Vintela Single Sign-on for Java. Deployment Guide JBoss Edition 3.2

Size: px
Start display at page:

Download "Vintela Single Sign-on for Java. Deployment Guide JBoss Edition 3.2"

Transcription

1 Vintela Single Sign-on for Java Deployment Guide JBoss Edition 3.2

2 2007 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, please contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA USA legal@quest.com telephone: Please refer to our Web site for regional and international office information. TRADEMARKS Quest, Quest Software, the Quest Software logo, Aelita, Fastlane, Spotlight, and Vintela Single Sign-on for Java are trademarks and registered trademarks of Quest Software, Inc. Adobe Reader is a registered trademark of Adobe Systems Incorporated in the United States and/or other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Vintela Single Sign-on for Java from Quest Software Deployment Guide Updated - April 2007 Software Version - 3.2

3 CONTENTS PREFACE VII WHO SHOULD READ THIS GUIDE? VIII WHAT S IN THIS GUIDE? VIII CONVENTIONS IX CHAPTER 1: INTRODUCTION TO VSJ OVERVIEW ABOUT VSJ ABOUT KERBEROS ABOUT ACTIVE DIRECTORY ACTIVE DIRECTORY GROUPS ACTIVE DIRECTORY SITES PRINCIPALS, COMPUTER AND USER OBJECTS VSJ AND ACTIVE DIRECTORY SPNEGO AND INTERNET EXPLORER HOW DOES VSJ JBOSS EDITION WORK? CHAPTER 2: PREPARING YOUR DEPLOYMENT ENVIRONMENT FOR VSJ OVERVIEW PRE-INSTALLATION DOMAIN NAME SERVICE (DNS) TIME SYNCHRONIZATION SERVICE ACTIVE DIRECTORY APPLICATION SERVER CLIENT MACHINE DEPLOYMENT RISKS SERVICE UNAVAILABILITY TIME SYNCHRONIZATION REPLICATION INTERRUPTIONS RESOURCE SECURITY iii

4 Vintela Single Sign-on for Java from Quest Software SETTING UP ACTIVE DIRECTORY ACCOUNTS FOR VSJ STEP 1: CREATE A USER ACCOUNT STEP 2: MAP A SERVICE PRINCIPAL NAME (SPN) STEP 3: FINAL STEPS SETTING UP ACTIVE DIRECTORY ACCOUNTS ON A VAS-ENABLED HOST VINTELA AUTHENTICATION SERVICES (VAS) USING THE VAS HOST SERVICE PRINCIPAL NAME TO INSTALL VSJ CREATING A HTTP SERVICE PRINCIPAL USING VASTOOL POST-INSTALLATION SETTING UP INTERNET EXPLORER FOR SSO CREATING KEYTAB FILES CHAPTER 3: DEPLOYING VSJ JBOSS EDITION OVERVIEW INSTALLING VSJ JBOSS EDITION CONFIGURING THE VSJ EXAMPLES DEPLOYING WEB COMPONENTS USING VSJ JBOSS EDITION SETTING UP LOGGING USING VSJ CREDENTIAL DELEGATION DELEGATING TO ANOTHER WEB RESOURCE USING SPNEGO.40 CROSS-DOMAIN ISSUES CLIENT-SIDE CONFIGURATION BASIC FALLBACK CHAPTER 4: VSJ FEDERATION FOR JBOSS INTRODUCTION FEATURES PREREQUISITES INSTALLATION CONFIGURATION iv

5 Contents CHAPTER 5: USING THE JKTOOLS OVERVIEW THE JKTOOLS JKINIT JKLIST JKTUTIL EXAMPLES CHAPTER 6: SECURITY ISSUES OVERVIEW SUMMARY OF BASIC RECOMMENDATIONS CLIENT ISSUES COOKIES CACHING OF PASSWORDS FOR BASIC FALLBACK SPNEGO/WINDOWS INTEGRATED AUTHENTICATION LIFETIME OF AUTHENTICATION SESSION IDS ACTIVE DIRECTORY PERMISSIONS BASIC FALLBACK KEYTABS AND PASSWORDS AUTHORIZATION DO YOU NEED AUTHORIZATION? SECURING LDAP USING THE "PRINCIPLE OF LEAST PRIVILEGE" DENIAL OF SERVICE BASIC FALLBACK SESSION STATE AUDITING NTLM AUTHENTICATION WHAT IS NTLM? DIFFERENT VERSIONS OF NTLM NTLM AND INTERNET EXPLORER v

6 Vintela Single Sign-on for Java from Quest Software CHAPTER 7: MAINTENANCE AND TROUBLESHOOTING OVERVIEW MAINTENANCE LOGGING NEW USERS / GROUPS ACCOUNT SETTINGS NETWORK TOPOLOGY CHANGES TROUBLESHOOTING GENERAL ACTIVE DIRECTORY BROWSERS AUTHENTICATION KEYTABS NETWORK CONNECTIONS CREDENTIAL DELEGATION DEBUGGING APPENDIX A: VSJ CONFIGURATION PARAMETERS GLOSSARY INDEX vi

7 Preface As the use of distributed systems increases, users need to access resources that are remotely located. Traditionally users have had to sign-on to multiple systems, many requiring different usernames, passwords and authentication techniques. With single sign-on (SSO), users need only authenticate once and the authenticated identity is securely carried across the network to access resources on behalf of the user. The Java Platform, Enterprise Edition (Java EE ) is an excellent platform for developing Internet, intranet and extranet applications. It provides a standardized architecture that makes reuse possible, and provides tight integration with databases and legacy applications through the JDBC and JCA interfaces. Many enterprises have deployed, or are in the process of deploying Java EE applications. In addition, many enterprises are moving to support a standardized authentication infrastructure. In particular, Microsoft 's Active Directory provides an environment based on Kerberos and LDAP which provide Identity Management services including SSO, a centralized store for identity information. It makes a lot of sense to reuse this infrastructure where possible. Unfortunately, tight integration with Kerberos, and in particular the infrastructure provided by Microsoft s Active Directory which is already deployed or being deployed in many organizations, is simply not available for Java EE. Vintela Single Sign-on for Java from Quest Software fills this gap, providing SSO and access management for Java EE applications using Active Directory as their identity store. It provides an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner and allows users to access information systems to which they are authorized.

8 Vintela Single Sign-on for Java from Quest Software Who Should Read This Guide? The VSJ (JBoss Edition) Deployment Guide is intended for developers of VSJ solutions for enterprise SSO applications. You should have a good knowledge of Java programming, and a sound understanding of how Active Directory works in your environment. What s in This Guide? This guide describes how to deploy VSJ and includes a number of examples designed to accelerate the implementation of your VSJ solution. The VSJ (JBoss Edition) Deployment Guide includes: Chapter 1: Introduction to VSJ This chapter introduces VSJ as well as covering underlying technologies, such as Kerberos, Active Directory and SPNEGO, and includes an outline of VSJ s operations from the point of initialization through to exit. Chapter 2: Preparing Your Deployment Environment for VSJ This chapter discusses the environment needed for a VSJ deployment, including the DNS implementation, time synchronization service issues, Active Directory installation, and your application server and client machine software requirements. Chapter 3: Deploying VSJ JBoss Edition This chapter describes how to install VSJ JBoss Edition and then build SSO solutions using VSJ-protected Servlets and JSPs. Chapter 4: VSJ Federation for JBoss This chapter describes VSJ JBoss Federation which provides single sign-on for web applications in a Microsoft ADFS (Active Directory Federation Services) environment. Chapter 5: Using the JKTools This chapter describes how to use the jkinit, jklist and jktutil tools which are included with VSJ. Chapter 6: Security Issues This chapter outlines the mechanisms in VSJ used to achieve secure operation, and outlines some areas that may need attention. viii

9 Preface Chapter 7: Maintenance and Troubleshooting This chapter discusses the common maintenance issues relating to a VSJ deployment and provides solutions to some common problems which may be experienced when configuring and deploying applications using VSJ. Glossary The Glossary provides definitions of the terminology used in this guide. Conventions Conventions used in this guide are shown below. Convention Code Code italic SansSerif SansSerif italics Italic Use Highlights commands and coding Highlights code variables Highlights file names and paths Highlights file name and path variables Highlights publication titles and emphasises important or new terms ix

10 Vintela Single Sign-on for Java from Quest Software x

11 1 Introduction to VSJ Overview About VSJ About Kerberos About Active Directory SPNEGO and Internet Explorer How Does VSJ JBoss Edition Work?

12 Vintela Single Sign-on for Java from Quest Software Overview This chapter introduces VSJ as well as covering underlying technologies, such as Kerberos, Active Directory and SPNEGO, and includes an outline of VSJ s operations from the point of initialization through to exit. About VSJ VSJ provides a mechanism for integrating Java EE applications into an enterprise SSO infrastructure based on Active Directory. It supports authentication and authorization with Active Directory and in particular supports the SPNEGO protocol with Internet Explorer and Firefox/Mozilla. This allows Java EE Servlets and JSPs to authenticate users using Kerberos, and to use delegated credentials to access other Kerberized services within an enterprise domain. VSJ utilizes a number of other Active Directory features such as Active Directory groups and Active Directory sites. VSJ supports the authorization of users using Active Directory groups. By specifying which Active Directory groups are allowed to access an application, you can control access by managing group membership. Active Directory sites represent the physical topology of an Active Directory-based network infrastructure, and allow for replication, redundancy and load balancing across the network. VSJ uses Active Directory sites to support replication and failover. By using the VSJ solution you will be able to provide: End-to-end authentication between users and backend services Authorization of users by using Active Directory groups Integration of Java EE applications in an Active Directory/Kerberos-based SSO environment A cross-platform solution which supports most operating systems and Java application servers 2

13 Introduction to VSJ Figure 1 shows a conceptual view of a typical VSJ deployment. Figure 1: Conceptual View of a Typical VSJ Deployment About Kerberos Kerberos is a network authentication protocol developed at the Massachusetts Institute of Technology (MIT). It is designed to provide strong authentication for client/server applications across insecure network connections by using secret-key cryptography. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptographic ciphers such as DES. Kerberos works by providing principals (users or services) with tickets that they can use to identify themselves, and secret cryptographic keys for secure communication with other principals. A ticket is a sequence of a few hundred bytes. The ticket can then be used to secure virtually any other network 3

14 Vintela Single Sign-on for Java from Quest Software protocol, thereby allowing the processes implementing that protocol to be sure about the identity of the principals involved. Kerberos provides for mutual authentication and secure communication between principals on an open network by manufacturing secret keys for any requester and providing a mechanism for these secret keys to be safely propagated through the network. Kerberos does not, strictly speaking, provide for authorization or accounting, although applications may use their secret keys to perform those functions securely. There are several versions and distributions of Kerberos. Most of them are based on the MIT distributions. Some of the distributions are freely available, some are standalone commercial products, and others are part of larger free or proprietary systems. MIT Kerberos versions 4 and 5 are freely available. Versions 4 and 5 are based on completely different protocols, however version 5 contains some compatibility code. Figure 2: Kerberos Protocol Figure 2 shows how the Kerberos protocol works. A principal authenticates itself in Kerberos by using a principal name of the form principal-name@realm and a password. This is typically used to send an encrypted message to the 4

15 Introduction to VSJ Authentication Service (AS), which can then authenticate the principal and send back a session key and Ticket Granting Ticket (TGT). The TGT is like a certificate of identity which allows the principal to gain later access to one or more services. Once the user has supplied their password and obtained the TGT from the AS, authentication to any other service can happen automatically without the user having to resupply their password. For this reason, Kerberos is sometimes called a Single Sign-On (SSO) service. A ticket is a credential that enables a principal to gain access to a service. A principal obtains tickets from the Ticket Granting Service (TGS) using the TGT obtained from the AS as described above. The ticket is used to create an authenticator, which is then sent to the service being requested to authenticate the user. The authenticator is used to establish a session key for secure communication. Optionally, the user can also request to authenticate the server. If this happens, the server uses information in the user's authenticator to send back a server authenticator, which the user can use to verify the server's authenticity. The Kerberos protocol has been widely analyzed and is supported by many vendors including Sun, Microsoft and Oracle to name a few. It forms the basis of the authentication system used by Active Directory in Windows operating systems. About Active Directory The Active Directory service is a core component of the Microsoft Windows operating system. It provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC to authenticate users. It allows organizations to share and manage information about network resources and users and provides an SSO environment that integrates with the standard Windows desktop login. In addition, it acts as a single point of management for Windows-based user accounts, clients, servers and applications. The directory is arranged hierarchically, allowing the division of enterprise resources into different domains. Each resource (i.e., user, application), is represented as an object with a number of attributes (for example, the organizational group to which the resource belongs). The directory may be browsed hierarchically for resources, or each resource can be individually addressed by providing its Distinguished Name. The Distinguished Name is simply a group of attributes that uniquely identify an object within the Active Directory hierarchy (for example, CN=John Doe, DC=example, DC=com ). The directory also provides fine-grained security mechanisms to allow administrators to determine exactly what information may be accessed. Users 5

16 Vintela Single Sign-on for Java from Quest Software can be restricted to specific objects, or even specific attributes within the directory. The main benefits of using Active Directory are that it simplifies the management of user accounts, and provides an SSO infrastructure to users. Its support for standard protocols such as LDAP and Kerberos means that it can be used as, or with, a cross-platform solution. The Kerberos support in Active Directory has been tested to ensure interoperability with the MIT Kerberos implementation used by many UNIX vendors. However, it is worth noting some differences between the Microsoft and MIT implementations: Support for Privilege Attribute Certificates (PACs) Microsoft's Kerberos implementation uses the AuthorizationData field of the Kerberos ticket to pass Privilege Attribute Certificates (PACs) to Kerberized applications. Applications that support Microsoft's PAC format can use this information to provide fine-grained access control to services. Integration with LDAP Active Directory's Kerberos features are tightly integrated with its LDAP server. This means that user information, such as groups, can be retrieved using standard tools and APIs. Windows Native Credential Cache Unlike the MIT implementation, the Windows Kerberos implementation uses an in-memory credential cache to store Kerberos tickets and TGTs (the MIT implementation uses a disk file). The implementation is stored in non-paged memory so it is never written to disk. Microsoft provides routines to obtain credentials from this cache through their Local Security Authority API (LSA API). Smartcard / PKI Support Microsoft supports a version of the PKINIT protocol which allows the initial authentication to the directory to be performed using a private key or smartcard. Active Directory Groups In large organizations, managing the authorization permissions of hundreds or even thousands of users creates a significant problem. One way that Active Directory addresses this issue is through the use of groups. These groups provide a way to classify users according to their roles or activities, and can be used as the basis for authorization permissions. 6

17 Introduction to VSJ Group Types Active Directory defines two types of groups: security groups and distribution groups. Distribution groups are mainly used for activities such as sending bulk , and do not allow permissions and audit settings to be associated with them. Security groups on the other hand are primarily designed for authorization, so are most interesting for VSJ. Microsoft Windows does not use distribution groups internally, although they are available for use by other directory-enabled applications. Group Scopes Each group has a scope which describes both its visibility to other users and applications throughout the enterprise, and the types of principals that can be included in the group. The three group scopes are listed below: Domain Local visible only within a domain, and to sub-domains. Domain local groups can include any other type of group, but cannot be included in any of the other groups. Commonly, Domain local groups are used to define the groups and users allowed to access a given local resource. Global visible throughout the enterprise, but can only include other users and groups within the same domain (or a parent domain). Global groups should be used to divide users within a domain into categories according to their roles or job functions. Universal visible throughout the entire enterprise. Universal groups may include both other Universal groups, and global groups from any domain in the enterprise. For reasons described below, Universal groups are expensive to use, so try to limit the number of these groups. You should use a Universal group wherever it is necessary to create a group that spans one or more domains. If you are using Active Directory in mixed mode (that is, with both Active Directory and Windows NT domains) the rules for scoping are more restrictive, and you cannot use Universal groups. See your Active Directory documentation for more details. Active Directory allows nested groups (groups that contain other groups), which can be nested to arbitrary levels. This is convenient, as it provides a way to hierarchically manage users, for example you can have a group for each type of manager in a department, and then create a group called Managers that includes all of these sub-groups. 7

18 Vintela Single Sign-on for Java from Quest Software Groups and the Logon Process When a Microsoft Windows user logs on to an Active Directory domain, Active Directory builds a token called a Privilege Attribute Certificate (PAC). The PAC contains the list of all the groups the user is a member of, and that are visible in the login domain. This list is the "transitive closure", meaning it includes any groups which the user is a member of due to nesting of other groups. For example, supposing we have the following global groups which contain the users "Alice" and "Bob": Group1 : contains Alice, Bob Group2 : contains Group1 Group3 : contains Group2 Then the PAC for Alice will contain Group1, Group2 and Group3. Computing this group membership can take some time and Active Directory may have to query several LDAP servers to determine membership. In addition, Universal groups require a full search of the global catalog, which stores information about every Active Directory object. For this reason, the number of Universal groups should be limited to ensure that logon times do not become too long. The PAC exists for the lifetime of the initial TGT obtained at logon time (typically 10 hours). For this reason, if a user is added to a new group, the user must log off and then log back on for this group to be used. Groups and VSJ When a user accesses an application protected with VSJ, Internet Explorer will contact Active Directory to obtain a service ticket for the server which it needs to contact, or retrieve it from the cache if available. This service ticket will contain a PAC containing all the Universal and Global groups from the user's existing PAC, plus any Domain Local groups defined in the servers domain. VSJ will then use the groups defined in the PAC to authorize access to a particular resource. Because the group membership is securely authenticated in the PAC, VSJ can trust this information. Using the PAC also saves time associated with the LDAP lookups needed to recursively resolve group membership, resulting in a more scalable solution. 8

19 Introduction to VSJ Active Directory Sites Sites represent the physical topology of your Active Directory infrastructure based on subnets of TCP/IP addresses, and allow for replication, redundancy and load balancing across your Active Directory deployment. By defining sites in Active Directory, you effectively tell Active Directory what your underlying physical network looks like. This allows domain controllers to utilize the underlying network in the most efficient manner possible and allows Active Directory to conserve bandwidth that is required for other applications within your organization. However, sites are not related to the structure of the domain, nor must they maintain the same namespace a site may span multiple domains and, conversely, a domain may span multiple sites. While no formal relationship exists between a site and a domain, a site may be given the same boundaries as a domain. To ensure rapid and reliable network communication, Active Directory offers methods of regulating intersubnet, or intersite, traffic. The Active Directory physical structure governs when and how replication takes place. As users log on to the network, they are able to reach the closest domain controller site through the previous assignment of subnet information. The system administrator uses the Active Directory Sites and Services snap-in to manage the topology of replication services. VSJ supports replication and failover using Active Directory sites Principals, Computer and User Objects Active Directory uses a number of different names to refer to objects that are used by VSJ. These are discussed below. User Principal Name (UPN) The fully qualified name used as the Kerberos client principal name. It consists of an RFC822/ style name and domain separated by an '@'. The UPN must be unique throughout the Active Directory forest. The UPN is the name that will appear in the Kerberos Ticket Granting Ticket (TGT) for a client returned by Active Directory. 9

20 Vintela Single Sign-on for Java from Quest Software Service Principal Name (SPN) The fully qualified name of a Kerberos service principal. The SPN is of the form <service>/<host>@domain, for example: HTTP/foo.example.com@EXAMPLE.COM The SPN is used when requesting a Kerberos ticket for a particular service. You will typically need to map an SPN to an Active Directory user or computer object using either the setspn or ktpass utilties with Microsoft Windows. Computer/User Objects SPN/UPNs may be mapped to two different types of object in Active Directory. Computer objects refer to computers which have been joined to a given Active Directory domain (for example, a Microsoft Windows machine joined using the Network Identification Wizard, or a Unix machine joined using VAS). When the computer object is created a corresponding HOST/<machine name>@<domain> SPN will be mapped to that computer object. It is also possible to map additional SPNs to the computer object. An Active Directory User object may refer to an actual physical person, or a Service Account which is an object created for the purposes of running a particular service. In the latter case you would map the SPN to the service account using the setspn or ktpass utilities with Microsoft Windows. Use of Principal Names in VSJ When running VSJ on Microsoft Windows it is only possible to configure VSJ to use the HTTP SPN mapped to a Service Account User Object. This is because it is not possible for VSJ to access the key material for the Computer account stored in the LSA database. For more details on setting up VSJ to use a Service Account, see Setting Up Active Directory Accounts for VSJ). However, when VSJ is used with Vintela Authentication Services (VAS), either the HOST/ or HTTP/ mechanisms can be used (see Setting Up Active Directory Accounts on a VAS-Enabled Host for more details). VSJ and Active Directory VSJ has been specifically designed to work optimally with Microsoft's Active Directory. It will use the default configuration to discover the services, hosts and port numbers necessary to integrate with Active Directory. To finetune your deployment you can configure VSJ to use Active Directory configuration such as sites and services, KDC servers, etc. 10

21 SPNEGO and Internet Explorer Introduction to VSJ In addition to support for Kerberos through its Active Directory service, Microsoft has also provided extensions to Internet Explorer that allow it to participate in a Kerberos-based SSO environment. When a Web server receives a request from an Internet Explorer browser, it can request that the browser use the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication which is tunneled over HTTP, and allows Internet Explorer to pass a delegated credential so that a Web application can log in to subsequent Kerberized services on the user's behalf. When an HTTP server wishes to perform SPNEGO, it returns a "401 Unauthorized" response to the HTTP request with the "WWW-Authorization: Negotiate" header. Internet Explorer then contacts the Ticket Granting Service (TGS) to obtain a service ticket. It chooses a special Service Principal Name for the ticket request, which is: HTTP/webserver@REALM The returned ticket is then used to construct an SPNEGO token which is encoded and sent back to the server in the HTTP headers. The token is unwrapped and the ticket is authenticated. If mutual authentication is required, then the Web server can return an additional SPNEGO token for the client to verify. Once authenticated, the page corresponding to the requested URL is returned. SPNEGO provides a useful mechanism for extending an SSO environment to Web applications. It is already supported in Microsoft IIS for authentication to ASP or Web pages. In addition, the ability to delegate credentials means that a Web application can log in to further services transparently on the user's behalf, providing full end-to-end authentication. Lastly, SPNEGO and HTTP can be used for authentication with Microsoft.NET SOAP clients, providing SSO for Web services. How Does VSJ JBoss Edition Work? This section provides an outline of VSJ JBoss Edition s operations, from the point of initialization through to exit. On startup The VSJ-enabled Tomcat Valve examines the vsj.properties file to determine the default realm, service principal name (SPN), password or keytab, etc. and then calls initauthenticator, which gets a server Ticket-Granting Ticket (TGT). 11

22 Vintela Single Sign-on for Java from Quest Software For each request to a protected area, the VSJ-enabled Valve calls authenticate(request, Response, LoginConfig) VSJ performs the appropriate authentication for the mechanism specified in the request (specified in the 'Authorization' header of the request): Basic fallback (if configured): Mechanism name is "Basic", and mechanism token is a base64-encoded username and password. Converts username and password to a Kerberos principal and Kerberos password, and requests a TGT from the KDC. Requests a service ticket from the KDC.Stores credentials in session state for future authentication requests. NTLM (if configured): Mechanism name is "NTLM" or "NEGOTIATE", and mechanism token is an NTLM token. An NTLM handshake occurs, where messages are exchanged between the client and server including negotiate, challenge and authenticate packets. Once authentication occurs, a credential is obtained and stored in the session state for future authentication requests. SPNEGO Mechanism name is "Negotiate", and mechanism token is an SPNEGO token. SPNEGO handshake occurs, whereby the SPNEGO token in the request is processed, and SPNEGO tokens may be returned to the browser in the "WWW-Authenticate' field of the response. Eventually, authentication succeeds, and credentials are obtained. The session state is updated with the obtained credentials and other user information. The Valve passes the Authenticated User details to a JBoss LoginModule that will create a JAAS Subject during the login process using the information provided. JBoss Security Mechanism (JBossSX) will allow/deny permission based on information packed inside the Subject. 12

23 2 Preparing Your Deployment Environment for VSJ Overview Pre-Installation Deployment Risks Setting Up Active Directory Accounts for VSJ Setting Up Active Directory Accounts on a VAS-Enabled Host Post-Installation

24 Vintela Single Sign-on for Java from Quest Software Overview This chapter discusses the environment needed for a VSJ deployment, including the DNS implementation, time synchronization service issues, Active Directory installation, and your application server and client machine software requirements. If you are not already familiar with Active Directory and other concepts related to VSJ, refer to Introduction to VSJ. Pre-Installation Domain Name Service (DNS) VSJ requires a DNS implementation to discover the location of: KDCs for a given realm Domain controllers and global catalogs for a given domain (and optionally for a given site) The DNS implementation must support SRV resource records as follows: For locating the domain controller(s) for a given domain: _ldap._tcp.domain where domain is the given domain. For example: _ldap._tcp.testsso.example.com would represent the SRV query for finding domain controllers representing the domain TESTSSO.EXAMPLE.COM. For locating the domain controller(s) for a given domain in a given site: _ldap._tcp.site._sites.domain where site is the given site and domain is the given domain. For example: _ldap._tcp.brisbane._sites.testsso.example.com would represent the SRV query for finding domain controllers representing the domain TESTSSO.EXAMPLE.COM for the site Brisbane. 14

25 Preparing Your Deployment Environment for VSJ For locating the global catalog(s) for a given domain: _ldap._tcp.gc._msdcs.domain where domain is the given domain. For example: _ldap._tcp.gc._msdcs.testsso.example.com would represent the SRV query for finding global catalogs representing the domain TESTSSO.EXAMPLE.COM. For locating the global catalog(s) for a given domain in a given site: _ldap._tcp.site._sites.gc._msdcs.domain where site is the given site and domain is the given domain. For example: _ldap._tcp.brisbane._sites.gc._msdcs.testsso.example.com would represent the SRV query for finding global catalogs representing the domain TESTSSO.EXAMPLE.COM for the site Brisbane. DNS services may be provided by using a Windows DNS server, or by using a Unix BIND DNS server. All DNS servers must be physically and logically secure. For information on configuring DNS for Microsoft Windows, see: The Microsoft Windows Server 2003 Deployment Kit ( 03/all/deployguide/en-us/Default.asp) Using BIND DNS Servers with Windows 2000 Detailed Instructions ( For information on configuring DNS for Unix, see the BIND 9 Administrator Reference Manual ( Time Synchronization Service The Kerberos protocol requires synchronization of internal clocks within Kerberos domains, to ensure that ticket lifetimes may be calculated and compared correctly. A time service may be configured to provide the necessary synchronization. Time services may be provided by the Unix Network Time Protocol (NTP) service, or the compatible Simple Network Time Protocol (SNTP) service available with Microsoft Windows. 15

26 Vintela Single Sign-on for Java from Quest Software For information on configuring time services for Microsoft Windows, see: How to Configure an Authoritative Time Server in Windows XP ( How to Configure an Authoritative Time Server in Windows 2000 ( For information on configuring time services for Unix, see NTP: The Network Time Protocol ( Active Directory A Microsoft Windows 2000 Server or Windows Server 2003 Active Directory is required. The default installation is sufficient. 1. Install Microsoft Windows 2000 Server or Windows Server Add the Active Directory role to the server. 3. You will be asked if you also want to install the DNS Role. If you do, click OK. You will need an Administrator account and password for the Active Directory domain. Application Server See the release notes (HTML) for a comprehensive list of servers supported by VSJ. Client Machine Operating System To support Windows Integrated Authentication, the client must be part of the Active Directory domain and must have one of the following operating systems installed: Windows 2000 Professional Windows 2000 Server Windows 2000 Advanced Server 16

27 Preparing Your Deployment Environment for VSJ Windows XP Professional Windows Server 2003 Windows Vista These are the only operating systems that incorporate Active Directory. If Microsoft Windows 2000 is installed on the client, Internet Explorer 5.5 or higher is also needed. To support NTLM authentication, one of the following operating systems must be installed on the client: Windows 95 Windows 98 Windows Millennium Edition (ME) Windows NT Windows XP Home These operating systems do not incorporate Active Directory, but do support NTLM authentication. For more information on NTLM, see Security Issues. Basic fallback is supported on most platforms and browsers, such as Mozilla and Konqueror. Browser To support Windows Integrated Authentication, you will need one of the following browsers: Internet Explorer 5.5 or higher Mozilla Firefox 17

28 Vintela Single Sign-on for Java from Quest Software When using a browser that is not configured for Windows Integrated Authentication, VSJ provides both an NTLM mechanism that allows NTLM SSO, and a fallback mechanism that allows a user to log in with their Kerberos password using standard HTTP basic authentication. However, the basic feature is disabled by default for security reasons. For more details on the consequences of enabling basic fallback see Security Issues. Deployment Risks This section discusses some of the deployment risks associated with the implementation of a VSJ-based solution. These risks are not inherent to VSJ, but may impact on VSJ s service availability or result in false positive/negative authentication. Service Unavailability If a host (for example, the domain controller indicated by a DNS SRV query) becomes unavailable, then VSJ processing may be suspended until a timeout expires. Note that VSJ maintains an internal database of unavailable hosts, and subsequent requests will ignore (for a time) any hosts that are known to be unavailable. If no hosts are available for a given service, VSJ will indicate an error. Any subsequent VSJ operations that must communicate with the host will timeout until such time as the host becomes available. If a service (such as DNS) becomes unavailable, VSJ processing may be suspended until a timeout expires. After this, VSJ will indicate an error. Any subsequent VSJ operations that rely on the service will timeout until such time as the service becomes available. Time Synchronization If the internal clocks of two machines or services are sufficiently out of skew, then a Kerberos ticket which is valid on one machine may not be valid on the other machine. Thus, unsynchronized time services may lead to denial of service for otherwise valid Kerberos tickets. 18

29 Preparing Your Deployment Environment for VSJ Replication Interruptions VSJ supports replicated domain controllers and global catalogs, and assumes that information is replicated across the network topology in a timely and consistent manner. Failure to replicate security information (such as group membership, SIDs, etc.) accurately may result in authentication or authorization failures. Resource Security VSJ relies on sensitive data (such as Kerberos keytabs, passwords, and Active Directory account information). Such data must be physically and logically secure. Typically, only the Active Directory administrator should have access to Active Directory configuration, and a keytab should be readable only by the principal represented by that keytab. Setting Up Active Directory Accounts for VSJ The following sections describe the procedures for setting up Active Directory for VSJ. 1. Create a User Account 2. Map a Service Principal Name (SPN) 3. Final Steps If you are installing VSJ on Windows, before you begin, make sure that IIS is not being used on the same machine. The steps below will add a service principal name (SPN), which will clash with IIS's, causing IIS to no longer be able to decrypt Kerberos tickets. This will cause IIS's Windows Integrated Authentication to fail. Step 1: Create a User Account To set up user authentication for a service you must register the service as a user in Active Directory on the Domain Controller. This can be done using the following steps: 1. On the Domain Controller with Active Directory installed, click the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 19

30 Vintela Single Sign-on for Java from Quest Software 2. Click the Users folder to display a list of users, on the Action menu, point to New, and then click User. Enter a name and logon name for the new service, and click Next. The username should consist of standard alphanumeric characters and no whitespace, as it needs to be entered in a command prompt later. On the next screen, enter a password for the service. Ensure that User must change password at next logon is not selected, and Password Never Expires is selected. Click Next, and then Finish. 3. Right-click the user you just entered in the User folder list, and then click Properties. A dialog box will display. 4. Select the Account tab. Select the Account is trusted for delegation check box if you wish to allow a service to use delegated credentials to access other services on the users' behalf. This is significant when your service depends on data from other secure services for which you don't want users to have to enter credentials manually. 5. Select the Password never expires check box. This prevents the service account from ever expiring, which would cause Kerberos errors. 6. Click OK. Step 2: Map a Service Principal Name (SPN) For Internet Explorer to be able to authenticate to VSJ, it needs to know the user account created in Create a User Account above. It does this by looking up a Service Principal Name (SPN) of the form HTTP/host.domain@REALM. The following describes how to create a mapping between a user account and an SPN: 1. Obtain the ktpass utility. This is available from the Windows 2000 resource kit. For more information on this tool, go to: steps.asp ktpass is included on the Windows Server 2003 installation CD under /Support/Tools/. 2. Launch a command prompt and run ktpass with the following arguments: ktpass -princ HTTP/host.domain@REALM -mapuser user 20

31 Preparing Your Deployment Environment for VSJ Where: host.domain is the fully-qualified domain name of the server where VSJ will be installed. (for example, server.example.com) REALM is the Active Directory realm in which the server is located (for example, EXAMPLE.COM). Note that REALM needs to be entered in uppercase characters. user is the logon name of the user account you created above. If you want to use ktpass under Microsoft Windows 2003, the user must be the user account's full-name and must be enclosed by quotes (" "). Ensure that the principal name (SPN) you are entering at this step does not already exist in Active Directory, otherwise the installation will not work. The most common reason for this is if IIS has been installed on the host. Removal of IIS does not remove the principal name. This has to be done manually using the setspn.exe utility. If you wish to use a file keytab, refer to Creating Keytab Files. Step 3: Final Steps To prevent Kerberos integrity-check failures later on, ensure that you perform the following steps: 1. On the Domain Controller with Active Directory installed, click the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Right-click on the user account that you created previously, and click Reset Password... A login dialog box will display. 3. Enter and confirm the same password that you entered previously. Ensure that User must change password at next logon is not selected. 4. Click OK to finish. 21

32 Vintela Single Sign-on for Java from Quest Software Setting Up Active Directory Accounts on a VAS-Enabled Host VSJ supports integration with Vintela Authentication Services (VAS) to allow you to simplify installation on VAS-enabled Unix hosts. The following sections describe how to perform this setup. Vintela Authentication Services (VAS) Vintela Authentication Services (VAS) allows Unix and Linux users to be authenticated using Active Directory. It provides integration with the Unix Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) systems. A system administrator will enable VAS on a Unix host by joining it to the Active Directory domain using the vastool utility. This creates a computer account object in Active Directory along with a HOST principal and keytab that can be used to authenticate service tickets that are presented to Kerberos/VAS-enabled applications. VAS Configuration The VAS Configuration file is usually installed in /etc/opt/vas/vas.conf. The configuration is in the form of an MIT krb5.conf file, for example: [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = true ticket_lifetime = default_keytab_name = /etc/opt/vas/host.keytab default_etypes = arcfour-hmac-md5 default_etypes_des = des-cbc-crc default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc [domain.realm] j2ee.example.com = EXAMPLE.COM The configuration file defines information such as the default realm, and the location of the server keytab. 22

33 Preparing Your Deployment Environment for VSJ VAS Keytabs VAS keytab files are created in the /etc/opt/vas directory. Each keytab file is named according to the service that uses it. For example, the host principal keys are stored in the /etc/opt/vas/vintela/host.keytab file. VAS keytab files are stored using the standard MIT-style and may be used by third party applications including VSJ. vastool vastool is a command line program that allows you to configure various components of VAS, access information stored in Active Directory; and to perform a variety of tasks such as the creation of user accounts and keytabs. vastool is located at /opt/vas/bin/vastool. It has been designed to be script-friendly and to allow administrators to easily manage users, groups, and other information stored in Active Directory from Unix/Linux workstations. In order to run vastool, you must specify the options for vastool, a command to run, and the options for that specific command. While vastool supports a wide variety of commands, the following will be of most use when installing VSJ with VAS: create create a user, group, or computer object in Active Directory delete delete users, groups, computer objects, or NIS Map objects in Active Directory service manage service accounts in Active Directory Using the VAS HOST Service Principal Name to Install VSJ One of the simplest ways to configure VSJ to run on a VAS enabled host is to set up your configuration so that the Application Server can authenticate using the HOST principal installed when you join a VAS enabled machine to the Active Directory domain. To do this, you will need to perform the following steps: 1. Run the application server with sufficient permissions to access the host keytab /etc/opt/vas/host.keytab (usually root). 2. Configure the realm used by VSJ to be the same as the realm/domain to which the VAS enabled host has been joined. This can be determined by running the command: /opt/vas/bin/vastool info domain 23

34 Vintela Single Sign-on for Java from Quest Software 3. Configure VSJ to use the host keytab (located in /etc/opt/vas/host.keytab). 4. If you are using Active Directory sites you should configure VSJ to use the correct site for this server. You can discover this by using the command: /opt/vas/bin/vastool info site 5. Configure VSJ to use the HOST principal. This should be set to: HOST/fully.qualified.host.name Creating a HTTP Service Principal Using vastool It is also possible to use vastool to add a service account for VSJ rather than using the HOST principal. The major benefit of this approach is allows you to run the application server as an unprivileged user. To do this you will require VAS or later. 1. To create the service, run the following command: $ vastool -u <Administrative User> service create HTTP/fully.qualified.host.name Where <Administrative User> is a domain user with sufficient permissions to create accounts. This will generate output similar to the following: Successfully created service HTTP/fully.qualified.host.name@EXAMPLE.COM Update the permissions on the service keytab for the application using the service. and generate a keytab /etc/opt/vas/http.keytab. 2. Modify the permissions on /etc/opt/vas/http.keytab so it is readable by the process running the application server. For example: $ chown appserverowner /etc/opt/vas/http.keytab 3. Configure the realm used by VSJ to be the same as the realm/domain to which the VAS-enabled host has been joined. This can be determined by running the command: $ /opt/vas/bin/vastool info domain 4. If you are using Active Directory sites you should configure VSJ to use the correct site for this server. You can discover this by using the command: $ /opt/vas/bin/vastool info site 24

35 Preparing Your Deployment Environment for VSJ 5. Configure VSJ to use the HTTP principal above (HTTP/fully.qualified.host.name). See Table 4, Standard VSJ Configuration Parameters, on page 40. Post-Installation Setting Up Internet Explorer for SSO This section describes how to set up Internet Explorer for SSO. This includes: Windows Integrated Authentication NTLM authentication Troubleshooting your Internet Explorer configuration Windows Integrated Authentication To take full advantage of VSJ, you must enable Windows Integrated Authentication. To use Windows Integrated Authentication, clients must be running Internet Explorer 5.5 or higher on Windows 2000/2003/XP. You should also ensure that the High Encryption Pack (see ie/downloads/recommended/128bit/default.mspx) is installed. You can confirm that the High Encryption Pack is installed by selecting About Internet Explorer from the Help menu in Internet Explorer. If it is installed, Cipher Strength: 128-bit will be shown on the About Internet Explorer dialog box. You will probably need to ensure that the Java EE server on which you installed VSJ is in the Intranet Zone. See Troubleshooting Your Internet Explorer Configuration on page 37 for more information. Windows Integrated Authentication is enabled by default on Internet Explorer 5.5. If you are using Internet Explorer 6.0 or higher you will also need to do the following: 1. In Internet Explorer, on the Tools menu, click Internet Options. 2. Click the Advanced tab. 3. Scroll down to the Security section, and select the Enable Integrated Windows Authentication (requires restart) setting. 25

36 Vintela Single Sign-on for Java from Quest Software 4. Click OK. 5. Restart Internet Explorer. NTLM Authentication Windows Integrated Authentication provides a greater degree of security than NTLM authentication, so we recommend that users should attempt to use Windows Integrated Authentication unless it is unsupported by their client operating system or browser. To use NTLM for SSO, you will need a version of Windows that supports NTLM challenge/response (see Operating System). To set up Internet Explorer for NTLM authentication: 1. Configure the intranet for authentication: a. In Internet Explorer, on the Tools menu, click Internet Options. b. Click the Security tab. c. Click the Local intranet icon and then click Custom Level... d. Scroll down the Security Settings list to the User Authentication section, and select the Automatic logon only in Intranet zone option. This will configure the intranet for SSO. e. Click OK. 2. If you are using Internet Explorer 6.0 or higher, you will also need to perform the following steps: a. In Internet Explorer, on the Tools menu, click Internet Options. b. Click the Advanced tab. c. Scroll down to the Security section, and ensure that the Enable Integrated Windows Authentication (requires restart) setting is not selected. d. Click OK. e. Restart Internet Explorer. Troubleshooting Your Internet Explorer Configuration To use Internet Explorer for Windows Integrated Authentication you must ensure that the Java EE server on which you installed VSJ is in the Intranet Zone (on the Internet Explorer Security tab). This should be the case for most default setups, but may not be if one of the following is true: The domain name of the Java EE server on which VSJ is installed is different from the domain name of your desktop machine. You have modified the Intranet Zone settings. If your server is not part of the Intranet Zone then Windows Integrated Authentication will fail and a login dialog box will display. 26

37 Preparing Your Deployment Environment for VSJ If this occurs, perform the following steps: 1. In Internet Explorer, on the Tools menu, click Internet Options. 2. Click the Security tab. 3. Click the Local intranet icon and then click Sites. 4. Click Advanced. 5. Enter the name of your server, and then click Add. 6. Click OK. If you are sure that your server is part of the Intranet Zone, but a login dialog box is still displayed, do the following to check that Windows Integrated Authentication is being used in the Intranet Zone. 1. In Internet Explorer, on the Tools menu, click Internet Options. 2. Click the Security tab. 3. Click the Local intranet icon, and then click Custom Level Scroll down the Security Settings to the User Authentication section, and then select the Automatic logon only in Intranet Zone option. If Windows Integrated Authentication is still failing then you may have incorrectly set up the SPN for VSJ (See ). See Maintenance and Troubleshooting for other possible problems. Creating Keytab Files VSJ supports two mechanisms for storing key information required to authenticate users - setting a password and using keytab files. See Keytabs and Passwords for more information on each method. To create a keytab file and use this with VSJ: 1. Generate keytab files for each service that requires authentication. This can be done with the tools included with the VSJ release. The following examples show how to create a keytab using the tools on Windows and Unix. The keytab will contain two keys, one RC4 and one DES for the SPN of HTTP/host.domain@realm with a key version number of -1 (a value which acts as a wildcard). Example of creating a keytab on Unix: /opt/vsj-3.0/bin $./jkutil.sh jktutil (type '?' for help): add_entry -password -p HTTP/host.domain@REALM -k 255 -e rc4-hmac 27

38 Vintela Single Sign-on for Java from Quest Software Password for jktutil (type '?' for help): add_entry -password -p -k 255 -e des-cbc-crc Password for jktutil (type '?' for help): list Slot KVNO Principal HTTP/host.domain@REALM HTTP/host.domain@REALM jktutil (type '?' for help): write_kt -o http_host.keytab jktutil (type '?' for help): quit /opt/vsj-3.0/bin $./jklist.sh -e -k http_host.keytab Keytab name: FILE:http_host.keytab KVNO Principal EncType HTTP/host.domain@REALM rc4-hmac -1 HTTP/host.domain@REALM des-cbc-crc /opt/vsj-3.0/bin $ Example of creating a keytab on Windows: C:\VSJ_3.0\bin> set JAVA_HOME=C:\jdk-1.4 C:\VSJ_3.0\bin> jktutil.bat jktutil (type '?' for help): addent -password -p HTTP/host.domain@REALM -k 255 -e rc4-hmac Password for HTTP/host.domain@REALM: jktutil (type '?' for help): addent -password -p HTTP/host.domain@REALM -k 255 -e des-cbc-crc Password for HTTP/host.domain@REALM: jktutil (type '?' for help): list Slot KVNO Principal HTTP/host.domain@REALM HTTP/host.domain@REALM jktutil (type '?' for help): wkt http_host.keytab jktutil (type '?' for help): quit C:\VSJ_3.0\bin> jklist.bat -e -k http_host.keytab Keytab name: FILE:http_host.keytab KVNO Principal EncType HTTP/host.domain@REALM rc4-hmac -1 HTTP/host.domain@REALM des-cbc-crc V:\VSJ_3.0\bin> 28

39 Preparing Your Deployment Environment for VSJ 2. When configuring an application for VSJ you will need to set the idm.keytab parameter (See Appendix A). The idm.keytab parameter value should point to the keytab file you generated for this service when you set up the application server. 3. Copy the generated keytab from Step 1 to the location specified by the idm.keytab parameter. The new keytab contains sensitive information that could be used to subvert the security of your VSJ installation so make sure that you set appropriate access permissions on this file, and do not send it over unsecured networks unencrypted. 29

40 Vintela Single Sign-on for Java from Quest Software 30

41 3 Deploying VSJ JBoss Edition Overview Installing VSJ JBoss Edition Configuring the VSJ Examples Deploying Web Components Using VSJ JBoss Edition Setting Up Logging Using VSJ Credential Delegation Cross-Domain Issues

42 Vintela Single Sign-on for Java from Quest Software Overview This chapter describes how to install VSJ JBoss Edition and then build SSO solutions using VSJ-protected Servlets and JSPs. It also shows how to extend a Servlet/JSP to support credential delegation for authenticating to other services such as ASP applications on an IIS Web server, as well as how to set up audit logging. Cross-Domain Issues describes some of the issues that should be considered when clients reside in a different Active Directory domain from the application server where VSJ is installed. Installing VSJ JBoss Edition To obtain a license for VSJ This distribution requires a VSJ license and does not include one; you must supply one yourself, as described below. The license is packaged as a JAR file so that it can be installed the same way VSJ's other JAR files are installed. Evaluation licenses are available by filling out the VSJ evaluation download form. You will receive an message that includes the license jar file as an attachment. Some clients rename the attachment to vsj-license.zip; in this case you may have to re-rename the saved file to vsj-license.jar Once you have a current license jar, add it to the lib/ directory alongside the other VSJ libraries. To install the VSJ components using Ant 1. If you have Apache Ant installed, you can run the deployment script to install VSJ libraries. 2. Edit the build.properties file (in the top-level directory of the VSJ JBoss distribution) and set the following properties: jboss.home The directory of your JBoss installation (for example: C:/jboss GA) jboss.server The JBoss server configuration under which you want to run VSJ (for example: default) 3. Run ant deploy_vsj. 4. Restart JBoss. OR 32

43 Deploying VSJ JBoss Edition To copy the VSJ libraries to the appropriate location manually 1. Copy the following jar files to ${jboss.home} /server/${jboss.server} /lib directory (where jboss.home and jboss.server are as described above): lib/vsj-jboss-3.2.jar lib/vsj-license.jar thirdparty/lib/jcifs jar thirdparty/lib/jldap.jar 2. Restart JBoss. To complete the installation JBoss has a configuration parameter for the maximum size of an HTTP header. By default it is 4096, which is too small for some HTTP Negotiate auth headers generated by Internet Explorer/Active Directory, especially those for users with a large number of group memberships. The configuration parameter maxhttpheadersize should be changed in ${jboss.home}/server/${jboss.server}/deploy/jbossweb-tomcat55.sar/server. xml (where jboss.home and jboss.server are as described above, note: path may vary slightly depending on version of JBoss). Configuring the VSJ Examples The distribution contains a number of examples demonstrating how to use VSJ JBoss Edition. To configure the examples, edit the sample vsj.properties file in the examples/ directory and configure the following parameters. This properties file is used as the configuration for all examples. idm.princ, idm.realm These parameters should be set to the Kerberos service principal name and the Active Directory domain to be used for authentication respectively. The combination of idm.princ@idm.realm should match the value that you set as the primary SPN when preparing your deployment environment. For example: 33

44 Vintela Single Sign-on for Java from Quest Software For Primary SPN: Use values: idm.princ: HTTP/host.domain.com idm.realm: DOMAIN.COM idm.password / idm.keytab The idm.password parameter should be set to the password of the Kerberos service principal specified by idm.princ and created when setting up your VSJ deployment environment. VSJ will create an in-memory keytab using this password. Alternatively, idm.keytab can be used to specify a file keytab containing the key for the service principal. idm.allowunsecured Specifies whether to allow authentication over HTTP (rather than requiring HTTPS). This option can be set to true for development and testing but it is strongly recommended that it is not set in a production environment unless there is a very low risk of an attacker accessing the communication channel between the client and server. The default is false. idm.ad.qualifyuserprincipal idm.ad.site idm.allowntlm Fully qualify the authenticated user name returned by VSJ. For example, append the Active Directory domain name. The default is false. The Active Directory site in which this server should be placed. Specifies whether to allow fallback to NTLM authentication. This is required if you want to use VSJ with pre-windows 2000/XP Internet Explorer browsers which do not support SPNEGO. The default is false. Once these parameters are configured, you can build and deploy the examples. See the README files in each example s individual directory for more specific details. The recommended example for getting started is the 'simple' example. 34

45 Deploying VSJ JBoss Edition Deploying Web Components Using VSJ JBoss Edition To deploy web components using VSJ JBoss Edition 1. Create a new file called vsj.properties, and set your VSJ configuration properties as required. For example: # The Active Directory domain to be used for authentication. idm.realm = EXAMPLE.COM # The Active Directory service principal. idm.princ = HTTP/appserver.example.com ## Must configure one of: (a) idm.keytab, (b) idm.password # The keytab file of the service principal specified above. #idm.keytab= # The password of the service principal specified above. idm.password=password See Appendix A for the complete set of VSJ configuration parameters. 2. Create a login-config.xml file as follows: 35

46 Vintela Single Sign-on for Java from Quest Software This file is based on the ${jboss.home}/server/${jboss.server} /conf/login-config.xml which sets up the configuration for the security domains available to applications running in the server. This file basically hooks up a security domain to the VSJ login module(s). The "name" attribute on the "application-policy" element (in this case "vsj-app") specifies the name of the security domain. The name is used to tie the security domain to the web application. This custom login-config.xml is added to the root directory of your EAR file, which must be configured to use dynamic login configuration. The JBoss admin guide has more details on how to do this, but the basic files/changes required to do so are here. eg. meta-inf/jboss-app.xml <jboss-app> <module> <service>login-service.xml</service> </module> </jboss-app> eg. login-service.xml <server> <mbean code="org.jboss.security.auth.login.dynamicloginconfig" name="simple_ex:service=dynamicloginconfig"> <attribute name="authconfig">login-config.xml</attribute> <depends optional-attribute-name="loginconfigservice"> jboss.security:service=xmlloginconfig </depends> <depends optional-attribute-name="securitymanagerservice"> jboss.security:service=jaassecuritymanager </depends> </mbean> </server> Alternatively, the ${jboss.home}/server/${jboss.server} /conf/login-config.xml can be modified directly. This configuration change will be app-server wide, but in this case dynamic login configuration won't be necessary. 3. Configure the web application for security by adding constraints to the web deployment descriptor. You need to modify the web.xml in the WEB-INF directory of the web application you are securing to add in the following: <security-constraint> <web-resource-collection> <web-resource-name>all resources</web-resource-name> <description>protects all resources</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>webappuser</role-name> </auth-constraint> 36

47 Deploying VSJ JBoss Edition </security-constraint> <security-role> <role-name>webappuser</role-name> </security-role> The "security-constraint" section is what is used to define what resources in the web application are protected. You can have multiple security-constraint elements in the web.xml that have different protections for different resources. You have to have at least one web-resource-collection element to specify what this constraint it protecting. The "url-pattern" element specifies the URL pattern to protect. The example above protects _all_ resources in the web application. The auth-constraint element specifies which roles have access to the protected resource. The example just specifies one role, but multiple roles can be included by specifying additional role-name elements. Role names and mappings can be specified in the rolemapping.properties file in the format "rolename=user/group1[,user/group2...]". For example: 4. Configure the jboss-web.xml file to point to the "vsj-app" application. Add/edit the jboss-web.xml in the WEB-INF directory of the web application you are securing to add the following in the "jboss-web" element: <jboss-web> <security-domain flushonsessioninvalidation="true"> java:/jaas/vsj-app </security-domain> </jboss-web> This element tells JBoss AS to connect the web application to the "vsj-app" security domain we specified in the login-config.xml file earlier. JBoss AS exposes security domains via JNDI by prepending "java:/jaas/" to the name element in the application-policy element in the login-config.xml file. 37

48 Vintela Single Sign-on for Java from Quest Software 5. Configure the context.xml file to use the VSJ JBoss Edition valves. Add/edit the context.xml in the WEB-INF directory of the web application you are securing to add the following in the "jboss-web" element: <Context> <Valve classname="com.quest.vsj.jboss.auth. VsjAuthValve" /> <!-- This extra valve is required only if NTLM authentication is used --> <Valve classname="com.quest.vsj.jboss.auth. VsjFauxNtlmValve" /> </Context> 6. Rebuild your VSJ-enabled web application and deploy. Setting Up Logging VSJ JBoss Edition integrates with the Log4J logging framework used by JBoss. The Log4J configuration file can be found at ${jboss.home}/server/ ${jboss.server}/conf/log4j.xml. The easiest way to enable VSJ logging is to edit the Log4J configuration file and create two new categories: <category name="com.wedgetail"> <priority value="debug"/> <appender-ref ref="file"/> </category> <category name="com.quest"> <priority value="debug"/> <appender-ref ref="file"/> </category> This will output VSJ log messages at a DEBUG level to the default JBoss log file. More details on logging levels and how to configure Log4J can be found at Additional logging can be switched on by starting JBoss with the VSJ debug flags: set JAVA_OPTS=%JAVA_OPTS% -Djcsi.kerberos.debug=true -Didm.spnego.debug=true 38

49 Deploying VSJ JBoss Edition Using VSJ Credential Delegation One of the most powerful features of VSJ is its support for credential delegation. This feature allows Java EE components deployed with VSJ to use credentials provided by the client to authenticate to other services on the client's behalf. This works as shown in Figure 1. Delegation does not work for users authenticated using NTLM. Figure 1: Credential Delegation 39

Vintela Single Sign-on for Java. Deployment Guide Standard Edition 3.2

Vintela Single Sign-on for Java. Deployment Guide Standard Edition 3.2 Vintela Single Sign-on for Java Deployment Guide Standard Edition 3.2 2007 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Vintela Single Sign-on for Java from Quest Software. Deployment Guide WebSphere Edition 3.2

Vintela Single Sign-on for Java from Quest Software. Deployment Guide WebSphere Edition 3.2 Vintela Single Sign-on for Java from Quest Software Deployment Guide WebSphere Edition 3.2 Vintela Single Sign-on for Java(c) 2006 Quest Software, Inc. All rights reserved. No part of this work may be

More information

Quest Single Sign-On 3.3 FOR TOMCAT. Reference Guide

Quest Single Sign-On 3.3 FOR TOMCAT. Reference Guide Quest Single Sign-On FOR TOMCAT 3.3 Reference Guide 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory HOWTO, 2 nd edition Introduction... 2 Integration using the Lights-Out Migration Utility... 2 Integration using the ilo web interface...

More information

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Kerberos and Windows SSO Guide Jahia EE v6.1

Kerberos and Windows SSO Guide Jahia EE v6.1 Documentation Kerberos and Windows SSO Guide Jahia EE v6.1 Jahia delivers the first Web Content Integration Software by combining Enterprise Web Content Management with Document and Portal Management features.

More information

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software Avocent, the Avocent logo, The Power of Being There and DSView are registered trademarks of Avocent

More information

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 3.0 PingFederate IWA Integration Kit Version 3.0 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 3.0 April, 2012 Ping Identity Corporation

More information

IceWarp Server - SSO (Single Sign-On)

IceWarp Server - SSO (Single Sign-On) IceWarp Server - SSO (Single Sign-On) Probably the most difficult task for me is to explain the new SSO feature of IceWarp Server. The reason for this is that I have only little knowledge about it and

More information

Single Sign-On Using SPNEGO

Single Sign-On Using SPNEGO Single Sign-On Using SPNEGO Introduction As of Percussion CM Server version 7.0.2, build 201106R01, patch level RX-17069, Windows Single Sign-On (SSO) using SPNEGO is now supported. Through the SSO feature,

More information

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication Summary STEP- BY- STEP GUIDE TO CONFIGURE SINGLE SIGN- ON FOR HTTP REQUESTS USING SPNEGO WEB AUTHENTICATION

More information

BusinessObjects 4.0 Windows AD Single Sign on Configuration

BusinessObjects 4.0 Windows AD Single Sign on Configuration TUBusinessObjects 4.0 Single Sign OnUT BusinessObjects 4.0 Single Sign On also called SSO with Windows AD requires few steps to take. Most of the steps are dependent on each other. Certain steps cannot

More information

Single Sign-On for Kerberized Linux and UNIX Applications

Single Sign-On for Kerberized Linux and UNIX Applications Likewise Enterprise Single Sign-On for Kerberized Linux and UNIX Applications AUTHOR: Manny Vellon Chief Technology Officer Likewise Software Abstract This document describes how Likewise facilitates the

More information

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Leverage Active Directory with Kerberos to Eliminate HTTP Password Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

How-to: Single Sign-On

How-to: Single Sign-On How-to: Single Sign-On Document version: 1.02 nirva systems info@nirva-systems.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features

More information

Guide to SASL, GSSAPI & Kerberos v.6.0

Guide to SASL, GSSAPI & Kerberos v.6.0 SYMLABS VIRTUAL DIRECTORY SERVER Guide to SASL, GSSAPI & Kerberos v.6.0 Copyright 2011 www.symlabs.com Chapter 1 Introduction Symlabs has added support for the GSSAPI 1 authentication mechanism, which

More information

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,

More information

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu 7.5.2 (Windows 7) On Pc Or Ipad

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu 7.5.2 (Windows 7) On Pc Or Ipad Deploying CTERA Agent via Microsoft Active Directory and Single Sign On Cloud Attached Storage September 2015 Version 5.0 Copyright 2009-2015 CTERA Networks Ltd. All rights reserved. No part of this document

More information

Active Directory and DirectControl

Active Directory and DirectControl WHITE PAPER CENTRIFY CORP. Active Directory and DirectControl APRIL 2005 The Right Choice for Enterprise Identity Management and Infrastructure Consolidation ABSTRACT Microsoft s Active Directory is now

More information

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. IWA Integration Kit. User Guide. Version 2.6 PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation

More information

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter Technical White Paper Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter For the Windows Operation System Software Version 9.40 Table of Contents Introduction...

More information

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410 800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment

More information

Windows Security and Directory Services for UNIX using Centrify DirectControl

Windows Security and Directory Services for UNIX using Centrify DirectControl SOLUTION GUIDE CENTRIFY CORP. SEPTEMBER 2005 Windows Security and Directory Services for UNIX using Centrify DirectControl With Centrify, you can now fully leverage your investment in Active Directory

More information

TIBCO ActiveMatrix BPM Single Sign-On

TIBCO ActiveMatrix BPM Single Sign-On Software Release 3.1 November 2014 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE

More information

Defender 5.7. Remote Access User Guide

Defender 5.7. Remote Access User Guide Defender 5.7 Remote Access User Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2 White Paper Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System Fabasoft Folio 2015 Update Rollup 2 Copyright Fabasoft R&D GmbH, Linz, Austria, 2015. All rights reserved. All

More information

Centrify Identity and Access Management for Cloudera

Centrify Identity and Access Management for Cloudera Centrify Identity and Access Management for Cloudera Integration Guide Abstract Centrify Server Suite is an enterprise-class solution that secures Cloudera Enterprise Data Hub leveraging an organization

More information

Configure the Application Server User Account on the Domain Server

Configure the Application Server User Account on the Domain Server How to Set up Kerberos Summary This guide guide provides the steps required to set up Kerberos Configure the Application Server User Account on the Domain Server The following instructions are based on

More information

Siteminder Integration Guide

Siteminder Integration Guide Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

More information

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

Troubleshooting Kerberos Errors

Troubleshooting Kerberos Errors Troubleshooting Kerberos Errors Abstract Microsoft Corporation Published: March 2004 This white paper can help you troubleshoot Kerberos authentication problems that might occur in a Microsoft Windows

More information

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide Quest ChangeAuditor FOR ACTIVE DIRECTORY 5.1 User Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described

More information

Enabling single sign-on for Cognos 8/10 with Active Directory

Enabling single sign-on for Cognos 8/10 with Active Directory Enabling single sign-on for Cognos 8/10 with Active Directory Overview QueryVision Note: Overview This document pulls together information from a number of QueryVision and IBM/Cognos material that are

More information

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:

More information

Use Enterprise SSO as the Credential Server for Protected Sites

Use Enterprise SSO as the Credential Server for Protected Sites Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured

More information

Security Provider Integration Kerberos Authentication

Security Provider Integration Kerberos Authentication Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server. Configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft Active Directory services Document version 1.0 Copyright International

More information

EMC Documentum Kerberos SSO Authentication

EMC Documentum Kerberos SSO Authentication A Detailed Review Abstract This white paper introduces and describes a Kerberos-based EMC Documentum environment, and explains how to deploy such a system with single sign-on (SSO) on the Documentum platform.

More information

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials

More information

Kerberos authentication made easy on OpenVMS

Kerberos authentication made easy on OpenVMS Kerberos authentication made easy on OpenVMS Author: Srinivasa Rao Yarlagadda yarlagadda-srinivasa.rao@hp.com Co-Author: Rupesh Shantamurty rupeshs@hp.com OpenVMS Technical Journal V18 Table of contents

More information

Entrust Managed Services PKI

Entrust Managed Services PKI Entrust Managed Services PKI Entrust Managed Services PKI Windows Smart Card Logon Configuration Guide Using Web-based applications Document issue: 1.0 Date of Issue: June 2009 Copyright 2009 Entrust.

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Defender Delegated Administration. User Guide

Defender Delegated Administration. User Guide Defender Delegated Administration User Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Managing an Active Directory Infrastructure

Managing an Active Directory Infrastructure 3 CHAPTER 3 Managing an Active Directory Infrastructure Objectives This chapter covers the following Microsoft-specified objectives for the Planning and Implementing an Active Directory Infrastructure

More information

Installation and Configuration Guide

Installation and Configuration Guide Entrust Managed Services PKI Auto-enrollment Server 7.0 Installation and Configuration Guide Document issue: 1.0 Date of Issue: July 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark

More information

Juniper Networks Secure Access Kerberos Constrained Delegation

Juniper Networks Secure Access Kerberos Constrained Delegation Juniper Networks Secure Access Kerberos Constrained Delegation Release 6.4 CONTENT 1. BACKGROUND...3 2. SETTING UP CONSTRAINED DELEGATION...5 2.1 ACTIVE DIRECTORY CONFIGURATION...5 2.1.1 Create a Kerberos

More information

4.0. Offline Folder Wizard. User Guide

4.0. Offline Folder Wizard. User Guide 4.0 Offline Folder Wizard User Guide Copyright Quest Software, Inc. 2007. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this

More information

Configuring IBM Cognos Controller 8 to use Single Sign- On

Configuring IBM Cognos Controller 8 to use Single Sign- On Guideline Configuring IBM Cognos Controller 8 to use Single Sign- On Product(s): IBM Cognos Controller 8.2 Area of Interest: Security Configuring IBM Cognos Controller 8 to use Single Sign-On 2 Copyright

More information

www.stbernard.com Active Directory 2008 Implementation Guide Version 6.3

www.stbernard.com Active Directory 2008 Implementation Guide Version 6.3 800 782 3762 www.stbernard.com Active Directory 2008 Implementation Guide Version 6.3 Contents 1 INTRODUCTION... 2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION... 3 2.1 Supported

More information

Using Active Directory as your Solaris Authentication Source

Using Active Directory as your Solaris Authentication Source Using Active Directory as your Solaris Authentication Source The scope of this paper is to document how a newly installed Solaris 10 server can be configured to use an Active Directory directory service

More information

Dell Compellent Storage Center

Dell Compellent Storage Center Dell Compellent Storage Center Active Directory Integration Best Practices Guide Dell Compellent Technical Solutions Group January, 2013 THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND

More information

TopEase Single Sign On Windows AD

TopEase Single Sign On Windows AD TopEase Single Sign On Windows AD Version Control: Version Status Datum / Kurzzeichen Begründung 1.0 Final 09.09.12 / gon New template and logo Copyright: This document is the property of Business-DNA

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

KERBEROS ENVIRONMENT SETUP FOR EMC DOCUMENTUM CENTERSTAGE

KERBEROS ENVIRONMENT SETUP FOR EMC DOCUMENTUM CENTERSTAGE White Paper KERBEROS ENVIRONMENT SETUP FOR EMC DOCUMENTUM CENTERSTAGE Abstract This white paper explains how to setup Kerberos environment for CenterStage with Single / Multi-Repository, Multi-Docbase

More information

Blue Coat Security First Steps Solution for Integrating Authentication

Blue Coat Security First Steps Solution for Integrating Authentication Solution for Integrating Authentication using IWA Direct SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

TIBCO ActiveMatrix BPM Single Sign-On

TIBCO ActiveMatrix BPM Single Sign-On TIBCO ActiveMatrix BPM Single Sign-On Software Release 4.0 November 2015 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR

More information

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication

More information

Active Directory and Linux Identity Management

Active Directory and Linux Identity Management Active Directory and Linux Identity Management Published by the Open Source Software Lab at Microsoft. December 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab.

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

Identikey Server Windows Installation Guide 3.1

Identikey Server Windows Installation Guide 3.1 Identikey Server Windows Installation Guide 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 February 8, 2013 Version 1.0 Vishal Dhir Customer Solution Adoption (CSA) www.sap.com TABLE OF CONTENTS INTRODUCTION... 3 What

More information

Networking Best Practices Guide. Version 6.5

Networking Best Practices Guide. Version 6.5 Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 May 2015 This guide describes how to configure Microsoft Office 365 for use with Dell One Identity Cloud Access Manager

More information

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide

Foglight. Foglight for Virtualization, Free Edition 6.5.2. Installation and Configuration Guide Foglight Foglight for Virtualization, Free Edition 6.5.2 Installation and Configuration Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Configuring Single Sign-On for Application Launch in OpenManage Essentials

Configuring Single Sign-On for Application Launch in OpenManage Essentials Configuring Single Sign-On for Application Launch in OpenManage Essentials This Dell Technical White paper provides information required to configure Single Sign-On (SSO)for launching the idrac console

More information

User Source and Authentication Reference

User Source and Authentication Reference User Source and Authentication Reference ZENworks 11 www.novell.com/documentation Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Deploying System Center 2012 R2 Configuration Manager

Deploying System Center 2012 R2 Configuration Manager Deploying System Center 2012 R2 Configuration Manager This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

More information

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02 Oracle Enterprise Single Sign-on Logon Manager Installation and Setup Guide Release 11.1.1.2.0 E15720-02 November 2010 Oracle Enterprise Single Sign-on Logon Manager, Installation and Setup Guide, Release

More information

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 June 14, 2013 Version 2.0 Vishal Dhir Customer Solution Adoption (CSA) www.sap.com TABLE OF CONTENTS INTRODUCTION... 3 What

More information

Optimization in a Secure Windows Environment

Optimization in a Secure Windows Environment WHITE PAPER Optimization in a Secure Windows Environment A guide to the preparation, configuration and troubleshooting of Riverbed Steelhead appliances for Signed SMB and Encrypted MAPI September 2013

More information

Implementing Domain Name Service (DNS)

Implementing Domain Name Service (DNS) Implementing Domain Name Service (DNS) H C A 1 P T E R ITINERARY Objective 1.01 Objective 1.02 Objective 1.03 Install and Configure DNS for Active Directory Integrate Active Directory DNS Zones with Existing

More information

Likewise Security Benefits

Likewise Security Benefits Likewise Enterprise Likewise Security Benefits AUTHOR: Manny Vellon Chief Technology Officer Likewise Software Abstract This document describes how Likewise improves the security of Linux and UNIX computers

More information

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON Chad Watson Sr. Business Intelligence Developer UPGRADING TO XI 3.1 SP6 What Business Objects Administrators should consider before installing a Service Pack.

More information

BlueCoat s Guide to Authentication V1.0

BlueCoat s Guide to Authentication V1.0 BlueCoat s Guide to Authentication V1.0 Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change

More information

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create

More information

Active Directory Adapter with 64-bit Support Installation and Configuration Guide

Active Directory Adapter with 64-bit Support Installation and Configuration Guide IBM Security Identity Manager Version 6.0 Active Directory Adapter with 64-bit Support Installation and Configuration Guide SC27-4384-02 IBM Security Identity Manager Version 6.0 Active Directory Adapter

More information

Request Manager Installation and Configuration Guide

Request Manager Installation and Configuration Guide Request Manager Installation and Configuration Guide vcloud Request Manager 1.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Xerox DocuShare Security Features. Security White Paper

Xerox DocuShare Security Features. Security White Paper Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

SafeGuard Enterprise Web Helpdesk

SafeGuard Enterprise Web Helpdesk SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk

More information

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory W H I T E P A P E R C E N T R I F Y C O R P. M A Y 2008 Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory The Active Directory-Based Single Sign-On Solution

More information

IDENTIKEY Server Windows Installation Guide 3.2

IDENTIKEY Server Windows Installation Guide 3.2 IDENTIKEY Server Windows Installation Guide 3.2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

NETASQ SSO Agent Installation and deployment

NETASQ SSO Agent Installation and deployment NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user

More information

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure

Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure Technical White Paper DESKTOP www.novell.com Using SUSE Linux Enterprise Desktop with Microsoft * Active Directory Infrastructure * Using SUSE Linux Enterprise Desktop with Microsoft Active Directory Infrastructure

More information

Module 1: Introduction to Active Directory Infrastructure

Module 1: Introduction to Active Directory Infrastructure Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19

More information

Web Portal Installation Guide 5.0

Web Portal Installation Guide 5.0 Web Portal Installation Guide 5.0 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

AD RMS Step-by-Step Guide

AD RMS Step-by-Step Guide AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to

More information

Using Logon Agent for Transparent User Identification

Using Logon Agent for Transparent User Identification Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information