Tagged with single_sign-on - Visokio Forums http://forums.visokio.com/discussions/tagged/single_sign-on/feed.rss Mon, 30 Oct 17 15:01:15 -0400 Tagged with single_sign-on - Visokio Forums en-CA Security: SPNEGO Troubleshooting http://forums.visokio.com/discussion/2571/security-spnego-troubleshooting Tue, 27 May 2014 05:05:11 -0400 Veaceslav 2571@/discussions Mobile Web Server Authentication

SPNEGO Troubleshooting


  • Error Java Cryptography Extension (JCE) Unlimited Strength is not enabled.
    LDAP/Active Directory (AD) server may send tickets that have been encrypted using AES 256 bits (or larger) which is not enabled in Java (JRE) by default and therefore SPNEGO authentication may fail

    Java Cryptography Extension (JCE) Unlimited Strength includes two jar files that contain only configuration settings enabling unlimited strength cryptography algorithms in Java.

    To enable JCE unlimited strength download it from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

    The downloaded file contains three files

    • local_policy.jar
    • US_export_policy.jar
    • README.txt

    Read and follow the instructions outlined in the README.txt file.

    To install JCE unlimited strength, the client needs to put these two jars in
    - {OMNISCOPE LOCATION}\x86\lib\security
    - {OMNISCOPE LOCATION}\x64\lib\security
    while creating a backup for the existing (default) two files and restart the application

]]> Security: Single-Sign-On (SPNEGO) Configuration http://forums.visokio.com/discussion/2566/security-single-sign-on-spnego-configuration Fri, 23 May 2014 10:32:45 -0400 Veaceslav 2566@/discussions Mobile Web Server Authentication

Single-Sign-On (SPNEGO) Mechanism

SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/Active Directory (AD) account without asking them for credentials. Having a proper setup, authorized users never type their credentials in any dialog or form. Unauthorized users, however, are either prompted for credentials or are denied server access.
  • Users are stored and managed by an LDAP/AD server
  • Omniscope Mobile server is configured to ask the LDAP/AD server to validate user tokens

Configuration

At least three machines are involved in a Single-Sign-On setup:

  1. LDAP/AD server (e.g. computer name ldapserver)
  2. A machine running Omniscope server (e.g. computer name omniscopeserver)
  3. A client machine having a browser installed (Chrome, Firefox, Internet Explorer, etc) (e.g. computer name browserA)

Note: Single-sign-on does not work when the client (browser) runs on the same machine as Omniscope server (or LDAP/AD)

  • The machines must be on the same intranet network,
  • on the same domain (e.g. example.com),
  • DNS properly setup such that they all can nslookup each other by name (e.g. nslookup omniscopeserver finds the machine running omniscope server)

  1. LDAP/AD machine - Windows Server OS (2003, 2008, 2012, etc)
    • Create a dedicated LDAP user on the domain, e.g. omniscopeuser@example.com with password YourPassword (choose a stronger password), make sure the password never expires
    • In command prompt execute:
      setspn -A HTTP/omniscopeserver.example.com omniscopeuser


      image
      where example.com is your network domain
      omniscopeserver is the name of the machine running Omniscope server
      omniscopeuser is user logon name of the dedicated LDAP user
      HTTP/omniscopeserver.example.com has never been mapped before with other user. If it has, you need to remove it first:
      setspn -D HTTP/omniscopeserver.example.com otheruser

    • In command prompt, execute the second command (make sure to use capital letters exactly as shown in the command):
      ktpass -princ HTTP/omniscopeserver.example.com@EXAMPLE.COM -pass YourPassword -mapuser omniscopeuser@EXAMPLE.COM -out omniscopeuser.HTTP.keytab -crypto RC4-HMAC-NT -kvno 0
      • where example.com is your network domain
      • HTTP/omniscopeserver.example.com - Kerberos service principal name for SPNEGO
      • omniscopeuser - the dedicated SPNEGO user that has been created on the LDAP server
      • YourPassword - password of the dedicated SPNEGO user
      • RC4-HMAC-NT - cryptosystem to use when sending SPNEGO tickets
      • kvno - Key version number

      image

    Obviously, LDAP/AD needs to have regular users defined, users that are about to use Omniscope at least. For the purpose of this tutorial we will consider that
    there is a user clientA@example.com with password ClientPassword

  2. Omniscope server machine

    • Start Omniscope server

      image

    • On Mobile Web Server service section click Config, scroll down to Default folder configuration and click Edit

      image

    • Edit SPNEGO global settings, for principal name type:
      HTTP/omniscopeserver.example.com
      and edit the password for that LDAP account ('YourPassword')

      image

      image

    • Click OK to close editing SPNEGO global settings
    • Either create a new group with new permissions, or edit an existing group

      image

    • Add a new authentication mechanism and choose SPNEGO mechanism

      image

    • Make sure you add all user names for the users that will be allowed to authenticate automatically (e.g. clientA, no domain needs to be included in the name)

      image

      image

    • Click OK to close each dialog and click Save and apply to save the configuration
    • Omniscope server does not need to be restarted manually

  3. Client Machine - The browser has to be configured to use Single-Sign-On and trust omniscopeserver machine

    • For Internet Explorer

      • Open Internet Options

        image
      • In Security tab select Local intranet and click Sites button - make sure all check boxes are selected:
        Automatically detect intranet network,

        image
        • Include all local intranet sites not listed in other zones,
        • Include all sites that bypass the proxy server,
        • Include all network paths


        Then click Advanced button and add the name of the omniscopeserver or the full name (with domain) as it is going to be used to access the omniscope server from the browser
        Note: The browser cannot use Single-Sign-On when accessing the omniscopeserver by IP instead of name, and the name has to be added to the zone

        image

      • Click Close then OK to close the Local intranet dialogs
      • Click Custom Level... button, scroll down to User Authentication and select Automatic logon with current user name and password then click OK to close the dialog

        image

      • In the Advanced tab of the Internet Options dialog scroll down to Security section and make sure Enable Integrated Windows Authentication option is selected. (It should be selected by default)

        image

      • Click OK to close Internet Options dialog
      • Restart Internet Explorer
      • Test it: open http://omniscopeserver you should be able to use omniscope server if you have the right permissions (group permissions that you set up on Omniscope server)

    • Google Chrome
      • Google’s Chrome browser shares the same configuration with Internet Explorer. Once the trusted URL is added in Internet Explorer, Chrome works with SPNEGO. Chrome does not have a configuration mechanism.

    • Mozilla Firefox
      • In the address bar type:
        about:config

        image

        and search for trusted. The required key is a comma separated parameter named network.negotiate-auth.trusted-uris - edit it to include 'omniscopeserver' as well
        image


]]> Security: Mobile Web Server Authentication using AD & LDAP+SSO http://forums.visokio.com/discussion/2564/security-mobile-web-server-authentication-using-ad-ldap-sso Fri, 23 May 2014 06:49:45 -0400 Veaceslav 2564@/discussions Mobile Web Server Authentication

Mobile Web Server Authentication


Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and Single-Sign-On (SPNEGO) mechanism while preserving the List Of Users (Omniscope Users) existing mechanism.

A realm defines a protection space. Realms allow the protected resources on the server to be partitioned into a set of protection spaces, each with its own authentication and authorization settings.

By default, all protected resources on the server are configured in the config.xml file. This is the (Home) realm. Specific folders may be manually configured to have their own set of permissions and authentication groups. For more information about folder permissions read this post.

Server permissions may be configured for anonymous users and for authentication groups.

A group may have a list of authentication mechanisms and server permissions.

For instance, the server may be configured to have a group named 'Data Analysts' with permissions to:
- List directory
- View in mobile
- Export view data
and authenticate users through LDAP Query and List Of Users.

image

Authentication mechanisms


List Of Users

List Of Users mechanism let's you define custom Omniscope users that are stored and managed by the Omniscope Mobile server. No third party servers/services are involved. Users are manually added/edited/removed by an administrator of the server.

A user name and a password has to be added for each individual user. Read this post for more information about List Of Users mechanism configuration.

LDAP Query

LDAP Query authentication mechanism let's you configure Omniscope Mobile server to query an LDAP server to validate user credentials.

  • Users are stored and managed by an LDAP/AD server
  • Omniscope Mobile server is configured to query the LDAP/AD server

To learn how to configure Omniscope server to use LDAP Query read this post.

SPNEGO (Single-Sign-On) Mechanism

SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/AD account without asking them for credentials. Having a proper setup, authorized users never type their credentials in any dialog or form. Unauthorized users, however, are either prompted for credentials or are denied server access.

  • Users are stored and managed by an LDAP/AD server
  • LDAP/AD user password is never sent to Omniscope server
  • Omniscope Mobile server is configured to ask the LDAP/AD server to validate user tokens

How does SPNEGO work ?

The browser negotiates with the LDAP/AD server and gets a temporary ticket which is further used to generate temporary unique tokens that are included in every client/browser request sent to Omniscope Mobile server. The tokens contain no information about client user name, password, or any other sensitive data, they are simple strings that can be verified only by the LDAP/AD server. Whenever Omniscope Mobile receives requests having SPNEGO tokens, Omniscope Mobile asks the LDAP/AD for token validation and if the token is valid, LDAP/AD provides only the user name associated with that token. Omniscope server checks whether this user is authorized to be served the requested resource and proceeds accordingly.

To learn how to configure Omniscope server to use SPNEGO mechanism read this post.

Authentication Groups

A group may have multiple authentication mechanisms. Each mechanism will be used during authentication until the user authenticates successfully. If no group authorizes the action that has been requested by the user, the access will be denied.

You may want to temporarily disable groups instead of deleting them and then adding them back later when needed. Disabled groups are disregarded during authentication.

]]>