Kerberos SSO implemented with Java [closed] - java

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
I am trying to create a Java program that will get my Windows user's credentials, then connect to the Kerberos on my Unix box, authenticate, and allow me to use a service, for example an LDAP server.
All examples I have found tend to ask me for my password when run; I do not want this. I wish to be able to run the program and, as if by magic, be Kerberos-authenticated.
Any links and examples are appreciated.

We have successfully set up SSO using Kerberos with a Java EE application, authenticating against a Windows Active Directory, after many weeks of trials and web crawling.
JBoss Negotiation and Spring Kerberos have both worked for us. However, neither set of documentation is accurate enough to get you off the ground running. Put simply, for either solution:
1. Create a service user in Active Directory.
2. Use ktpass to create a keytab file for this user. (Many gotchas with ktpass, as listed below.)
3. Use setspn -A to fix ktpass.
4. Ensure your krb5.conf (Linux) or krb5.ini (Windows) is correct.
5. Ensure you are not running the client on the same box as the server.
6. Ensure your times are in sync across your domain.
7. Test Kerberos using the kinit in the JDK.
8. Configure your web application to delegate authentication via the provided filter.
9. Configure an XML file to use the appropriate service principal user as created initially.
10. Run your service as the principal user!
If using Spring, you can then implement a UserDetailsService to query LDAP (Active Directory) and set roles on the user principal.
From within your application the user principal should be != null.
ktpass problems:
Ensure your service user is set to "user cannot change password" in Active Directory.
Ensure you provide the password on the command line.
Ensure that you can still open a command prompt as that user after generating the keytab.
Ensure you specify KRB5_NT_PRINCIPAL.
The format should be:
ktpass /out c:\service.keytab /mapuser userservice@TESTDOMAIN.SERVER.COM /princ HTTP/hostname@TESTDOMAIN.SERVER.COM /pass <password> /ptype KRB5_NT_PRINCIPAL
Add the fully qualified service principal using setspn -A as follows:
setspn -A HTTP/hostname.testdomain.server.com userservice
DO NOT RESET THE SERVICE PRINCIPAL USER'S PASSWORD (you will have to regenerate your keytab).
Finally, before every single test, use kinit purge to clear cached tickets.
Also, duplicate SPNs will break things badly! setspn -X in Windows Server 2008 will detect this (or Google for a script). If in doubt when doing this, start afresh with a new service user and principal name every time!
Hope this helps someone avoid the pain I've had.
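As an added worked example (not code from the answer above, and not JBoss Negotiation's or Spring Kerberos's own code), here is the bare-JDK version of the keytab, JAAS and filter steps: a JAAS configuration in which the initiator reuses the ticket cache with no password prompt and the acceptor uses the keytab written by ktpass, plus a small GSS-API program that runs both ends of the SPNEGO handshake in one JVM and prints the authenticated client principal, which is exactly what the original question asked for. The host name, realm and keytab path are taken from the answer's own ktpass line as placeholders; the file name jaas.conf and the krb5.conf path are assumptions.

```java
// SpnegoRoundTrip.java: added example, not code from the answer above nor from
// JBoss Negotiation or Spring Kerberos. Runs both ends of a SPNEGO handshake in
// one JVM: the initiator uses the ticket cache (no password prompt), the acceptor
// uses the keytab that ktpass produced. Needs Java 8+ and a reachable KDC.
//
// Run (file names and paths are assumptions, substitute your own):
//   java -Djava.security.krb5.conf=/etc/krb5.conf \
//        -Djava.security.auth.login.config=jaas.conf \
//        -Djavax.security.auth.useSubjectCredsOnly=false \
//        SpnegoRoundTrip HTTP/hostname.testdomain.server.com@TESTDOMAIN.SERVER.COM
//
// jaas.conf: with useSubjectCredsOnly=false the JDK looks up these two entry
// names itself, so no LoginContext/Subject.doAs code is needed below.
//
//   com.sun.security.jgss.krb5.initiate {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useTicketCache=true     // reuse the TGT from kinit or the Windows logon
//       doNotPrompt=true;       // fail instead of asking for a password
//   };
//   com.sun.security.jgss.krb5.accept {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true
//       keyTab="/etc/service.keytab"   // the file ktpass wrote
//       principal="HTTP/hostname.testdomain.server.com@TESTDOMAIN.SERVER.COM"
//       storeKey=true
//       isInitiator=false;
//   };
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoRoundTrip {

    /** SPNEGO pseudo-mechanism; the JDK negotiates Kerberos 5 underneath it. */
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    public static void main(String[] args) throws GSSException {
        if (args.length != 1) {
            System.err.println("usage: SpnegoRoundTrip HTTP/host.fqdn@REALM");
            System.exit(2);
        }
        GSSManager gss = GSSManager.getInstance();

        // Client side: target the service principal that setspn registered.
        GSSName service = gss.createName(args[0], GSSName.NT_USER_NAME);
        GSSContext client = gss.createContext(service, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
        client.requestMutualAuth(true);   // make the service prove it holds the keytab
        client.requestCredDeleg(false);   // do not hand the user's TGT to the web app

        // Server side: the acceptor credential comes from the keytab via the JAAS accept entry.
        GSSCredential serverCred = gss.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                SPNEGO, GSSCredential.ACCEPT_ONLY);
        GSSContext server = gss.createContext(serverCred);

        // Shuttle tokens until both sides report an established context. Over HTTP these
        // bytes travel base64-encoded in "Authorization: Negotiate" / "WWW-Authenticate: Negotiate".
        byte[] toServer = client.initSecContext(new byte[0], 0, 0);
        byte[] toClient = null;
        for (int round = 0; !(client.isEstablished() && server.isEstablished()); round++) {
            if (round > 4) {
                throw new GSSException(GSSException.FAILURE, 0, "handshake did not converge");
            }
            if (toServer != null && !server.isEstablished()) {
                toClient = server.acceptSecContext(toServer, 0, toServer.length);
                toServer = null;
            }
            if (toClient != null && !client.isEstablished()) {
                toServer = client.initSecContext(toClient, 0, toClient.length);
                toClient = null;
            }
        }

        // What a servlet filter would set as the request's user principal.
        System.out.println("authenticated client : " + server.getSrcName());
        System.out.println("service principal    : " + server.getTargName());
        System.out.println("mutual authentication: " + client.getMutualAuthState());
        client.dispose();
        server.dispose();
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two caveats when running this on a Windows client: the JDK can only reuse the logon TGT from the LSA cache if the registry value AllowTgtSessionKey (DWORD 1) exists under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, otherwise the TGT arrives without its session key and, with doNotPrompt=true, the initiator login simply fails; and the keytab must contain an encryption type that both krb5.conf and the service account in AD allow, or acceptSecContext fails with a "no supported encryption types" style error even though kinit succeeded. In a real deployment only the accept half lives in the app server; the browser is the initiator.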

Related

SSO(Single Sign On) in java web applications [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I have multiple Java web applications, all having their own login functionality. I want to apply SSO (Single Sign-On) to them, by any method.
I have spent the last 2 days trying to find a solution, but I have no result.
Please, can anyone help me with that?
My requirement is:
1. If a user logs on to a single application he would be automatically logged on to the other applications.
Sorry for my English, and thanks in advance.
If the applications are in a Windows intranet and use Windows logins, Waffle will do the job. Otherwise, develop your own simple ticket-granting service to provide SSO among your applications.
Update:
All of your apps have to have filters. The filter sends the session/cookie data (if available) to your SSO service to verify whether the incoming request's principal has already been granted or not. If the session or cookie is not associated with a ticket, then you redirect to the login page. If the request is a login, then the filter sends it to the SSO service, which verifies the user and password against your database and adds an entry to the SSO map, saying "this user just logged in". So it will send a ticket for that login. A ticket is just a randomly generated id. If the SSO service is not able to validate the user, then there will be no entry in the SSO map and it will send a failure error to your filter.
So your user validation goes into a separate service, which I just named the SSO service.
You will have to remove idle entries from the SSO map.
Read about how SSO works; you will understand.

Automatically authenticate AD user (who is already logged in on tomcat application) in IIS application

I have two applications. One is running on IIS and the second on Tomcat. Both applications authenticate users through Active Directory. Currently users have to provide their domain, username and password in both applications separately in order to use them.
What I want is: if a user logs in to the Tomcat application using AD details, we show a button in the application which opens our IIS application in another browser tab (already done), and in that IIS application this user doesn't need to log in with AD details again (it should be logged in automatically), as he has already used the same account to log in to the other application (the Tomcat application).
Is this possible? If yes, please tell me how I can achieve this.
You want Kerberos. Built into IIS, available for Tomcat: http://tomcatspnegoad.sourceforge.net/ (Yes, I am the author of that and it works great in a multidomain environment.)
Best to think along slightly different lines than you currently do:
Authenticate both Tomcat and IIS to a common SSO system, rather than just from one to the other. SSO systems are specifically made to allow this. A neat side effect is that these systems are single-purpose, relatively easy to monitor/protect and they'll be the only ones in touch with your passwords: no application that is using SSO for sign-on needs to know any user's password. So you can't lose any password.
Whatever route you go (Michael-O has suggested Kerberos; I'm not recommending any specific product or protocol), don't try to provide one system's password to the other system. This would inherently introduce security issues.

Single-Sign-On (SSO) in Java Platform using Active Directory

I need to develop a web application for intranet users. I don't want them to enter their login credentials each time they visit the site. It should be loaded automatically from the system username and password.
I have successfully implemented functionality which prompts for a user name and password registered with Active Directory and validates them against LDAP. I need some tips to log in directly from the intranet website without prompting for username and password.
Here are my queries; please let me know your suggestions.
Is it compulsory to set an SPN?
Do we need to create a separate keytab file for each client? In my organization there are around 800 people working, so would I need to add all client principals to the keytab file and copy it to the client machines to perform autologin?
I have tried many APIs like JESSO, Waffle, Spring Kerberos and SPNEGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation), you do have to set up an SPN. And you only need one keytab for the AD domain. Are you running your Java program on some app server, like WebLogic, or as a standalone program? Servers have a security framework that you could use, while for a standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.

PAM "pam_unix.so" authentication sometimes fails

I'm having some trouble with PAM. I have a Tomcat webapp that uses PAM to authenticate. During install we make a symbolic link in /etc/pam.d to the /etc/pam.d/sshd file. This has always worked.
Recently I added a way for users to authenticate on each request (rather than using a JSESSIONID cookie). This was added because we need to batch-load some data into a monitoring application periodically and using Basic Auth was easy.
If I curl my web service repeatedly (like 10 times a second), then every once in a while PAM will fail. This happens around once every 500 times, though my client claims that it happens once every couple of times (note that they are running remotely, though I don't see why that matters).
I have replaced my symlinked PAM config with a minimal config of:
#%PAM-1.0
auth sufficient pam_unix.so audit
auth required pam_deny.so
I have also added this to my /etc/syslog.conf:
*.debug /var/log/debug.log
The only applicable log messages can be found in debug.log:
Mar 12 09:49:32 arques java: pam_unix(foo:auth): unable to obtain a password
Mar 12 09:49:32 arques java: pam_unix(foo:auth): auth could not identify password for [root]
How do I debug this further? I have tried:
Using different hosts, one of which is a brand new install
Turning off the nscd service
I'm having a similar problem with a Java application that uses PAM for authentication. For now, I'm guessing the problem is within the distributed Java PAM binding implementation on CentOS 6.4. I no longer have access to that system (but I'm still trying to solve this problem) so I cannot provide specifics such as JDK version, etc.
My solution ultimately was to harshly kludge PAM:
#%PAM-1.0
auth sufficient pam_debug.so
To make this more explicit, you could use "pam_permit.so" instead.
That's it, basically. Any valid user would then be authenticated, with or without password. Ugh.
I'm continuing to research better answers.

SSO, the unknown [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I'm starting to work on an SSO solution for 3 different webapps we've produced and still maintain for the same client.
Thing is, all 3 store their users and login information in the same place, through a fourth, separate application which provides just basic RESTful API services.
Which basically means that when one tries to log in, we actually call the REST service asking whether this username and password are correct.
In a way this fourth RESTful thingie already does at least half of the job we need.
What we need now is a way to let users log into webapp A, then follow a link to webapp B (or simply type its URL) and get there already logged in (or vice versa).
I've been reading a lot about CAS and OpenID or even OAuth but can't really make up my mind about it.
Is this pattern centralized? Decentralized?
My ten-thousand-foot view suggests I would somehow just need to add this "missing feature" to our RESTful API server.
But how?
PS: these 3 are completely separate, deployed on different machines (2 of them run on GlassFish, the other one runs on Tomcat). Different domains too.
PPS: they're all Spring-driven webapps (hence they use Spring Security).
PPPS: as of today, there are other webapps using our RESTful API (non-Spring, non-Java).
This SSO solution might have to be ready to handle those too.
Yeah, it sounds like you need a "true" single sign-on system rather than just a centralized credential repository. As you mentioned, there are several options:
OpenID: more suited to an internet-type application in which you want to allow users to log into your systems with credentials that are maintained by a third party. Stack Overflow is a classic example: you can sign in with your Google account etc.
OAuth provides pseudo-authentication and SSO; whereas OpenID says "this is user x", OAuth says "this user has access to x's information", so you can assume that the user is x.
CAS, Cloudseal, OpenAM etc. all provide true single sign-on and are suitable for an intranet or extranet environment. CAS and Cloudseal have especially good Spring support.
The trusted site (a relying party (RP) in the white list; apps A, B and C in your case) makes a request (redirect) to the main site (the provider, your "fourth separate application") with a return URL.
The main site makes sure the request (return URL) is from the white list of domains.
It logs the user in (if not logged in, displaying the login form), marks the user as logged in in the database and adds a temporary token to the user database.
The main site returns (redirects) to the RP with the token.
The RP looks up the token in the database, logs the user in and deletes the token.
Single sign-off is also easy: just check a boolean record (userLogged) in the user database on every request. NO REDIRECTS. On logout simply change the record (userLogged) to false and every site will know.
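An added example (not code from either answer on this page) of the hand-off that both this answer and the "SSO map" answer to the earlier question describe: a central ticket service that verifies a return URL against an RP white list, mints a single-use random token bound to that RP, marks the user as logged in, and lets every RP consult the central userLogged record for sign-off. The host names, lifetimes and the in-memory maps are assumptions; a real service would keep them in the shared user database the question mentions, and the password check itself would be the existing REST call.

```java
// SsoTicketService.java: added example of the ticket hand-off sketched in the two
// answers above. Not code from either answer. Host names, TTLs and the in-memory
// maps are assumptions; a real service backs them with the shared user database.
// Java 11+ (Set.of, URLEncoder with a Charset, Optional.orElseThrow()).
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SsoTicketService {

    /** A pending hand-off: the user, the one RP host allowed to redeem it, and its deadline. */
    private static final class Ticket {
        final String user; final String audience; final Instant expires;
        Ticket(String user, String audience, Instant expires) {
            this.user = user; this.audience = audience; this.expires = expires;
        }
    }

    private final Set<String> trustedRpHosts;                                // the RP white list
    private final Map<String, Ticket> pending = new ConcurrentHashMap<>();    // sha256(token) -> ticket
    private final Map<String, Instant> sessions = new ConcurrentHashMap<>();  // user -> last seen (userLogged)
    private final Duration ticketTtl;
    private final Duration idleTimeout;
    private final SecureRandom rng = new SecureRandom();

    public SsoTicketService(Set<String> trustedRpHosts, Duration ticketTtl, Duration idleTimeout) {
        this.trustedRpHosts = trustedRpHosts;
        this.ticketTtl = ticketTtl;
        this.idleTimeout = idleTimeout;
    }

    /** Main-site side: the password was just verified; mint a token and send the user back.
     *  A return URL whose host is not white-listed is refused, which is what stops an open redirect. */
    public Optional<URI> issue(String user, String returnUrl) {
        URI back = URI.create(returnUrl);
        String host = back.getHost();
        if (host == null || !"https".equals(back.getScheme()) || !trustedRpHosts.contains(host.toLowerCase())) {
            return Optional.empty();
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw);                                   // 256 bits from a CSPRNG, never a counter
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(token), new Ticket(user, host, Instant.now().plus(ticketTtl)));
        sessions.put(user, Instant.now());                    // "this user just logged in"
        String sep = back.getQuery() == null ? "?" : "&";
        return Optional.of(URI.create(returnUrl + sep + "ticket="
                + URLEncoder.encode(token, StandardCharsets.UTF_8)));
    }

    /** RP side: present the token exactly once; it is consumed even when it is rejected. */
    public Optional<String> redeem(String token, String rpHost) {
        Ticket t = pending.remove(sha256(token));
        if (t == null || Instant.now().isAfter(t.expires) || !t.audience.equalsIgnoreCase(rpHost)) {
            return Optional.empty();
        }
        sessions.put(t.user, Instant.now());
        return Optional.of(t.user);
    }

    /** Every RP request: consult the central userLogged record and refresh the idle clock. */
    public boolean isLoggedIn(String user) {
        Instant last = sessions.get(user);
        if (last == null || Instant.now().isAfter(last.plus(idleTimeout))) return false;
        sessions.put(user, Instant.now());
        return true;
    }

    /** Single sign-off: flip the central record; each RP notices on its next request, no redirects. */
    public void logout(String user) { sessions.remove(user); }

    /** Housekeeping the earlier answer asks for: drop expired tickets and idle sessions. */
    public void evictIdle() {
        Instant now = Instant.now();
        pending.values().removeIf(t -> now.isAfter(t.expires));
        sessions.values().removeIf(last -> now.isAfter(last.plus(idleTimeout)));
    }

    /** Store a digest so a leaked copy of the map does not hand out live tokens. */
    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        SsoTicketService sso = new SsoTicketService(Set.of("appa.example.com", "appb.example.com"),
                Duration.ofMinutes(1), Duration.ofMinutes(30));
        // App A sent alice to the main site, which verified her password against the REST service.
        URI back = sso.issue("alice", "https://appa.example.com/landing?next=1").orElseThrow();
        String token = back.getQuery().substring(back.getQuery().indexOf("ticket=") + 7);
        System.out.println("redirect to        " + back);
        System.out.println("app A redeems:     " + sso.redeem(token, "appa.example.com"));
        System.out.println("replay is refused: " + sso.redeem(token, "appa.example.com"));
        System.out.println("app B sees login:  " + sso.isLoggedIn("alice"));
        System.out.println("unknown RP:        " + sso.issue("alice", "https://evil.example.com/"));
        sso.logout("alice");
        System.out.println("after sign-off:    " + sso.isLoggedIn("alice"));
    }
}
```

The three properties worth keeping whatever storage you use are visible in issue() and redeem(): the token is unguessable and short-lived, it is deleted on first use so a URL copied from a browser history or referrer log cannot be replayed, and it is bound to the RP that asked for it so a token issued for app A cannot log someone in to app B. The white-list check must compare the parsed host, not a string prefix, or https://appa.example.com.evil.example.com/ would pass.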
