I have been asked to implement seamless SSO authentication against active directory for a weblogic web based application.
After loads of testing and experimentation I have managed to get all the chain working as required.
Users logging in from a windows managed PC and using IE can seamlessly login to the web application.
After that, an apache was configured and installed between the web browser and weblogic in order to perform HTTPS-->HTTP termination. Once this was done the browser stopped performing seamless login - though basic authentication did work;
Investigating further, I noticed that the Authorization header was not forwarded across to weblogic which justifies why the authentication does not take place.
Note that the apache server I am using is 2.2.
Does anybody know if apache explicitly removes the Authorization header? I have also tried increasing the request maximum size to 30KB in case that was the problem
Thank you
We need to install the following package.
apt-get install libapache-mod-auth-kerb
First we have copy the HTTP.keytab (which is generated at "Active Directory") to etc/krb5.keytab like as below.
cp /root/HTTP.keytab /etc/krb5.keytab
Next we will have to give proper permissions.
chown www-data:www-data /etc/krb5.keytab
chmod 400 /etc/krb5.keytab
Next we go to Apache virtual hosts path
vi /etc/apache2/sites-available/default
Add one directory as like below
`<Directory />
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP
KrbAuthRealm YOURDOMAIN.LOCAL //It is Domain name of your server
KrbMethodNegotiate on
KrbSaveCredentials on
KrbVerifyKDC on
Require valid-user
</Directory>`
Restart Apache web server
/etc/init.d/apache2 restart
Next go to browser of Active Directory client machine and hit the web server with FQDN of apache server. It will not ask you the password to open that website.
NOTE:
For explorer browser we need set automatic logon with user name and password at security tab
user authentication -> logon -> automatic logon with user name and password
If you found any difficulties please update me.
Related
I want to automatically authenticate, 'active directory users', which are logged in to their windows, in my applications.
in short, i want SSO for my applications using windows credentials.
**Client is React and back-end is Java 8 and Spring 4.1.2 and Spring Security is 3.2.5.
I already authenticate and search 'active directory users' in my applications, using spring LDAP 3.2.5.
but users should submit their username and password when they use browser.
I have read about 'Integrated Windows Authentication' (IWA), 'Kerberos', 'NTLM'.
should I use NTLM instead of LDAP ???
or, should I use Kerberos ???
or, should I use ADFS ???
should I config anything in active directory for that ???
**I cant config anything in active directory
should I get windows credentials programmatically in react and send it to server and from server I should send that credentials to active directory to verify it ???
I don't know but, should I say any thing in my 'HTTP response' to 'HTTP OPTION Request' to force browser to set windows credentials in next request ??
and, thanks for your time.
There are a couple ways to do this:
Windows Authentication
This is best for the user as it is a seamless login. If the website is trusted, then the browser will automatically send the credentials of the currently-logged-on user to the site.
In this case, the web server (Tomcat in this case) handles the authentication and passes the credentials to the application. If you were using IIS and Windows, the setup would be super easy. But with Tomcat on Linux, it's a little harder. You need to setup kerberos, which requires setting up SPN (Service Principal Name) values on the domain so that your server is trusted on your domain to authenticate. The full instructions for setting this up in Tomcat 8 are here: Windows Authentication How-To
Once that is setup, your website needs to be trusted by the browsers. If your site is recognized as an intranet site, then this should already be true. If not, then your site's domain needs to be added to the Trusted Sites in the Internet Options on the client computers. This can also be done via Group Policy. That will work for IE and Chrome. Firefox uses its own network.negotiate-auth.delegation-uris setting.
Forms Authentication
Another way is to use a login page to ask the user for their username and password, then authenticate them via LDAP in your Java application code. I will assume you know how to setup a login page, so you just need to know how to verify the credentials. You can use the answer here for that code. That answer has the code in a console app, but you can pull out the code that takes the username and password and verifies it.
This is arguably easier to setup, but at the cost to the user.
Recently we started to upgrade our clients from Java 6u31 to 8u121.
Here we see an impact on our internal web application written in Java.
Client(s) connects to a web-server which has the JNLP and JARs locally.
However now with the new Java 8u121 we get a pop-up from java : Authentication required.
We can click on cancel and the Java app will load but this is not acceptable for our users.
Is this a Java problem or a Proxy problem?
We started to do a trace with wire-shark to see what happens when the Java pop-up "authentication required" occurs. Here we could see that our proxy server blocks a global-sign site to validate a certificate. Here we made an exception for that site. Now we have no issue anymore and the pop-up is not occurring anymore.
You can prevent that authentication window by setting the property deployment.security.authenticator value to false in the deployment.properties
Normally Plug-in and Web Start install an Authenticator to handle
communication with Authenticating web pages or Authenticating proxies.
This is the default behavior (true). This option can be used to turn
the normal behavior off if, for example, an application communicates
directly with an authenticating web page and needs to install its own
Authenticator.
Location of the deployment.properties
in Windows - \LocalLow\Sun\Java\Deployment\deployment.properties
in Linux - ${user.home}/.java/deployment/deployment.properties
in OS X - ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
Im implemeting an SSO login feature for an application. Problem is that tomcat server need to be installed on linux or windows - so i cannt use waffle.
I also dont want to use kerberos because i can't enforce client to generate keytab files and also application runs sometimes on localhost or intranet - SPN name is different for this case. Next problem is that i cant modify Active Directory structure (add new computer user etc.).
Finally i think that i should use NTLM to negotiate access to application. Is it right ?
Is there any library like waffle which can let tomcat to handle negotiate ? Or is there other way to do that ?
I am building a small Java (servlet) authentication web application that will be running on Tomcat. The application will authenticate a user and then redirect the user to another web application (on a different server). The problem is that after the user authenticates I need to somehow tell Apache that this session is authenticated and that Apache should redirect (using RewriteRules) the http request to the target web application (and not the one for authentication).
According to my research I have 3 options:
1. After authentication success I redirect to a URL that tells Apache that this session is authenticated (using RewriteRules). I can store this information in Cookie (issue: security) or Apache Environment Variables (issue: clearing inactive Environment variables ...).
2. Use a apache mod for storing sessions in to a database. On auth success I update the database with Java app, apache redirects all requests to target URL (issue: DB access load (up to 500 active concurent users)).
3. HTTP tunneling. But this means that every request for target application is going through my authentication application (issue: redundant, slow, ...)
Is there another way to do this?
What would be the best way to do this?
Thanks a bunch.
A few ways of doing this,
If you can afford an enterprise solution, go with Oracle Identity
Management / Oracle Access Management. It will redirect to a login
page, once login is successful and the right cookie has been added,
all future requests will get a header injected in their requests on
the internal side. Your internal app can key in on the header and
confirm that the user has logged in. To do development, you can run
the secure app without OIM/OAM by using Firefox ModifyHeaders
plugin.
If you cannot afford an enterprise solution, go with OpenIAM, it
does the same thing but at a small scale without reporting and high-availability features.
There might be a third of doing this, but I've never tried it, that
would be by using Apache's authentication modules (or a combination
of them), like http://authmemcookie.sourceforge.net/, or
http://httpd.apache.org/docs/trunk/mod/mod_session.html
Good luck!
How can I retrieve the credentials for the currently logged-in Windows user that accessing my web application in java
From a standalone application, I can access the user id of a logged-in window user using
com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem();
System.out.println(NTSystem.getName());
However, this will not work for web app, since it will always print out the id of the user that running Tomcat, not the id of the user who accessing the web application
I see this being done before, that if I access a website via IE, it automatically log me in, but I use other browser, then a log-in box pop out. Any idea how to achieve this, thank you?
My web app is written in JSF with Tomcat 7.
You need to use a library that can receive the Kerberos token that IE will sent (assuming that it is configured with Integrated Windows Authentication).
There are multiple approaches/libraries to doing this, which are well documented on Apache's site for Tomcat. Here you go: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
You have some different options to achieve this. Tomcat has some suggestions on their homepage. I've used both IIS fronting and the spring-security kerberos extension and they work just fine.