Kerberos and Windows SSO Guide Jahia EE v6.1



Similar documents
ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

Single Sign-On Using SPNEGO

KERBEROS ENVIRONMENT SETUP FOR EMC DOCUMENTUM CENTERSTAGE

Configure the Application Server User Account on the Domain Server

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0

BusinessObjects 4.0 Windows AD Single Sign on Configuration

How-to: Single Sign-On

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

EMC Documentum Kerberos SSO Authentication

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

IceWarp Server - SSO (Single Sign-On)

Using Kerberos tickets for true Single Sign On

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Configuring Single Sign-on for SAP HANA

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Using Active Directory as your Solaris Authentication Source

Configuring Single Sign-On for Application Launch in OpenManage Essentials

PingFederate. IWA Integration Kit. User Guide. Version 3.0

HRSWEB ActiveDirectory How-To

Single Sign On (SSO) solution for BMC Remedy Action Request System

PingFederate. IWA Integration Kit. User Guide. Version 2.6

Integrating OID with Active Directory and WNA

Perforce Helix Threat Detection OVA Deployment Guide

Ensure that your environment meets the requirements. Provision the OpenAM server in Active Directory, then generate keytab files.

Single Sign-on (SSO) technologies for the Domino Web Server

Guide to SASL, GSSAPI & Kerberos v.6.0

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Kerberos Delegation with SAS 9.4

TIBCO ActiveMatrix BPM Single Sign-On

TopEase Single Sign On Windows AD

Active Directory 2008 Implementation Guide Version 6.3

SSO Plugin. Troubleshooting. J System Solutions. Version 3.4

INUVIKA TECHNICAL GUIDE

SSO Plugin. Troubleshooting. J System Solutions. Version 3.5

SAP SINGLE SIGN-ON AND SECURE CONNECTIONS VIA SNC ADAPTER. Author : Matthias Schlarb, REALTECH system consulting GmbH. matthias.schlarb@realtech.

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Configuring Single Sign-on Between WebSphere Portal V6.1 and Windows Desktop using SPNEGO TAI

TIBCO ActiveMatrix BPM Single Sign-On

Comodo Certificate Manager Software Version 4.5

Using OpenSSH in a Single Sign-On Corporate Environment with z/os, Windows and Linux

Kerberos: Single Sign On for BS2000

SSO Plugin. J System Solutions. Troubleshooting SSO Plugin - BMC AR System & Mid Tier.

CA Performance Center

Configuring Active Directory Single Sign-On (AD SSO)

Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

SSO Plugin. Configuration of BMC Mid Tier, HP Web Tier and Authentication Service. J System Solutions. Version 4.

Vintela Single Sign-on for Java. Deployment Guide JBoss Edition 3.2

EMC Documentum My Documentum for Microsoft SharePoint

Active Directory 2008 Implementation. Version 6.410

Pulse Policy Secure. UAC Solution Guide for SRX Series Services Gateways. Product Release 5.1. Document Revision 1.0 Published:

Centrify Identity and Access Management for Cloudera

Vintela Single Sign-on for Java. Deployment Guide Standard Edition 3.2

Kerberos -Based Active Directory Authentication to Support Smart Card and Single Sign-On Login to DRAC5

Enabling single sign-on for Cognos 8/10 with Active Directory

SINGLE SIGN-ON FOR MTWEB

Kerberos on z/os. Active Directory On Windows Server William Mosley z/os NAS Development. December Interaction with.

Configuring Sponsor Authentication

SSO Plugin. J System Solutions. Upgrading SSO Plugin 3x to 4x - BMC AR System & Mid Tier.

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description

RHEL Clients to AD Integrating RHEL clients to Active Directory

Enterprise Knowledge Platform

Author: Joshua Meckler

Single Sign-On for Kerberized Linux and UNIX Applications

White paper version: 1.2 Date: 29th April 2011 AUTHORS: Vijeth R. Rajoli Krishna Chalamasandra

Configuring Active Directory Manual Authentication and SSO for BI4

User Source and Authentication Reference

McAfee Directory Services Connector extension

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Integrating WebSphere Portal V8.0 with Business Process Manager V8.0

Configuring IBM Cognos Controller 8 to use Single Sign- On

HP Archiving software for Microsoft Exchange Version 2.2

Security Provider Integration Kerberos Authentication

Desktop Web Access Single Sign-On Configuration Guide

Install guide for Websphere 7.0

Linux/Windows Security Interop: Apache with mod_auth_kerb and Windows Server 2003 R2

Active Directory Integration. Documentation. v1.02. making your facilities work for you!

Deploying RSA ClearTrust with the FirePass controller

SchoolBooking SSO Integration Guide

1 Introduction. Ubuntu Linux Server & Client and Active Directory. Page 1 of 14

I am an SE at a large storage system vendor

Blue Coat Security First Steps Solution for Integrating Authentication

Mixed Authentication Setup

SSSD Active Directory Improvements

ADFS for. LogMeIn and join.me authentication

Integration Package for Microsoft Office SharePoint3

Dell Compellent Storage Center

Security and Kerberos Authentication with K2 Servers

Juniper Networks Secure Access Kerberos Constrained Delegation

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Transcription:

Documentation Kerberos and Windows SSO Guide Jahia EE v6.1 Jahia delivers the first Web Content Integration Software by combining Enterprise Web Content Management with Document and Portal Management features. Jahia April 2010 9 route des Jeunes, CH-1227 Les acacias Geneva, Switzerland www.jahia.com The Company website www.jahia.org The Community website

Summary 1 Overview...3 1.1 Introduction...3 1.2 What s in this documentation?...3 2 Prerequisites...4 3 Set up the Active Directory...5 4 Create the Keytab file...6 5 Create Kerberos configuration file (krb5.conf)...7 6 Create JAAS login configuration file (jaas-login.conf)...8 7 Test the SPN account...9 8 Set up the browser...10 8.1 Internet Explorer (min 5.0.1)...10 8.2 Firefox (min 0.9)...10 9 Configure the HTTP filter and authentication valve in Jahia...11 10 Tips and tricks when configuring Kerberos...12 10.1 ERROR [ErrorLoggingFilter] - Unexpected exception occurred...12 10.2 KrbException: Clock skew too great (37)...12 11 Related links...13 Page 2 of 14

1 Overview 1.1 Introduction Jahia delivers the first Web Content Integration software by combining Enterprise Web Content Management with Document Management and Portal features. By leveraging state of the art Open Source frameworks and libraries, Jahia offers a complete solution for developing, integrating, delivering, and managing content across intranets, extranets, and internets with a much lower total cost of ownership than proprietary systems. 1.2 What s in this documentation? Jahia is able to plug-in different authentication policies via HTTP filters and a pipeline of authentication valves. Some filters and valves are provided and can be activated by configuration, like for NTLM or the integration of a CAS (Central Authentication Service) server. We now also provide a filter and valve for integration with SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to negotiate with the client and use either Kerberos or NTLM as fallback. This way a non-interactive login is possible, which takes the user logged in to the operating system running the browser. Such a secure solution is especially interesting for intranets running with Windows servers. This document describes how to configure such an environment. Should you have questions, please do not hesitate to contact us as mentioned on our website (http://www.jahia.com) or Community website (http://www.jahia.org). Page 3 of 14

2 Prerequisites JDK 1.5 Update 7 or later (otherwise the Active Directory native encryption (rc4-hmac) won't be supported and you will need to activate Kerberos DES encryption types in the Active Directory on each user account) Tomcat 6.0.19 or later (otherwise negotiation with the client will not work, when also using custom error pages for 401 errors in web.xml). If your Jahia release is shipped with an older Tomcat, then you will have to manually upgrade to the required version (described on the FAQ of.configuration and fine tuning JahiaEEv6) or if you do not need a custom error page, you can keep using the shipped Tomcat release and simply remove the following lines from Jahia's web.xml <error-page> <error-code>401</error-code> <location>/error</location> </error-page> You can make it work on Tomcat 6.0.18 by commenting the custom error pages for 401 in web.xml If using Windows Server 2008, then at least Service Pack 2 needs to be installed (otherwise only simple Kerberos user logons (e.g. via CAS) work, but checks against a Service Principle Name (SPN) will not work, as this one contains slashes (see Microsoft KB article: 951191)). For this guide we assume that you are using Windows Active Directory server. If you want to use Kerberos, then all clients and servers need to be joined in the same AD domain. If this requirement is not met, then SPNEGO will fall back to NTLM. It should also be possible to use other directory servers supporting Kerberos and you can take this guide to perhaps get some useful information also relevant for alternative environments. In the guide all terms in angle brackets <> should be replaced by terms fitting your environment or your choice. Notice also that realm names are case-sensitive and recommended to be used in UPPER CASE. Also with Kerberos you will not be able to use IP addresses or localhost but rather you will have to use the server name (DNS must be properly set up). Page 4 of 14

3 Set up the Active Directory A Service Principal Name (SPN) account needs to be created for the Jahia server. Note that this account can't be used to log in. 1. Start the Active Directory User and Computers from the Administration Tools menu. 2. Right click on the Users repository and select New > User 3. Enter user information (by example <your-spn-account> for user login), press Next. 4. Enter the <password> and select Password never expires and click on Next and then on Finish. Now in Windows server 2008 there is an extra step, which is not required in Windows server 2003: * In a console enter the command: setspn -a http/<your.jahia.server.name> <your-spn-account> Page 5 of 14

4 Create the Keytab file The Keytab file enables a trust link between the Jahia server and the Key Distribution Center (KDC). This file contains a cryptographic key. The ktpass tool, which comes from the Windows Resource Kit, is used to generate this file (in Windows Server 2008 the tool is already part of the product). In a console, enter the command: ktpass.exe /out <your-spn-account>.keytab /princ HTTP/<your.jahia.server.name>@<YOUR.AD.REALM> /pass * /mapuser <your-spn-account> /ptype krb5_nt_principal /crypto rc4-hmac-nt This command will generate the <your-spn-account>.keytab file, which has to be copied to a secret place on the Jahia server, which only the Jahia server application could read. Page 6 of 14

5 Create Kerberos configuration file (krb5.conf) On the Jahia server create the Kerberos configuration file (krb5.conf) and place it somewhere on the Jahia server. In the startup script of the Jahia server you need to add the following parameter to pick up this file: set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf=<path>\krb5.conf Here is an example: <YOUR.REALM> is the same as the domain in caps. [libdefaults] ticket_lifetime = 24000 default_realm = <YOUR.REALM> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc [realms] <YOUR.REALM> = { kdc = <hostname.of.your.kdc>.<your.domain> } [domain_realm].<your.domain> = <YOUR.REALM> <your.domain> = <YOUR.REALM> [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log Page 7 of 14

6 Create JAAS login configuration file (jaas-login.conf) On the Jahia server create the JAAS login configuration file (jaas-login.conf) and place it to a secret place accessible for the Jahia server. In the startup script of the Jahia server you need to add the following parameter to pick up this file: set JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config=<path>\jaas-login.conf set JAVA_OPTS=%JAVA_OPTS% -Djavax.security.auth.useSubjectCredsOnly=false Here is an example of the content: com.sun.security.jgss.accept { com.sun.security.auth.module.krb5loginmodule required storekey=true keytab="<path>/<your-spn-account>.keytab" donotprompt=true usekeytab=true principal="http/<your.jahia.server.name>@<your.realm>" isinitiator=false debug=false; }; Page 8 of 14

7 Test the SPN account As it is quite easy to make mistakes in the Kerberos configuration, you should test your configuration with the tools provided by Java, before starting Jahia. In order to have those tests work, you have to copy your krb5.conf file in your windows system directory and rename it krb5.ini (most often c:\windows\krb5.ini) Verify that your are able to read the keytab file: %JAVA_HOME%/bin/klist -k FILE:<path>/<your-spn-account>.keytab Then verify that your are able to read the keytab file: %JAVA_HOME%/bin/kinit -k -t FILE:<path>/<your-spn-account>.keytab HTTP/<your.jahia.server.name>@<YOUR.REALM>%JAVA_HOME%/bin/klist Page 9 of 14

8 Set up the browser 8.1 Internet Explorer (min 5.0.1) 1. In Internet Explorer, click Internet Options on the Tools menu. 2. Click on the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK. 3. Click on the Security tab, click to select Local Intranet then click on Sites, and then click on Advanced. 4. Enter https://<your.jahia.server.name> and validate by clicking on Add and OK. 5. Restart Internet Explorer. 8.2 Firefox (min 0.9) 1. In Firefox, enter about:config as url and click on Go. 2. On the line network.negotiate-auth.trusted-uris, right click on Modify and enter https://<your.jahia.server.name> Page 10 of 14

9 Configure the HTTP filter and authentication valve in Jahia In order to activate SPNEGO, you need to make sure that the web.xml file of your Jahia web-application has the following entries active: <filter> <filter-name>spnegohttpfilter</filter-name> <filter-class>org.jahia.bin.filters.spnego.spnegohttpfilter</filter-class> </filter> and <filter-mapping> <filter-name>spnegohttpfilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Then you also need to edit the WEB-INF\etc\spring\applicationcontext-pipelines.xml file and add the SpnegoAuthValveImpl as the first entry in the authpipeline, like this: <bean id="authpipeline" class="org.jahia.pipelines.impl.genericpipeline"> <property name="name" value="authpipeline" /> <property name="valves"> <list> <bean class="org.jahia.params.valves.spnegoauthvalveimpl" /> <bean class="org.jahia.params.valves.tokenauthvalveimpl" />... You also need to configure WEB-INF\etc\spring\applicationcontext-services.xml to connect the users and group LDAP to your active directory, so that the users will be known by Jahia. After making these changes, you need to restart the server to make them effective. Page 11 of 14

10 Tips and tricks when configuring Kerberos First of all, we recommend you to take a look at blogs.technet.com/askds/archive/2008/03/06/kerberos-forthe-busy-admin.aspx for information about how Kerberos works. 10.1 ERROR [ErrorLoggingFilter] - Unexpected exception occurred ERROR [SpnegoParser] - Failed to parse: 32 INFO [SpnegoParser] - [0,APPLICATION_CONSTRUCTED_OBJECT,0x4e] Expected type identifier INFO [SpnegoParser] - Expected length 84 mismatch against actual 30 INFO [SpnegoParser] - [2,OID,0x4c] Expected oid identifier ERROR [ErrorLoggingFilter] - Unexpected exception occurred java.lang.nullpointerexception This error means that the Kerberos authentication is not done on the client browser. Resolution : Check your Kerberos configuration with klist and kinit tools. Look at support.microsoft.com/default.aspx to activate Kerberos event logging 10.2 KrbException: Clock skew too great (37) This error occurs when there is more than 5 minutes between Kerberos domain controller and Jahia server times. Check time and time zone. Page 12 of 14

11 Related links Here are some links to further reading and troubleshooting: Kerberos with Java Troubleshooting Advanced Security Programming in Java SE... Single Sign-On Developing with Kerberos in Java Kerberos Authentication problems Service Principal Name (SPN) issues Setting up CAS with SPNEGO Authentication Handler Page 13 of 14

9 route des Jeunes, CH-1227 Les acacias Geneva, Switzerland www.jahia.com The Company website www.jahia.org The Community website

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information