Configure SPNEGO authentication on Active Directory
ExoPortal supports SSO (Single Sign On) with Kerberos authentication against Active Directory. To install this functionality, some configuration is needed on the Active Directory server and on the application server. In this example we assume that the full name of the machine on which the Tomcat server runs is ubu.exoua-int and that it runs on a Linux host (Ubuntu 7.04). This machine must be joined to the Windows domain; how to do that is described in the Samba HOWTO.
Our implementation makes it possible to use SPNEGO or NTLM (the two terms are sometimes mixed up, but here we try to keep them separate). The client gets two authentication challenge headers, 'Negotiate' and 'NTLM', and uses the one supported by the client (browser). In Firefox it is possible to choose the type of authentication; in IE it is not. This HOWTO describes how to configure support for both authentication types. In fact, for IE, SPNEGO will work.

Active Directory configuration :
On the AD server we need to create a Kerberos identification for the Tomcat server :
1. Create a user account for the host computer on which the Tomcat server runs in the Active Directory server. (Select New > User, not New > Machine.)
When creating the two user accounts, use the simple name of the computer; I recommend naming them following the pattern host_<host-name> and http_<host-name>. The first account will be used for the LDAP connection, the second one for the authentication service over HTTP. For example, if the host name is ubu.exoua-int, create users in Active Directory called host_ubu and http_ubu.
Note the password you defined when creating the user account. You will need it in step 3. Do not select the "User must change password at next login" option, or any other password options.
2. Configure the new user account to comply with the Kerberos protocol.
- Right-click the name of the user account in the Users tree in the left pane and select Properties.
3. Generate keys for service.
- NOTE Make sure the box "Use DES encryption types for this account" is unchecked. Also make sure no other boxes are checked, particularly the box "Do not require Kerberos pre-authentication."
- Setting the encryption type may corrupt the password. Therefore, you should reset the user password by right-clicking the name of the user account, selecting Reset Password, and re-entering the same password specified earlier.
C:\> ktpass -princ host/ubu.exoua-int@EXOUA-INT -mapuser host_ubu@EXOUA-INT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass 123456 -out c:\host_ubu.keytab
C:\> ktpass -princ HTTP/ubu.exoua-int@EXOUA-INT -mapuser http_ubu@EXOUA-INT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass 123456 -out c:\http_ubu.keytab
Register the service principal names for both accounts :
C:\> setspn -A host/ubu.exoua-int host_ubu
C:\> setspn -A HTTP/ubu.exoua-int http_ubu
Check the mapping :
C:\> setspn -L host_ubu
NOTE This is an important step. If the same service is linked to a different account in the Active Directory server, the client will not send a Kerberos ticket to the server.
NOTE If the filter is used, the security-constraint must be removed from web.xml.

Configuration on Linux host :
This is an example of the file /etc/krb5.conf :
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXOUA-INT
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 EXOUA-INT = {
  kdc = test01-srv.exoua-int:88
  admin_server = test01-srv.exoua-int:749
  default_domain = EXOUA-INT
 }

[domain_realm]
 .exoua-int = EXOUA-INT
 exoua-int = EXOUA-INT

[kdc]
 profile = /etc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
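The settings above have to agree with the principals created by ktpass, which are reused as the `principal` options of the JAAS configuration later in this HOWTO. The following Python script is an added example, not code from this HOWTO or from eXo: it parses the krb5.conf shown here, applies the [domain_realm] mapping to the Tomcat host the way libkrb5 does, and reports mismatches (a misspelled section name, a missing realm or kdc, enctypes that differ from the ktpass -crypto type, a lowercase http/ service name). The config text and principals are copied from this page; the set of checks and the function names are this example's own.

```python
"""Added example, not part of this HOWTO or of eXo: consistency check for the
Kerberos client side of the setup (krb5.conf vs. the ktpass/JAAS principals).
Config text and principals are copied from the HOWTO; the checks are assumed."""
import re

# krb5.conf from the HOWTO (the parts the checks need), embedded to run offline.
KRB5_CONF = """
[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXOUA-INT
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
[realms]
 EXOUA-INT = {
  kdc = test01-srv.exoua-int:88
  admin_server = test01-srv.exoua-int:749
 }
[domain_realm]
 .exoua-int = EXOUA-INT
 exoua-int = EXOUA-INT
"""

# ktpass -princ values from the HOWTO; the JAAS entries must use the same strings.
HOWTO_PRINCIPALS = ["host/ubu.exoua-int@EXOUA-INT", "HTTP/ubu.exoua-int@EXOUA-INT"]

# Section names libkrb5 reads; a misspelled section is silently never consulted.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "kdc",
                  "appdefaults", "capaths", "pam", "login", "plugins"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'name = { ... }' block becomes a nested
    dict. Only the syntax subset used in this HOWTO is handled, and a key repeated
    inside a block (e.g. several kdc lines) keeps the last value."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:          # stray line before the first section
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections


def split_principal(principal):
    """'HTTP/ubu.exoua-int@EXOUA-INT' -> ('HTTP', 'ubu.exoua-int', 'EXOUA-INT')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def host_realm(conf, host):
    """[domain_realm] lookup as libkrb5 does it: exact host name first, then the
    longest parent domain written with a leading dot."""
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def check_setup(conf, principals, enctype="rc4-hmac"):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            problems.append(f"[{name}] is not a krb5.conf section and will be ignored")
    libdefaults = conf.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if libdefaults.get(key) != enctype:
            problems.append(f"{key} should match the ktpass -crypto type ({enctype})")
    realms = conf.get("realms", {})
    for principal in principals:
        service, host, realm = split_principal(principal)
        if service.lower() == "http" and service != "HTTP":
            problems.append(f"{principal}: service name is case-sensitive, browsers ask for HTTP/<host>")
        if realm != default_realm:
            problems.append(f"{principal}: realm {realm} differs from default_realm {default_realm}")
        if realm not in realms or "kdc" not in realms[realm]:
            problems.append(f"{principal}: no kdc configured for realm {realm}")
        mapped = host_realm(conf, host)
        if mapped != realm:
            problems.append(f"{principal}: host {host} maps to realm {mapped}, expected {realm}")
    return problems


if __name__ == "__main__":
    for line in check_setup(parse_krb5_conf(KRB5_CONF), HOWTO_PRINCIPALS) or ["OK"]:
        print(line)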
Copy the two keytab files generated by ktpass to the Linux host and rewrite them with ktutil :
andrew@ubu:~$ ktutil
ktutil: rkt host_ubu.keytab
ktutil: wkt host.keytab
ktutil: rkt http_ubu.keytab
ktutil: wkt http.keytab
- Deploy exo-tomcat, copy the SSO jar into the lib folder and change the configuration.xml file to match your network settings :
<configuration>
  <component>
    <key>org.exoplatform.services.security.sso.config.SSOConfigurator</key>
    <type>org.exoplatform.services.security.sso.config.SSOConfigurator</type>
    <init-params>
      <properties-param>
        <name>sso-properties</name>
        <property name="charset" value="UnicodeLittleUnmarked" />
        <property name="domain" value="EXOUA-INT" />
        <property name="jaas-context" value="krb5.ldap-action" />
        <property name="ldap-server" value="ldap://test01-srv.exoua-int:389/" />
        <!--
        **********************************************************
        By default, cross domain authentication is disabled.
        NOTE: The cross-domain property applies to NTLM only.
        For SPNEGO, cross domain authentication is disabled by default;
        there is some more work to do to enable it for SPNEGO.
        **********************************************************
        -->
        <!--
        <property name="cross-domain" value="true" />
        -->
        <!--
        <property name="redirect-on-error" value="http://google.com" />
        -->
      </properties-param>
    </init-params>
  </component>
</configuration>
- Tomcat context for the portal. The JAASRealm and the FormAuthenticator valve are commented out and replaced by the SSO authenticator valve :
<Context path='/portal' docBase='portal' debug='0' reloadable='true' crossContext='true'>
  <Logger className='org.apache.catalina.logger.SystemOutLogger' prefix='localhost_portal_log.' suffix='.txt' timestamp='true'/>
  <Manager className='org.apache.catalina.session.PersistentManager' saveOnRestart='false'/>
  <!--
  <Realm className='org.apache.catalina.realm.JAASRealm' appName='exo-domain' userClassNames='org.exoplatform.services.security.jaas.UserPrincipal' roleClassNames='org.exoplatform.services.security.jaas.RolePrincipal' debug='0' cache='false'/>
  <Valve className='org.apache.catalina.authenticator.FormAuthenticator' characterEncoding='UTF-8'/>
  -->
  <Valve className="org.exoplatform.services.security.sso.tomcat.SSOAuthenticatorValve"/>
</Context>
- Security role and security constraint in the portal web.xml :
<security-role>
  <description>a simple user role</description>
  <role-name>users</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>portal</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
- JAAS login configuration. com.sun.security.jgss.accept is the entry JGSS uses for the acceptor (server) side when useSubjectCredsOnly=false is set, as done below in JAVA_OPTS; it uses the HTTP service key. krb5.ldap-action is the jaas-context named in configuration.xml and is used for the LDAP connection with the host key :
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
    keyTab = "/home/andrew/http.keytab"
    useKeyTab = true
    storeKey = true
    principal = "HTTP/ubu.exoua-int@EXOUA-INT"
    doNotPrompt = true
    realm = "EXOUA-INT"
    refreshKrb5Config = true
    debug = false;
};

krb5.ldap-action {
  com.sun.security.auth.module.Krb5LoginModule required
    keyTab = "/home/andrew/host.keytab"
    useKeyTab = true
    storeKey = true
    principal = "host/ubu.exoua-int@EXOUA-INT"
    doNotPrompt = true
    realm = "EXOUA-INT"
    refreshKrb5Config = true
    debug = false;
};
- Add the Kerberos system properties to JAVA_OPTS in the eXo Tomcat start script :
KERBEROS="-Djavax.security.auth.useSubjectCredsOnly=false \
 -Djava.security.krb5.kdc=test01-srv.exoua-int \
 -Djava.security.krb5.realm=EXOUA-INT"
JAVA_OPTS="$YOURKIT_PROFILE_OPTION $JAVA_OPTS $LOG_OPTS $SECURITY_OPTS $EXO_OPTS $EXO_CONFIG_OPTS $KERBEROS"
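The introduction notes that the client answers with either the 'Negotiate' or the 'NTLM' challenge and that the two mechanisms are easily mixed up; a browser may in fact send a raw NTLMSSP token under the Negotiate scheme, so the server has to look at the token itself before handing it to the Kerberos acceptor. The following Python script is an added example, not code from this HOWTO or from eXo: it classifies the token in an Authorization header by its own framing, either the NTLMSSP signature or the mechanism OID in the GSS-API InitialContextToken. The sample tokens are constructed for the example, and the function names are its own.

```python
"""Added example, not part of this HOWTO or of eXo: tell apart what a browser
actually sent in its Authorization header.  The scheme word is not enough: a
client may put a raw NTLMSSP token under 'Negotiate', and a server that only
looks at the scheme would hand an NTLM token to the SPNEGO acceptor.
The sample tokens below are constructed for this example."""
import base64

# Mechanism OIDs in DER (SPNEGO per RFC 4178, Kerberos per RFC 4121, MS variant).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos (MS)"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"      # every NTLMSSP message starts with this


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def der_encode_length(n):
    """Inverse of der_length, used only to build the sample tokens."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def gss_token(oid, inner):
    """Wrap `inner` in an RFC 2743 InitialContextToken: [APPLICATION 0] { OID, inner }."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + der_encode_length(len(body)) + body


def classify_token(token):
    """Return 'NTLM', 'SPNEGO', 'Kerberos', 'Kerberos (MS)' or 'unknown'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    try:
        total, pos = der_length(token, 1)
        if pos + total != len(token) or token[pos] != 0x06:
            return "unknown"
        oid_len, pos = der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "unknown"
    return OID_NAMES.get(oid, "unknown")


def classify_authorization(header_value):
    """'Negotiate <base64>' or 'NTLM <base64>' -> (scheme, mechanism)."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not encoded:
        return scheme, "unknown"
    try:
        token = base64.b64decode(encoded.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return scheme, "unknown"
    return scheme, classify_token(token)


# Constructed samples: an NTLMSSP NEGOTIATE (type 1) message header, a SPNEGO
# NegTokenInit with an empty mechTypes list, and a Kerberos token whose AP-REQ
# part is only a placeholder (enough for the framing check, not a real AP-REQ).
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
SPNEGO_SAMPLE = gss_token(SPNEGO_OID, b"\xa0\x02\x30\x00")
KRB5_SAMPLE = gss_token(KRB5_OID, b"\x01\x00" + b"\x00" * 8)


def b64(token):
    return base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    for header in ("Negotiate " + b64(SPNEGO_SAMPLE), "Negotiate " + b64(NTLM_TYPE1),
                   "NTLM " + b64(NTLM_TYPE1), "Negotiate " + b64(KRB5_SAMPLE)):
        print(header[:28] + "...", "->", classify_authorization(header))
```

A server that dispatches on the result can send the Negotiate-scheme NTLM token to its NTLM handler and only SPNEGO or Kerberos tokens to the JGSS acceptor configured above; anything classified as unknown is rejected with a fresh challenge rather than passed further.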
on 23/07/2008 at 14:00