Re: Seamless/transparent SSO with Apache, Win2003, IE

2005-11-15 Thread Nikola Milutinovic

[EMAIL PROTECTED] wrote:

Fred Dennis wrote:

I'm trying to create a seamless sign on to a web site
using Solaris (Kerberos installed), Apache
(mod_auth_kerb installed), MS Active directory, and IE
client.


I was doing some Google searches the other day for a similar project
and found a commercial alternative that looks appealing. It looks like
they have an agent for Solaris 8/9/10 that sets up the Kerberos
environment for you fairly painlessly. Then there's some config work on
the server. The doc they posted here seems pretty straightforward. I
talked to one of their sales people and the appealing part was that
there are no end-user licensing fees, you just license the server-based
agent. If it works as advertised it looks like I'd burn a lot more
client fees trying to build (and test; that's eating up the time)
something homegrown than just using this. I keep running across posts
like yours with various issues and I'm beginning to think this is the
way to go. I found it here:
http://www.centrify.com/resources/apache.asp.

Setting up mod_kerb_auth should be no more problematic than that. The 
biggest problem is actually building it and testing it, but it can be 
done once. Of course, if a problem should crop up, you're on your own.


Nix.

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Kerberos and IE Single Sign-on

2005-08-03 Thread Nikola Milutinovic

Luciano Bolonheis wrote:

Hi,
I'm trying to make a Single sign-on environment... and I have all the
possible problems...
Using mod_auth_kerb with Apache in Internet Explorer, it
authenticates but asks for the password. I get a ticket with the KfW
Leash32 application, and even with a valid ticket it asks for the
password. Does someone know what I can do?

You should find out if IE is actually using the Kerberos ticket. I
recall some obscure option in IE config for that. For instance, in
Outlook Express, that option is SPA (Secure Password Authentication). If
your machine is in ADS, it will try GSS-API, otherwise it will go for NTLM.

I think IE has a similarly cryptic option name.

Nix.

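To check, as the reply above suggests, whether IE actually presents a Kerberos ticket rather than falling back to NTLM, and to make concrete the SPNEGO mechanism negotiation described in the Java web app thread further down, here is an added Python example that is not part of the list posts: it decodes the SPNEGO NegTokenInit a browser sends in its Authorization: Negotiate header and lists the mechanisms offered. The OID table, the sample token and the placeholder mechToken are constructed here.

```python
import base64

# DER contents of the OIDs that matter here (small constructed table, not a full registry).
SPNEGO_OID = bytes.fromhex("2b0601050502")                    # 1.3.6.1.5.5.2
MECH_NAMES = {
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",     # 1.2.840.48018.1.2.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",        # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",         # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(tag, value):
    """DER-encode one tag/length/value (short-form length below 128, else two length bytes)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + value

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def negotiate_mechs(header_value):
    """Mechanisms the browser offered in an 'Authorization: Negotiate <base64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):         # IE fell back to raw NTLM: no ticket involved
        return ["raw NTLM"]
    tag, body, _ = _read_tlv(token, 0)           # [APPLICATION 0] InitialContextToken
    _, this_mech, pos = _read_tlv(body, 0)       # thisMech OID must be SPNEGO
    if tag != 0x60 or this_mech != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial token")
    _, neg_init, _ = _read_tlv(body, pos)        # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init, 0)           # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    _, mech_types, _ = _read_tlv(seq, 0)
    _, mech_seq, _ = _read_tlv(mech_types, 0)    # SEQUENCE OF OID, in the browser's preference order
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = _read_tlv(mech_seq, pos)
        mechs.append(MECH_NAMES.get(oid, "unknown OID " + oid.hex()))
    return mechs

def build_sample_header(mech_oids):
    """Constructed NegTokenInit carrying the given mechTypes and a placeholder mechToken."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, b"<placeholder AP-REQ>")))
    token = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()
```

Running negotiate_mechs(build_sample_header(list(MECH_NAMES))) shows the typical IE ordering with Kerberos first; a result of ['raw NTLM'], or a list with no Kerberos entry, means the browser never presented a ticket, which is the symptom Luciano describes.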


Re: Active Directory -- Java web app

2005-08-01 Thread Nikola Milutinovic

Richard Gundersen wrote:

Hi

I have written a Java web application which has a basic password login
screen. This works fine, but I would now like to allow users into my
system if they have previously authenticated against Active Directory.
I.e. if they can provide a valid Kerberos ticket, I'll let them
straight through. NB I do not maintain the instance of Active
Directory; it actually belongs to another organisation.

Could anyone suggest a good way for me to do this. I guess I need to
address the following:

1) How will AD pass its ticket to my system?
2) How will I verify the ticket? (GSS-API?)
3) I know MS have done some dodgy things to their tickets
(non-standard flags). Do I need to worry about them for this reason?


First of all, what you need is that the web server knows of the authentication
method SPNEGO (Security Protocol: NEGOtiate), which is, well, sort of a
standard. It allows browser and server to use GSS-API and pass Kerberos
tickets in a real Kerberos fashion.

Tomcat knows nothing of this and I doubt any other Java Servlet/JSP
container out there knows it either. So, you're stuck with either
Apache+mod_krb_auth/mod_spnego or IIS to run as front end web servers
and pass auth info to your Java Web Application.

Note also that there are alternatives that cut in and pass Kerberos
tickets inside cookies, but they require a separate software
installation and are not a part of any standard. This doesn't mean they
are not working or not working well. Just that SPNEGO is an accepted
standard, supported by Mozilla and IE, requiring no additional install
on the clients, while those others are an add-on.


Nix.



Re: Active Directory -- Java web app

2005-08-01 Thread Nikola Milutinovic

Richard Gundersen wrote:



Oh, and just a side note: one could sit down and WRITE a SPNEGO
authenticator, just no one has done it yet.


Nix.



Re: Active Directory -- Java web app

2005-08-01 Thread Nikola Milutinovic

Richard Gundersen wrote:


Hi Nikola

Thanks for your quick and detailed reply. While it would be great if 
Tomcat could interpret SPNEGO, I don't mind setting up Apache to sit 
in front of Tomcat (in fact I was going to do this anyway for speeding 
up the static content).



Most people advocate against it or at least do not advocate for it. The
rationale being that Tomcat is fast enough these days. My rationale is
that I have yet to see a pure TC web site. With Apache you have tons of
options, although employing some of them might take the life out of you - I
have recently had the misfortune of making a TC application which was
connected to Apache via WARP (mod_webapp, if you remember), with no
option to change it.


Anyway, given enough room to work in, you can happily run other people's
PHP, make your own rewrites, etc. and keep TC in its place. The way
mod_jk (or mod_jk2) can be configured, you can do really seamless
integration. In my opinion, the trouble of connecting the two is worth it.


I have a small webapp on our public server, backed by a PostgreSQL DB, and
it has been running for more than a year now with no glitch.


How would Apache send the details to Tomcat once it's happy with the 
ticket it's received? Would it be in the form of simple request 
params? I guess so. I also guess it's time for me to RTFM on 
mod_krb_auth/mod_spnego :-)



When you connect TC to Apache via mod_jk, you can set an attribute in 
server.xml which tells TC to trust authentication information it gets 
from Apache. So, if the user manages to authenticate as, say, 
[EMAIL PROTECTED], Apache will pass that information 
to TC, via mod_jk. So, you can set in your web.xml the protection for 
certain URLs, just as you would with local TC users. It should work, 
regardless of which authentication mechanism Apache uses.


This also means you have to set up Apache properly to do the job. The
upside is that there are no n layers where authentication *can* occur, only one.


Nix.



Re: Kerberos ticket access to MS Exchange

2005-07-31 Thread Nikola Milutinovic

Rodney M Dyer wrote:

At 12:41 PM 7/29/2005, Nebergall, Christopher wrote:

Are there ANY mail client programs besides MS Outlook on any OS which
support kerberos ticket authentication to Microsoft exchange?

How about a kerberized IMAP client in general? I'm using Cyrus IMAP 2.2.10
on Tru64 UNIX and it lives in an MS ADS environment. Will both MS Outlook
Express and MS Outlook 2003/XP work as GSSAPI clients? I thought I heard
that Mulberry from Cyrusoft was also Kerberized. Of course, it is not free.


(sigh) I wish Mozilla had GSSAPI.

Nix.



Re: Kerberos Authentication via Apache

2005-01-11 Thread Nikola Milutinovic
Luis Daniel Lucio Quiroz wrote:
MOD_KRB5 or whatever you are using just auths against the krb db without ticket
support. Read documentation.

Instead of that you could use mod_auth_ntlm, it works in a single-sign-on
mode.

mod_auth_krb5 can use BOTH client (accept HTTP-Auth BASIC and run like a
kinit would) and server modes (act as a server with a keytab).

Nix.



Re: Is Kerberos a good solution for web-single signon

2004-03-13 Thread Nikola Milutinovic
Christopher Kranz wrote:

[EMAIL PROTECTED] (paul b) wrote in message news:[EMAIL PROTECTED]...

Hello,
I am currently developing a web single sign-on system and I am
thinking about using Kerberos for this purpose

[snip]

Perhaps someone can tell me if Kerberos is really a good solution for
web single sign-on (and fully transparent to end-users) or if there are
more simple possibilities like for example installing a reverse
proxy?

I was wondering the same thing. In fact I started a similar thread a
little while ago. The short answer is no, not really. And the reason
is, HTTP is a stateless protocol. You would need to generate a new
authenticator for each and every connection. Kerberos kind of assumes
that once a session is started the connection is persistent.


There are two ways to go about this. The simplest is to let Apache act
as a Kerberos client, accepting USER/PASS via the HTTP/Basic authentication
method. This is actually very bad for two reasons. Firstly, it uses the
HTTP/Basic authentication method between browser and web server. This
method is unencrypted and, without SSL (HTTPS), it will defeat one of the
basic intentions of Kerberos - encrypted authentication.

A much better way is to implement the HTTP/SPNEGO authentication method. In
that model, the browser is a Kerberos client (with the user's principal) and
Apache or IIS is a Kerberos server (with the server's principal), both
authenticating against some Kerberos KDC (MIT KDC, MS ADS, Heimdal, ...).
For this you need both server and browser to be Kerberos aware. Apache
has mod_negotiate, IIS on Win2k/2k3 should be ready, since it is on MS
ADS. Of the browsers, IE 6 should be OK, also Mozilla 1.5/1.6.

Nix.



Re: Thread-safe libraries

2004-02-24 Thread Nikola Milutinovic
Sam Hartman wrote:

Lukas == Lukas Kubin [EMAIL PROTECTED] writes:

Lukas Is there any progress in the ability of Kerberos libraries
Lukas on Linux to be used by threads-enabled applications?  I'm
Lukas still having troubles using sasl kerberos authentication to
Lukas ldap server on Linux (Debian). It always fails when
Lukas parallel connection appears.  Is there any solution for
Lukas this now?  Thank you.

I believe someone has written a patch to the SASL library to use
mutexes around GSSAPI calls.
MIT is working on thread safety for our libraries but has not released
any code yet.

Some time ago, I had the same worry. Apparently, the only thread-safe Kerberos
libraries around are from Tim Alsop's company (he replied on this list),
CyberSafe, I think.

It is also worth noting that, while Heimdal is not thread safe (at least there
are no guarantees), it has proven to be much more thread-robust than MIT. The
OpenLDAP page and a couple of users have experienced problems with MIT and a
threaded OpenLDAP server, while Heimdal performed flawlessly.

It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)

Nix.

P.S. Cyrus SASL 2.1.17 recognizes MIT, Heimdal, Cybersafe and SEAM (Sun) 
Kerberos implementations.




Re: Does kadmind work on a multi-realm KDC?

2003-09-04 Thread Nikola Milutinovic
 We've had experience supporting multi realms on a single server.  Here
 is what you want to do:
 
 1.) Start one instance of kadmind for each realm that you want to
 administrate.  Use the -r switch on the commandline to specify the
 realm that will be managed, ie:
 
 kadmind -r SOME.REALM
 
 2.) Use the following two directives in the realm stanza in the
 kdc.conf file to specify the ports that the administrative deamon
 will listen on for RPC administrative traffic and password
 changes:
 
 kadmind_port = NNN
 kpasswd_port = NNN

Is there a plan and possibility in the kadmin protocol to support multiple realms on one
port (one kadmind)? I have a situation where I would have 14 realms. Fortunately, I'll
have 10 Alpha Servers, but still, I'd need something elegant and scalable. The current
solution both in Heimdal and MIT is lacking on that.

 You will want to choose port numbers in the restricted, ie. < 1024,
 range.

That range is a bit crammed...

Nix.




MIT Kerberos: is it Thread-Safe?

2003-07-21 Thread Nikola Milutinovic
Hi all.

As the subject says, is MIT Kerberos thread-safe and if it is, which version?

OpenLDAP FAQ warns that MIT Kerberos libraries are not thread safe and that one should 
either use --no-threads when building it or build with Heimdal implementation. Now, 
I have gotten quite used to MIT Kerberos, have built several packages linked with it. 
It would be a drag to switch to Heimdal now.

Nix.




Multiple realms

2003-07-10 Thread Nikola Milutinovic
Am I reading the docs correctly?

The man page of krb5kdc states that there can be only one realm per TCP/UDP port. Am 
I reading it right?

Nix.




Re: HP-UX Secure Shell and Kerberos 5

2002-09-18 Thread Nikola Milutinovic

Marc wrote:
 Hello,
 
 I am currently making a HP-UX 11i authenticate itself to a Windows 2000 
 KDC using HP-UX Secure Shell which is the following version (output from 
 swlist):

Sorry for being slightly off the topic, but your e-mail doesn't work.

Could someone give me pointers to docs regarding Kerberos on Win2K? I know it is 
a part of Win2k, but how to configure it, how to administer it?

I have a working Krb5 on Tru64 UNIX, I'd like to make them work together.

Nix.

