
Configuring SSO with AD and Kerberos

For SSO with Kerberos the following components need to be set up and configured in your infrastructure:

 

  • Domain name - you need a domain name to use, such as DOMAIN.COM
  • KDC address - KDC.DOMAIN.COM, the server name of the KDC server
  • Tomcat server address - TOMCAT.DOMAIN.COM, the domain name (with subdomain) of your VisionFlow server
  • Domain user that authenticates the Tomcat service - VISIONFLOWUSER/VISIONFLOWPASSWORD
  • Client domain user CLIENTUSER, i.e. the user to test the login with
  • User in VisionFlow with the correct username including domain, such as myUserId@mydomain.com

 

For general information about SSO with Kerberos, also see the KB article here or this article with the system requirements.

 

1. Test SSO and infrastructure

 

First of all, before you continue to configure SSO in VisionFlow, you should check that everything works well and is configured correctly in your AD and infrastructure.

 

To do this we have a simple Java application that checks the connection to the KDC. Follow the steps below to run the test application:

1.1) AD configuration

Make sure that the domain user VISIONFLOWUSER has the following settings in Active Directory:

  1. "Password never expires".
  2. MemberOf: Domain Users.

1.2) Tomcat server configuration

  1. Install the JDK.
  2. Add JAVA_HOME\bin to the classpath. Open cmd and execute the command
    javac -version
    to be sure Java is in the classpath.
  3. Download the files HelloKDC.jar, krb5.conf and login.config. Save the files into a directory DIR.
  4. Edit krb5.conf:
    DOMAIN.COM - your domain (DOMAIN.COM)
    kdc.domain.com - address of the KDC server (KDC.DOMAIN.COM)
  5. Execute in cmd:
    java -cp HelloKDC.jar HelloKDC VISIONFLOWUSER VISIONFLOWPASSWORD krb5.conf_location login.config_location
    VISIONFLOWUSER - the user authenticating Tomcat (VISIONFLOWUSER)
    VISIONFLOWPASSWORD - password of that user (VISIONFLOWPASSWORD)
    krb5.conf_location - location of the krb5.conf file
    login.config_location - location of the login.config file
  6. The run must finish with the message
    Connection test successful.
    If the test was not successful, take a look at the Troubleshooting HelloKDC.java page; otherwise continue with the configuration.

 

 

2. Configure VisionFlow server for SSO (in Tomcat)

 

To enable SSO, a component called SPNEGO is used. To set this up correctly, the following steps need to be performed on your servers:

2.1) AD configuration

  1. Make sure that the user CLIENTUSER is allowed to authenticate through Kerberos.
    • Find the user in AD and set: Encryption options -> other encryption options -> "This account supports Kerberos 256 bit encryption"
  2. Make sure that the user exists in the VisionFlow user database, with the correct name.
  3. Register an SPN. Execute as admin:
    setspn -A HTTP/TOMCAT.DOMAIN.COM VISIONFLOWUSER
    and do the same for all other DNS entries that point to your Tomcat server.
    You can list the SPNs registered for the user VISIONFLOWUSER with the following command:
    setspn -L VISIONFLOWUSER

2.2) Tomcat server configuration

  1. You need to install Java Cryptography Extension (JCE), you can download and install it from here:
    Download JCE http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
  2. Configure Kerberos in VisionFlow
    Copy the files krb5.properties and login.properties to TOMCAT_HOME\webapps\WEB-INF\classes, and adjust krb5.properties with your data (see Test connection -> Tomcat server configuration).
    Add/uncomment the following lines in TOMCAT_HOME\webapps\WEB-INF\classes\visionproject.properties:
    #Kerberos authentication
    kerberos.authentication.enabled=true
    spnego.allow.basic=false
    spnego.allow.localhost=false
    spnego.allow.unsecure.basic=true
    spnego.login.client.module=spnego-client
    spnego.krb5.conf=PATH_TO_krb5.properties
    spnego.login.conf=PATH_TO_login.properties
    spnego.preauth.username=VISIONFLOWUSER
    spnego.preauth.password=VISIONFLOWPASSWORD 
    spnego.login.server.module=spnego-server
    spnego.prompt.ntlm=false
    spnego.allow.delegation=true
    spnego.logger.level=1
    Then restart Tomcat.
  3. Configuring the client
    The client must be configured to use Kerberos authentication. For Internet Explorer this means that you have to make sure that the Tomcat instance is in the “Local intranet” security domain and that it is configured (Tools > Internet Options > Advanced) with integrated Windows authentication enabled. Note that this will not work if you use the same machine for the client and the Tomcat instance as Internet Explorer will use the unsupported NTLM protocol.

 

3. Configuring keytab

 

If you don't want to store VISIONFLOWUSER/VISIONFLOWPASSWORD in the visionproject.properties file (for security reasons), it is possible to create a keytab file so that Tomcat authenticates automatically.

 

The keytab file must be generated on the AD server; execute the following command as Administrator:


ktpass /out PATH_TO_KEYTAB /mapuser VISIONFLOWUSER@DOMAIN.COM /pass VISIONFLOWPASSWORD  /princ HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL 

 

These values need to be adjusted according to your settings:

  • PATH_TO_KEYTAB - path where the keytab file will be saved, for example C:\temp.vp.keytab
  • VISIONFLOWUSER@DOMAIN.COM : VISIONFLOWUSER - user that authenticates Tomcat, DOMAIN.COM - domain name (in upper case)
  • VISIONFLOWPASSWORD - password of the user VISIONFLOWUSER
  • HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM : TOMCAT.DOMAIN.COM - Tomcat server domain name, DOMAIN.COM - domain name (in upper case)
  • AES256-SHA1 - specifies the encryption type; it must be the same as default_tkt_enctypes and default_tgs_enctypes in krb5.conf (you can use /crypto all to support all algorithms)
  • KRB5_NT_PRINCIPAL - specifies the principal type; it usually does not need to be changed

 

You can read more about ktpass here.

 

When vp.keytab has been created, move it to the Tomcat server and then change krb5.properties:

[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:PATH_TO_KEYTAB_FILE
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4_hmac_nt aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4_hmac_nt aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
forwardable=true

 

[realms]
DOMAIN.COM = {
kdc = KDC.DOMAIN.COM 
default_domain = DOMAIN.COM 
}

 

[domain_realm]
.DOMAIN.COM = DOMAIN.COM

 

PATH_TO_KEYTAB_FILE must be full path to the created keytab file, and also you need to edit login.properties:

 

spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
principal="HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM"
keyTab="PATH_TO_KEYTAB_FILE";
};

 

HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM is the same value that was specified in the ktpass command for the parameter /princ. PATH_TO_KEYTAB_FILE must be the full path to the created keytab file.

 

Then you can clear the following settings in the visionproject.properties file:
spnego.preauth.username=
spnego.preauth.password=

 

Then you need to restart Tomcat to apply the changes.
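A consistency check for the keytab setup, added here as an example (it is not part of VisionFlow or of this article): it parses the ktpass command, login.properties, krb5.properties and visionproject.properties and reports the mismatches this section warns about, namely a JAAS principal that differs from /princ, a keyTab that differs from default_keytab_name, a /crypto type missing from the enctype lists, and preauth credentials left in visionproject.properties after switching to the keytab. The sample inputs below are constructed with the article's placeholder names; the keytab path C:\keytabs\vp.keytab is an assumption.

```python
import re
# Constructed sample inputs using the article's placeholder names (not real files).
KTPASS_CMD = ("ktpass /out C:\\keytabs\\vp.keytab /mapuser VISIONFLOWUSER@DOMAIN.COM /pass VISIONFLOWPASSWORD "
              "/princ HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL")
LOGIN_PROPERTIES = """spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
principal="HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM"
keyTab="C:\\keytabs\\vp.keytab";
};"""
KRB5_PROPERTIES = """[libdefaults]
default_keytab_name = FILE:C:\\keytabs\\vp.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac"""
VISIONPROJECT_PROPERTIES = """spnego.preauth.username=VISIONFLOWUSER
spnego.preauth.password=VISIONFLOWPASSWORD
spnego.login.server.module=spnego-server"""
# ktpass /crypto names mapped to the krb5.conf spellings of the same enctype
CRYPTO_ENCTYPES = {"AES256-SHA1": {"aes256-cts-hmac-sha1-96", "aes256-cts"},
                   "AES128-SHA1": {"aes128-cts-hmac-sha1-96", "aes128-cts"}}

def parse_kv(text):
    """Collect 'key=value' pairs from properties/krb5/JAAS text; quotes and a trailing ';' are stripped."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith(("[", "#")))
    return {k.strip(): v.strip().rstrip(";").strip('"') for k, v in pairs}
def ktpass_args(cmd):
    """Map each ktpass /switch to its value, e.g. {'princ': 'HTTP/TOMCAT.DOMAIN.COM@DOMAIN.COM'}."""
    return dict(re.findall(r"/(\w+)\s+(\S+)", cmd))
def jaas_entry(text, name):
    """Return the options of one JAAS entry, e.g. the 'spnego-server { ... };' block."""
    m = re.search(re.escape(name) + r"\s*\{(.*?)\};", text, re.S)
    return parse_kv(m.group(1)) if m else {}

def check_keytab_setup(ktpass_cmd, login_props, krb5_props, vp_props):
    """Return a list of mismatches; an empty list means the four inputs agree."""
    kt, krb5, vp = ktpass_args(ktpass_cmd), parse_kv(krb5_props), parse_kv(vp_props)
    srv = jaas_entry(login_props, vp.get("spnego.login.server.module", "spnego-server"))
    findings = []
    if srv.get("principal") != kt.get("princ"):
        findings.append("JAAS principal differs from ktpass /princ")
    if srv.get("keyTab") != krb5.get("default_keytab_name", "").removeprefix("FILE:"):
        findings.append("keyTab differs from default_keytab_name in krb5.properties")
    crypto, names = kt.get("crypto", ""), CRYPTO_ENCTYPES.get(kt.get("crypto", "").upper(), set())
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):  # /crypto all matches everything
        if crypto.lower() != "all" and not names & set(krb5.get(key, "").split()):
            findings.append(f"/crypto {crypto} is not listed in {key}")
    if vp.get("spnego.preauth.password"):
        findings.append("spnego.preauth.password still set: clear it once the keytab is in use")
    return findings
```

On the constructed inputs the only finding is the password still present in visionproject.properties, which is exactly the value this section tells you to clear.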

 

 

http://spnego.sourceforge.net/spnego_tomcat.html

https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/

  

 

Common problems and questions

 

If you have problems logging in with your user (CLIENTUSER), check the following things:

 

  • Make sure your VisionFlow server is running on port 80, not 8080. 
  • Are you using Internet Explorer as web browser?
  • Are you trying to log into VisionFlow on the same machine as the VisionFlow server is running?
    • This will not work, please try to log into the system from another PC in the same domain. 
  • Is integrated authentication enabled in Internet Explorer?
  • Does IE use the expected SPN?
  • Does the URL used resolve to a security zone for which credentials can be sent?
  • Does the user you are trying to log in with exist in VisionFlow?
    • All users need to exist in the user database.
    • Normally users are automatically imported regularly via the LDAP/AD importer.
  • Make sure you use a domain name to access your VisionFlow server. Kerberos does not work well with IP (it requires additional configuration)!
  • Are your client and VisionFlow server in the same domain?
