SPNEGO Authentication

This section explains how to set up Ceptor to use SPNEGO authentication between browsers and the Dispatcher.

Configuration

You will need to add the authentication plugin “dk.itp.security.authentication.spnego.SpnegoAuthenticationPlugin” to the session controller configuration in portalprotect-configuration.xml, e.g.

<property name="server.authenticationplugins" value="dk.itp.portalprotect.useradmin.server.UAAuthenticationPlugin,dk.itp.security.passticket.server.FileLogin,dk.itp.security.authentication.x509useradm.SSLCertificatePlugin,dk.itp.security.authentication.x509useradm.X509CertificatePlugin,dk.itp.security.authentication.eticket.plugins.ETicketAuthenticationPlugin,dk.itp.portalprotect.wss.WSSAuthenticationPlugin,dk.itp.security.authentication.ntlm.NTLMAuthenticationPlugin,dk.itp.security.authentication.spnego.SpnegoAuthenticationPlugin" description="The list of authentication plugins (classes) to load"/>

If ntlmEnabled is set to true for the dispatcher, and the plugin dk.itp.security.authentication.ntlm.NTLMAuthenticationPlugin is loaded by the session controller, the dispatcher falls back to NTLM when the browser does not complete SPNEGO. In practice this only happens when something is wrong with the configuration, e.g. the SPN for the hostname the user types is not registered in Active Directory (so the browser cannot obtain a Kerberos service ticket for it), or the browser is not set up to allow SPNEGO authentication for that site. Because NTLM is weaker than Kerberos and does not involve the SPN at all, treat a fallback as a signal to fix the configuration rather than as a permanent mode of operation.
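As an added illustration (example code written for this page, not part of Ceptor), the following Python shows what the fallback looks like on the wire. Both a SPNEGO token and an NTLM message arrive in the same Authorization: Negotiate header, so the receiving side must look at the token bytes to tell them apart: a SPNEGO NegTokenInit is a DER-encoded GSS-API token that starts with the SPNEGO OID 1.3.6.1.5.5.2 and lists the mechanisms the browser offers (Kerberos first when the SPN was found), while a browser that has given up on Kerberos sends a raw NTLMSSP message. The sample tokens are constructed inside the script and are not captured traffic; the mechToken in the SPNEGO sample is a placeholder, not a real Kerberos AP-REQ.

```python
"""Classify the token in an HTTP "Authorization: Negotiate" header: SPNEGO
NegTokenInit (and the mechanisms it offers), raw Kerberos, or the NTLM message a
browser sends when it could not do Kerberos. Example code written for this page,
not Ceptor's; the sample tokens below are constructed, not captured traffic."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


# --- minimal DER helpers: enough for OID, SEQUENCE and context tags --------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # least significant 7 bits go last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element); raise if truncated."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


# --- the classifier ----------------------------------------------------------
def classify_negotiate(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate authorization header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        # The browser fell back to NTLM but still used the Negotiate scheme.
        return {"mechanism": "ntlm", "mech_types": [],
                "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    if token[:1] != b"\x60":                 # not a GSS-API InitialContextToken
        return {"mechanism": "unknown", "mech_types": []}
    _, body, _ = _read_tlv(token, 0)
    tag, oid_raw, pos = _read_tlv(body, 0)   # thisMech OID
    oid = _decode_oid(oid_raw) if tag == 0x06 else ""
    if oid == KRB5_OID:                      # some clients skip SPNEGO entirely
        return {"mechanism": "kerberos-raw", "mech_types": [KRB5_OID]}
    if oid != SPNEGO_OID:
        return {"mechanism": "unknown", "mech_types": []}
    # NegotiationToken ::= [0] NegTokenInit (a SEQUENCE); mechTypes is field [0]
    _, neg_body, _ = _read_tlv(body, pos)
    _, seq_body, _ = _read_tlv(neg_body, 0)
    _, mt_body, _ = _read_tlv(seq_body, 0)
    _, oid_list, _ = _read_tlv(mt_body, 0)
    mechs, p = [], 0
    while p < len(oid_list):
        _, raw, p = _read_tlv(oid_list, p)
        mechs.append(_decode_oid(raw))
    return {"mechanism": "spnego", "mech_types": mechs,
            "offers_kerberos": any(m in (KRB5_OID, MS_KRB5_OID) for m in mechs),
            "ntlm_only": mechs == [NTLMSSP_OID]}


# --- constructed sample tokens (not captured from a real browser) -----------
def build_negtokeninit(mech_oids, mech_token=b""):
    """Build a SPNEGO NegTokenInit offering mech_oids, optionally with a mechToken."""
    oid_list = b"".join(_der(0x06, _encode_oid(o)) for o in mech_oids)
    fields = _der(0xA0, _der(0x30, oid_list))                 # mechTypes [0]
    if mech_token:
        fields += _der(0xA2, _der(0x04, mech_token))          # mechToken [2]
    neg_token = _der(0xA0, _der(0x30, fields))                # [0] NegTokenInit
    return _der(0x60, _der(0x06, _encode_oid(SPNEGO_OID)) + neg_token)

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Healthy client: Kerberos offered first; mechToken is a placeholder, not an AP-REQ.
SAMPLE_SPNEGO = negotiate_header(
    build_negtokeninit([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x00" * 8))
# Fallback: a 32-byte NTLM NEGOTIATE (type 1) message under the Negotiate scheme.
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20)

if __name__ == "__main__":
    for header in (SAMPLE_SPNEGO, SAMPLE_NTLM):
        print(classify_negotiate(header))
```

Run stand-alone, the script classifies the first sample as "spnego" offering ms-krb5, krb5 and ntlmssp, and the second as an NTLM type 1 message. A dispatcher that sees the second shape, or a NegTokenInit whose mechTypes list contains only the NTLMSSP OID, is observing exactly the fallback described above and should be logging it as a configuration problem.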

This sample shows the remaining parameters the SPNEGO authentication plugin needs; they must be defined for the session controller.

<property name="spnego.krb5.conf" value="${portalprotect.home}/config/spnego/krb5.conf" />
<property name="spnego.login.conf" value="${portalprotect.home}/config/spnego/login.conf"/>
<property name="spnego.login.server.module" value="spnego-server"/>
<property name="spnego.preauth.password" value="password"/>
<property name="spnego.preauth.username" value="ppserver@ITPTEST.DK" />
<property name="spnego.ad.servers" value="testserver.itptest.dk:389"/>
<property name="spnego.ad.basedn" value="DC=itptest,DC=dk"/>
<property name="spnego.ad.systemuser" value="Administrator@ITPTEST.DK"/>
<property name="spnego.ad.systempassword" value="password"/>
<property name="spnego.ad.usersRDN" value="CN=Users"/>
<property name="spnego.ad.useridName" value="userPrincipalName"/>
<property name="spnego.ad.userattributes" value="cn,userPrincipalName,memberOf,logonCount,lastLogon"/>

You will also need to configure the dispatcher and set sslRequired=true, either for the entire dispatcher or for specific alternate servers, for it to require authentication. This also keeps the Negotiate tokens carried in the Authorization header off cleartext connections.

This is an example of the contents of the files krb5.conf and login.conf:

login.conf
// JAAS entry; the name must match spnego.login.server.module above.
spnego-server {
	com.sun.security.auth.module.Krb5LoginModule required
	// storeKey keeps the service key in the Subject so incoming AP-REQs can be decrypted
	storeKey=true
	// acceptor side only: the module must not try to obtain a TGT for itself
	isInitiator=false;
};

krb5.conf
[libdefaults]
   # Listed in preference order. The AES types are preferred; rc4-hmac is
   # deprecated and the des-* types are obsolete (recent Java releases refuse
   # them unless allow_weak_crypto = true). Keep only the types your domain
   # controller and the service account actually support.
   default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
   default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
   permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
   ITPTEST.DK = {
      kdc = testserver.itptest.dk
      default_domain = ITPTEST.DK
   }

[domain_realm]
   # host and domain names are written in lower case here; the realm stays upper case
   .itptest.dk = ITPTEST.DK
   itptest.dk = ITPTEST.DK

You will need to replace all instances of ITPTEST.DK with your own domain name (the Kerberos realm, conventionally written in upper case) and testserver.itptest.dk with the hostname of your Active Directory domain controller.

Note that instead of preauthentication with a stored user id and password, you can create a keytab file for the service account (on Windows with ktpass) and point Krb5LoginModule at it in login.conf with the options useKeyTab=true, keyTab=<path> and principal=<name>; refer to the Java GSS documentation for the details, including how krb5.conf can name a default keytab. This keeps the preauth user id and password out of the configuration file, and the keytab must then be protected with file permissions as carefully as that password would be.

Steps Needed on Active Directory Server

On the Active Directory server (Windows 2003 is tested and verified), create a new domain user. In the configuration example above this user is called ppserver, but the name is arbitrary. Use the fully qualified name of the preauth user, userid@DOMAIN.NAME, in the configuration. When preauthentication is used the PortalProtect server itself does not need to be joined to the domain; only the workstations do.

Once the user is created, register on it the Service Principal Names (SPNs) for the hostnames the clients use to reach the web servers. It is very important to add every variation users may type, e.g. both myapplication.itptest.dk and myapplication, because the browser builds the SPN from the hostname as it appears in the URL.

To add them, download setspn.exe (part of the Windows Support Tools from Microsoft) and run the following commands on the Active Directory server; the last argument is the service account created above:

setspn.exe -A HTTP/myapplication.itptest.dk ppserver
setspn.exe -A HTTP/myapplication ppserver

This associates the host names with the service account and in turn allows the SPNEGO authentication plugin to negotiate with the browser. Run setspn.exe -L ppserver to list the SPNs registered on the account and confirm both entries are present. An SPN must be registered on exactly one account in the forest; if the same HTTP/ name is also present on another account (for example a computer account), Kerberos authentication for that name will fail.

Note that it is VERY important to keep the case: HTTP must be capitalized or it will not work.

© Ceptor ApS. All Rights Reserved.