
This article is an amendment to the JBoss Negotiation project documentation and a JBoss community thread. The reason for this article is that at times I felt the documentation was ambiguous and on occasion also lacking some important information. So here's my take on it, which made SSO work for me... after copious hours of elbow grease, I might add.
•As an example, you may want to access an SSO-enabled JBoss server as follows: http://jbossserver.six.com. For the purpose of the documentation to come, 'jbossserver' refers to the machine name, 'six' to the domain and 'six.com' to the realm.
•Download the “JBoss Negotiation Project” (JBossNegotiation - 2.0.3.GA)
•Unpack and copy jboss-negotiation-2.0.3.GA.jar to: ${JBOSS_HOME}/server/${server_config}/lib
•Add an entry to ${JBOSS_HOME}/server/${server_config}/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml.
Within this descriptor you should see a set of authenticators defined using a property called "authenticators". Add the following entry:
<entry>
<key>SPNEGO</key>
<value>org.jboss.security.negotiation.NegotiationAuthenticator</value>
</entry>
•In order for JBoss to identify itself against a specific realm and KDC (e.g. kdcserver.six.com), include the following as system properties within ${JBOSS_HOME}/server/${server_config}/deploy/properties-service.xml:
<attribute name="Properties">
java.security.krb5.kdc=kdcserver.six.com
java.security.krb5.realm=SIX.COM
</attribute>
•Create an Active Directory user account e.g. jbossuser with a suitable password.
Note: Do not create a user with the same name as the JBoss machine/server name (jbossserver). When creating the user, use the following properties:
a) User cannot change password (true/checked)
b) Password never expires (true/checked)
c) Use DES encryption types for this account (false/unchecked)
d) Do not require Kerberos preauthentication (true/checked)
Note: It is very important to remember that this account should under no circumstances be used as a regular user account. Activities such as logging into the domain on any given Windows machine as jbossuser should not be done.
•The jbossuser Active Directory user account needs to be mapped to a host account using the setspn.exe and ktpass.exe command line utilities included in the Windows 2003/2008 Support Tools. These commands need to be executed by a domain administrator, preferably on the machine on which the jbossuser user account was created. Note the upper-case realm, but only after the '@' sign.
setspn.exe -a HTTP/jbossserver.six.com@SIX.COM jbossuser
The following command can be used to list, thus confirm, the successful mapping of principal name to user account.
setspn.exe -l jbossuser
•The Windows Server ktpass.exe command line utility takes the jbossuser user and maps it as a trusted host. In this case you would need to execute the following command:
ktpass -princ HTTP/jbossserver.six.com@SIX.COM -pass * -mapuser SIX\jbossuser -out c:\jbossuser.http.keytab
•The ktab.exe (Kerberos key table manager) utility from the Java SDK is then used to export the keytab that will be used by the application server, using the following command. It is strongly advised to use the same Java version as the one used by the JBoss application server.
ktab -k c:\jbossuser.http.keytab -a jbossuser@SIX.COM
•The application server requires a security domain that it can use to first authenticate against the KDC. In order to configure this, a keytab will be required for the principal that represents the application server.
Below is an example host security domain to be added to ${JBOSS_HOME}/server/${server_config}/conf/login-config.xml. Remember to adjust the location path of the keyTab:
<application-policy name="host">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storeKey">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="principal">HTTP/jbossserver.six.com@SIX.COM</module-option>
<module-option name="keyTab">/usr/local/jbossuser.http.keytab</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>
•The application also requires its own security domain to be defined, with a login module that works in connection with the NegotiationAuthenticator.
For starters, the configuration requires two property files:
- props/spnego-users.properties
- props/spnego-roles.properties
“props” is meant to be a directory within ${JBOSS_HOME}/server/${server_config}/conf. spnego-users.properties is to remain empty, but spnego-roles.properties needs to include each of the user=role mappings required to access the application, e.g.:
jdoe@SIX.COM=Users
•Add the below to the ${JBOSS_HOME}/server/${server_config}/conf/login-config.xml:
<application-policy name="SPNEGO">
<authentication>
<login-module
code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
flag="requisite">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="serverSecurityDomain">host</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="usersProperties">props/spnego-users.properties</module-option>
<module-option name="rolesProperties">props/spnego-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
•By default Internet Explorer only performs SPNEGO authentication against sites in the 'Local intranet' zone, so the JBoss server has to be added to that zone:
- open the 'Internet Options' from the 'Tools' menu
- select the 'Security' tab
- ensure that 'Local intranet' is highlighted and click the 'Sites' command button.
- enter the URL of the server hosting the JBoss installation (e.g. http://jbossserver.six.com) and click on 'Add'.
After restarting Internet Explorer, this should be sufficient for it to trust the JBoss installation and to perform the SPNEGO negotiation.
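Before wiring the keytab from the ktpass/ktab steps into the host security domain, it is worth checking that the file really contains the principal the domain names (HTTP/jbossserver.six.com@SIX.COM), with the realm upper-cased after the '@' and no DES keys, since the account was created with DES unchecked. The script below is an added example, not part of this article or of JBoss Negotiation; it reads the MIT keytab format (version 0x0502) directly and runs on a keytab it constructs itself, so the sample principal, kvno and keys are assumptions.

```python
import struct
# Reads the MIT keytab format (0x0502) that ktpass/ktab write and checks that it
# holds the principal named in the "host" security domain, keyed without DES.
# Added example on constructed sample data; it is not part of the original page.
KEYTAB_VERSION = b"\x05\x02"

def _cstr(buf, pos):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):  # -> [(principal, kvno, enctype)] for each live entry
    assert data[:2] == KEYTAB_VERSION, "unsupported keytab version"
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot of that many bytes
            pos -= size; continue
        e = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", e, 0)
        realm, p = _cstr(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(e, p); comps.append(c.decode())
        p += 8  # skip uint32 name_type and uint32 timestamp
        kvno, enctype = struct.unpack_from(">BH", e, p)  # the key itself is skipped
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos += size
    return entries

def build_keytab(entries):  # minimal writer, from (principal, kvno, enctype, key)
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [x.encode() for x in [realm] + name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(x)) + x for x in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(data, expected):  # problems the page's Krb5LoginModule would hit
    found = parse_keytab(data)
    problems = [] if expected in [n for n, _, _ in found] else ["missing " + expected]
    for name, _, enctype in found:
        realm = name.rsplit("@", 1)[1]
        if realm != realm.upper():
            problems.append("realm not upper-case: " + name)
        if enctype in (1, 2, 3):  # des-cbc-crc, des-cbc-md4, des-cbc-md5
            problems.append("DES key (enctype %d): %s" % (enctype, name))
    return problems
```

Against the real file, `check_keytab(open("/usr/local/jbossuser.http.keytab", "rb").read(), "HTTP/jbossserver.six.com@SIX.COM")` returning an empty list means the keytab matches what the host security domain expects.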
Feel free to get in touch if you need more info.