Using the SPNEGO Policy
Learn how to use the SPNEGO policy to authenticate a downstream service.
Supported Platforms: 7.1, 7.2, 8.0
The SPNEGO policy is an Operational policy that implements the Microsoft-authored SPNEGO WS-Policy assertion (see http://msdn.microsoft.com/en-us/library/ee525179.aspx). It states that support for the SPNEGO Negotiate authentication scheme is required.
Not all services and their consumers can support both the NTLM and Kerberos options for SPNEGO. It is only required that both parties support at least one option in common. For example:
- Intermediary for Microsoft (IMS) can support both.
- Network Director can only support the Kerberos option.
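To check which option a consumer actually offers, the following added example (not part of the product documentation) parses the token in an `Authorization: Negotiate` header value and lists the mechanisms it names. The function names and the sample tokens are constructed for illustration; the set of options the service supports is supplied by the caller.

```python
import base64

NAMES = {"1.2.840.113554.1.2.2": "Kerberos", "1.3.6.1.4.1.311.2.2.10": "NTLM"}

def _tlv(buf, pos):  # one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length

def _oid(raw):  # DER OID contents -> dotted string (first arc 0 or 1 only)
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def offered_mechanisms(header):  # names offered in an 'Authorization: Negotiate' value
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no SPNEGO wrapper
        return ["NTLM"]
    tag, pos, _ = _tlv(tok, 0)  # 0x60 = GSS-API initial context token
    _, s, pos = _tlv(tok, pos)  # mechanism OID of the wrapper
    if tag != 0x60 or _oid(tok[s:pos]) != "1.3.6.1.5.5.2":  # SPNEGO OID
        raise ValueError("not a SPNEGO initial token")
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # negTokenInit, SEQUENCE, mechTypes, OID list
        tag, pos, end = _tlv(tok, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO structure")
    mechs = []
    while pos < end:  # mechTypes is ordered by the sender's preference
        _, s, pos = _tlv(tok, pos)
        oid = _oid(tok[s:pos])
        mechs.append(NAMES.get(oid, oid))  # unknown mechanisms stay as dotted OIDs
    return mechs

def common_options(header, service_supports):
    return [m for m in offered_mechanisms(header) if m in service_supports]

# Constructed samples: SPNEGO token listing Kerberos then NTLM; a raw NTLM message.
BOTH = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")).decode()
NTLM_ONLY = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

For a Kerberos-only party such as Network Director, `common_options(header, {"Kerberos"})` returning an empty list means the consumer offered only NTLM and the two sides have no option in common.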
The subject category of the identity used in the negotiation is End-User and is not configurable.
Let's take a quick walkthrough of the SPNEGO Policy configuration process to get you started.
Step 1: Add Policy / Use System Policy
- In Policy Manager, to create an SPNEGO Policy instance, go to Policies > Operational Policies and choose Add Policy.
Note: The SPNEGO Policy does not require any configuration.
Step 2: Attach Policy
After you've saved your policy, you can attach it to a downstream web service or operation that you would like to capture roll-up data for.
Step 3: Test Policy and View Monitoring Data
After you've attached the SPNEGO Policy to a service or operation, send a request to your service and go to the Services > Monitoring section to view the results for Logs, Real Time Charts, and Historical Charts. For more information on using the monitoring functions, refer to the Policy Manager Online Help, available via the Help button.