Added by Gianluca Brigandi, last edited by Sebastian Gonzalez Oyuela on Sep 23, 2010

Prerequisites

  • Active Directory up and running on Microsoft Windows Server 2003
  • Deployed JOSSO Gateway with default setup
  • Deployed JOSSO Samples

Active Directory setup

Update the security policy to allow NTLM authentication

On the Windows Server 2003 domain controller go to Control Panel -> Administrative Tools -> Domain Controller Security Policy (or Domain Security Policy) -> Security Settings -> Local Policies -> Security Options -> "Network security: LAN Manager authentication level" and select "Send LM & NTLM responses".

Be aware that this is the weakest of the available settings: at this level the domain controller itself sends LM and NTLMv1 responses and accepts them from clients, and both are far easier to crack or relay than NTLMv2. It is needed here because the jCIFS-based NTLM handler is run at LM compatibility level 0 (see VM Settings below), and it affects every client that authenticates to the domain, not only the JOSSO gateway.

Supported levels
  • Send LM & NTLM responses
  • Send LM & NTLM - use NTLMv2 session security if negotiated
  • Send NTLM response only
  • Send NTLMv2 response only
IIS settings

If NTLM is to be used as the authentication mechanism for a Windows-based JOSSO-enabled application (e.g. ASP.NET), the "Integrated Windows Authentication" option must be enabled for the site in IIS.
In addition, depending on the specific setup, the protected URL may have to be placed in the browser's trusted (intranet) zone, since browsers only send Windows credentials automatically to sites they consider part of the local intranet.

Test account and group configuration

Create a domain named my-domain and a user with administrative privileges named Administrator with password secret.

Then create a group named role1 and add to it a user named user1 with password user1pwd. Make sure that the directory entry for this user uses the inetOrgPerson object class. These passwords are placeholders for the walkthrough; use strong ones on anything but a throwaway test domain.

JOSSO Gateway setup

Enable retrieving user and entitlement information from Active Directory

The main issue with Active Directory is that it never returns a user's password attribute, so JOSSO cannot compare the supplied credentials against a stored value during the authentication process. To overcome this limitation, JOSSO comes with two components that authenticate a user by performing an LDAP bind against the configured persistence mechanism using the credentials supplied by that user. If the bind succeeds, the user is considered authenticated.

Therefore, the gateway credential store to use for authenticating users against Active Directory is the Ldap Bind Store.

To configure it, locate and edit the josso-gateway-ldap-stores.xml file, comment out the default LDAP Identity Store configuration and add the following block:

<ldap-istore:ldap-bind-store
        id="josso-identity-store"
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        providerUrl="ldap://127.0.0.1:389"
        securityPrincipal="CN=Administrator,CN=Users,dc=my-domain"
        securityCredential="secret"
        securityAuthentication="simple"
        ldapSearchScope="SUBTREE"
        usersCtxDN="CN=Users,dc=my-domain"
        principalUidAttributeID="sAMAccountName"
        uidAttributeID="member"
        rolesCtxDN="CN=Users,dc=my-domain"
        roleAttributeID="sAMAccountName"
        updateableCredentialAttribute="userPassword"
        userPropertiesQueryString="mail=mail,cn=description"
        />

Then set the providerUrl attribute to the hostname or IP address of the AD instance. Prefer an ldaps:// URL (port 636) where the domain controller has a certificate: over a plain ldap:// URL the service account's password and every authenticating user's password are sent to the domain controller in clear text during the simple bind.
Set the securityPrincipal and securityCredential attributes to the DN and password of the account JOSSO uses to search the directory. For authentication this account only needs read access to the user and group entries (write access is needed only if JOSSO is to update the attribute named in updateableCredentialAttribute), so use a dedicated low-privileged service account rather than the domain Administrator, and restrict file permissions on the descriptor, since the password is stored in it in clear text.
Make sure to set the specific AD domain name in the usersCtxDN and rolesCtxDN attributes.

Do not change the id of this entry.

Finally, enable the AD store configuration by adding the following directive to the josso-gateway-config.xml file:

<s:import resource="josso-gateway-ldap-stores.xml" />

Make sure to import only one identity store descriptor per security domain.
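The bind-based scheme described above has two checks that must happen before the bind is attempted, and getting either wrong turns the store into an authentication bypass. The following is an added example in Python, not JOSSO code: it models what an LDAP bind store does (look the user up by sAMAccountName with the service account, then bind as the user's DN with the user's own password), rejects empty passwords (Active Directory, like many LDAP servers, treats a simple bind with a DN and an empty password as an anonymous bind that succeeds), and escapes the user name before embedding it in the search filter. The base DN matches this walkthrough; the directory used for the offline demo is a constructed stand-in, and the ldap3-based binder is assumed to be what you would plug in against a real domain controller.

```python
"""Bind-based authentication in the style of JOSSO's Ldap Bind Store.

Added example (not JOSSO code). The directory never reveals the user's
password, so the caller's own credentials are used for an LDAP simple
bind: a successful bind means the password was correct. The two checks
a bind store must do *before* binding are shown explicitly.
"""
from typing import Callable, Optional

# Assumed base DN; the walkthrough's domain is "my-domain".
USERS_CTX_DN = "CN=Users,dc=my-domain"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    Without this, a "user name" such as  user1)(objectClass=*  rewrites
    the filter and can match an unintended entry.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(sam_account_name: str) -> str:
    """Filter equivalent to principalUidAttributeID="sAMAccountName"."""
    return "(sAMAccountName=%s)" % escape_filter_value(sam_account_name)


def bind_authenticate(sam_account_name: str, password: str,
                      lookup_dn: Callable[[str], Optional[str]],
                      bind: Callable[[str, str], bool]) -> bool:
    """Authenticate by binding as the user.

    lookup_dn(ldap_filter) -> DN of the matching entry or None (done with
    the service account); bind(dn, password) -> True if the bind succeeded.
    """
    # 1. Never bind with an empty password. AD (see RFC 4513 s5.1.2) treats
    #    a simple bind with a DN and an empty password as an *anonymous*
    #    bind that succeeds, so without this check any known user name
    #    logs in with a blank password.
    if not password:
        return False
    # 2. Look the user up with an escaped filter, then bind as that DN.
    dn = lookup_dn(user_search_filter(sam_account_name))
    if dn is None:
        return False
    return bind(dn, password)


def ldap3_bind(provider_url: str) -> Callable[[str, str], bool]:
    """Real binder built on the ldap3 package (imported lazily so this
    module runs without it). Returns a bind(dn, password) callable."""
    def _bind(dn: str, password: str) -> bool:
        from ldap3 import Server, Connection, SIMPLE
        from ldap3.core.exceptions import LDAPBindError
        try:
            conn = Connection(Server(provider_url), user=dn, password=password,
                              authentication=SIMPLE, auto_bind=True)
        except LDAPBindError:
            return False
        conn.unbind()
        return True
    return _bind


# --- Constructed stand-in for the directory, used for the offline demo ---
FAKE_DIRECTORY = {"CN=user1,%s" % USERS_CTX_DN: "user1pwd"}


def fake_lookup_dn(ldap_filter: str) -> Optional[str]:
    # Only understands the exact filter the store would issue for user1.
    if ldap_filter == "(sAMAccountName=user1)":
        return "CN=user1,%s" % USERS_CTX_DN
    return None


def fake_bind(dn: str, password: str) -> bool:
    # Mimics AD: an empty password is an anonymous bind, which "succeeds".
    if password == "":
        return True
    return FAKE_DIRECTORY.get(dn) == password


if __name__ == "__main__":
    for user, pw in [("user1", "user1pwd"), ("user1", "wrong"), ("user1", ""),
                     ("user1)(objectClass=*", "x")]:
        ok = bind_authenticate(user, pw, fake_lookup_dn, fake_bind)
        print("%-24r %-12r -> %s" % (user, pw, ok))
```

The binder is injected so the same decision logic can be exercised offline against the stand-in and online against a domain controller; with the real binder, a blank password would reach the bind step and be accepted, which is exactly what the first check prevents.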

Enabling Windows Authentication against Active Directory

Add the following authentication scheme declaration to the josso-gateway-auth.xml file. Make sure to remove any other authentication scheme setup such as the basic authentication one.

<ntlm-authscheme:ntlm-auth-scheme id="josso-ntlm-authentication">

        <credentialStore>
            <s:ref bean="josso-identity-store"/>
        </credentialStore>

        <credentialStoreKeyAdapter>
            <s:ref bean="josso-simple-key-adapter"/>
        </credentialStoreKeyAdapter>
</ntlm-authscheme:ntlm-auth-scheme>

In order to make JOSSO authenticate users using NTLM, include a reference to the previously declared authentication scheme from the authenticator declaration:

<def-auth:authenticator id="josso-authenticator">
        <schemes>
			...
            <s:ref bean="josso-ntlm-authentication"/>
        </schemes>
</def-auth:authenticator>

NTLM Protocol support

Add the following declaration to the josso-gateway-protocol.xml descriptor. Use a valid AD user and password for the preAuthUsername and preAuthPassword attributes: the handler uses this account to connect to the domain controller named in domainController when validating the browser's NTLM responses. Any ordinary domain account will do, so do not use a privileged one, and note that its password is stored in clear text in this file. Leave enableBasic and insecureBasic set to false unless non-NTLM clients must be supported; with insecureBasic="true" the handler would accept Basic credentials over plain HTTP.

<ntlm:ntlm-protocol-handler
      id="josso-ntlm-protocol"
      defaultDomain="my-domain"
      domainController="127.xxx.xxx.xxx"
      loadBalance="false"
      enableBasic="false"
      insecureBasic="false"
      preAuthUsername="<preAuthUser>"
      preAuthPassword="<preAuthPassword>"
      realm=""
/>

Now reference this NTLM protocol handler from the protocol manager declared in the josso-gateway-config.xml descriptor:

<default-protocol-manager id="josso-protocol-manager">
        <handlers>
            <s:ref bean="josso-ntlm-protocol"/>
        </handlers>
</default-protocol-manager>

VM Settings

You need to set the following system properties on the gateway's JVM (for example as -D options in the JAVA_OPTS of the Tomcat or JBoss startup script) to avoid NTLMv2 errors:

jcifs.smb.lmCompatibility=0
jcifs.smb.client.useExtendedSecurity=false

These are properties of jCIFS, the library underlying the NTLM handler. LM compatibility level 0 makes it work with LM and NTLMv1 responses, and disabling extended security turns off the extended (NTLMv2 session security) negotiation with the domain controller; this is why the domain policy above must be set to "Send LM & NTLM responses". The price is that the exchange between browser, gateway and domain controller relies on the weak NTLMv1 scheme, so keep the gateway on a trusted network segment.
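The four entries under "Supported levels" differ in what the browser puts in the NTLM Type 3 (AUTHENTICATE) message: LM compatibility level 0 sends LM and NTLMv1 responses, level 1 adds NTLM2 session security, level 2 sends the NTLMv1 response only, and level 3 and above send NTLMv2 responses, which is what produces the "NTLMv2 errors" the VM settings above work around. When those errors appear it helps to look at the actual Authorization header. The following is an added example, not JOSSO or jCIFS code: it decodes a Type 3 message using the MS-NLMP 2.2.1.3 layout and classifies the response scheme from the response lengths and negotiate flags. The sample messages are constructed inline (the build_type3 helper is part of this example) with dummy response bytes and the domain and user names of this walkthrough.

```python
"""Inspect an NTLMSSP AUTHENTICATE_MESSAGE (Type 3) carried in an HTTP
"Authorization: NTLM <base64>" header and report which response scheme
the browser used. Added example, not JOSSO or jCIFS code; offsets per
MS-NLMP 2.2.1.3 (Version and MIC fields, when present, follow offset 64).
"""
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def _field(buf: bytes, off: int) -> bytes:
    """Read a (Len, MaxLen, Offset) descriptor and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("field at %d points outside the message" % off)
    return buf[offset:offset + length]


def classify(lm: bytes, nt: bytes, flags: int) -> str:
    """Map the LM/NT response shapes to the scheme the client used."""
    ext = bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
    if len(nt) > 24:            # 16-byte HMAC-MD5 + NTLMv2 client blob
        return "NTLMv2"
    if len(nt) == 24:           # single DES-based 24-byte response
        # NTLM2 session security keeps the 24-byte NT response but puts an
        # 8-byte client nonce padded with zeros in the LM field.
        if ext and len(lm) == 24 and lm[8:] == b"\x00" * 16:
            return "NTLMv1 with NTLM2 session security"
        return "NTLMv1"
    if len(nt) == 0 and len(lm) == 24:
        return "LM only"
    return "anonymous"


def parse_type3(header_value: str) -> dict:
    """header_value is the text after 'Authorization: ', e.g. 'NTLM TlRM...'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    if len(msg) < 64:
        raise ValueError("truncated Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    lm, nt = _field(msg, 12), _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "lm_response_len": len(lm),
        "nt_response_len": len(nt),
        "extended_session_security": bool(
            flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "scheme": classify(lm, nt, flags),
    }


def build_type3(domain: str, user: str, host: str,
                lm_resp: bytes, nt_resp: bytes, flags: int) -> str:
    """Build a minimal Type 3 (no Version/MIC) and return the header value.
    Used here only to construct sample inputs; the response bytes are dummies."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
             host.encode(enc), b""]            # b"" = no session key
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    offset = 64                                # payload starts after flags
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    header += struct.pack("<I", flags)
    return "NTLM " + base64.b64encode(header + b"".join(items)).decode("ascii")


if __name__ == "__main__":
    # Constructed samples: what a level-0 client and a level-3 client send.
    v1 = build_type3("MY-DOMAIN", "user1", "WS1", bytes(24), bytes(range(24)),
                     NTLMSSP_NEGOTIATE_UNICODE)
    v2 = build_type3("MY-DOMAIN", "user1", "WS1", bytes(24),
                     b"\x11" * 16 + b"\x01\x01" + bytes(30),
                     NTLMSSP_NEGOTIATE_UNICODE)
    for hdr in (v1, v2):
        print(parse_type3(hdr))
```

Pointing this at the headers captured in front of the gateway tells you immediately whether a failing client is sending NTLMv2 responses (a workstation at level 3 or higher) or whether the problem lies elsewhere; a 24-byte NT response with the extended-session-security flag set is what level 1 produces.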

Testing Windows Authentication

Log in to a Windows workstation joined to the Active Directory domain using the previously created account (i.e. user1).
Open an Internet Explorer instance and access a JOSSO-protected resource URL.
You should be granted access to the protected resource transparently, without being prompted for a username and password. If a prompt appears instead, check that the URL is in the browser's intranet zone and that the workstation's LAN Manager authentication level is one of the supported levels listed above.