Connections 5 SPNEGO Confusion - Dogs & Cats Living Together!

I have been working on a PMR for Connections 5 trying to configure SPNEGO , foolishly as it turns out using the IBM Connections 5 Knowledge Center.  I have just finished a 3hr screenshare with WebSphere security support who started the call asking why on earth I was configuring it the way I was.  When I showed them the documentation on the Knowledge Center for configuring SPNEGO I was asked “why are the Connections team saying to do that, that will never work”. Imagine my joy having spent nearly 2 days working on it before opening a PMR.

They are going to fix the knowledge center documentation hopefully but in the meantime this handy dandy little screenshot should help you

The incorrect documentation (and hopefully it will be fixed before you even click on it) is here

In addition the WebSphere security team disagree with the Connections team on creating a keytab for the IHS server only in any circumstances which this document says to do

Finally they also disagree on requiring the connectionsAdmin account to be the one that is used to start Windows services which may be a bad use of wording on this document here (See item 6).   They have advised that as far as SPNEGO is concerned any AD account would do.

They have also advised that you should make sure there are no other SPNs for that hostname floating about (I don’t have visibility of AD but it’s one for the customer to check)

I have asked for definitive documentation from the Connections and Websphere teams on how they want this configured before moving forward