Announcement Announcement Module
Collapse
No announcement yet.
Kerberos, SSO and Machines Outside the Domain Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Kerberos, SSO and Machines Outside the Domain

    I have been POC'ing with milestone 2 of the Kerberos extension to achieve single sign-on.

    Quick summary of my setup:
    KDC: Windows Server 2003 (SP2)
    Web server: Ubuntu 10.04, Tomcat 5.5, Java 1.6.0_22 (not on the domain)
    Spring: Framework 3.0.5, Security 3.0.4, Kerberos Extension 1.0.0 M2

    I have setup my configuration to first attempt SPNEGO authentication and if it fails to then redirect to a login page.
    This is done by setting SpnegoAuthenticationProcessingFilter's "failureHandler" property. I have successfully tested this
    on Windows machines (XP and 7) that are in and out of the domain. The machines that are outside the domain gets redirected to
    the login page and then can successfully login. Here is my config:

    HTML Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:beans="http://www.springframework.org/schema/beans"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <http entry-point-ref="spnegoEntryPoint" auto-config="false">
            <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    	<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    
    	<custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
            <form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/>
       </http>
    
       <authentication-manager alias="authenticationManager">
          <authentication-provider ref="kerberosServiceAuthenticationProvider" />
          <authentication-provider ref="kerberosAuthenticationProvider"/>
       </authentication-manager>
    
        <beans:bean id="spnegoEntryPoint"
    		class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
    
    	<beans:bean id="spnegoAuthenticationProcessingFilter"
    		class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
            <beans:property name="failureHandler">
    			<beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    				<beans:property name="defaultFailureUrl" value="/login.html" />
                                    <beans:property name="allowSessionCreation" value="true"/>
    			</beans:bean>
    		</beans:property>
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    	</beans:bean>
    
        <beans:bean id="kerberosServiceAuthenticationProvider"
    		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
    		<beans:property name="ticketValidator">
    			<beans:bean
    				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
    				<beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/>
    				<beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" />
    				<beans:property name="debug" value="true"/>
    			</beans:bean>
    		</beans:property>
    		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
    	</beans:bean>
    
        <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
    		<beans:property name="kerberosClient">
    			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
    				<beans:property name="debug" value="true" />
    			</beans:bean>
    		</beans:property>
    		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
    	</beans:bean>
    
        <beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
    		<beans:property name="debug" value="true" />
    		<beans:property name="krbConfLocation" value="/etc/krb5.conf" />
    	</beans:bean>
    
        <beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/>
    
      </beans:beans>
    When the Windows machine is outside the domain my web server responds with the "WWW-Authenticate Negotiate" header (as per usual) to which
    the Windows machine responds to with a NTLM header ("Negotiate TlRM..."), where the SpnegoAuthenticationProcessingFilter then says "Negotiate Header was invalid..."
    and awesomly redirects the user to the login page. Great.

    The Issue:
    There are a number of Mac and Linux machines that are permanently outside the domain which would need to use this web app.
    When they hit the web app (with FireFox 3.6) my web server responds with the expected "WWW-Authenticate Negotiate" header to inform
    the client that the web app is Kerberized, BUT neither the Mac or Linux machines responds at all. Thus the SpnegoAuthenticationProcessingFilter
    doesn't get entered again and hence no failure and subsequently no redirection to the login page takes place.

    The Questions:
    Why doesn't the Mac and Linux machines respond in the same way as the Windows machines (can't belive I just asked that...)?

    I know that when the Mac and Linux machines obtain a ticket (via kinit) they are able to authenticated but this doesn't seem like a good solution
    at all as it requires effort from the user to provide credentials etc. where the tickets expires as well.

    So is there any way that we can get these machines to send back a NTLM header as the Windows machines does?
    Or if there are any other suggestions/ways please let me know.

    B.t.w. i did configure the FireFoxes that I used to test on the Mac and Linux machines ("network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" was set to ".corpza.corp.co.za").
    Last edited by markus sukram; Dec 1st, 2010, 09:19 AM.

  • #2
    Did you get a fix for your issue?

    Comment

    Working...
    X