered with the REALM.NAME2 domain. REALM.NAME1 is specified as the default realm.
    default_realm = REALM.NAME1
    REALM.NAME1 = {
        kdc =
        default_domain = my.domain1
    REALM.NAME2 = {
        kdc =
        default_domain = my.domain2
    .my.domain1 = REALM.NAME1
    .my.domain2 = REALM.NAME2

video icon Video channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community forums library

support icon Support

IBM Support Community
Deployment wiki