- Active Directory up and running under Microsoft Windows 2003
- Deployed JOSSO Gateway with default setup
- Deployed JOSSO Samples
On a Windows Server 2003 machine go to Control Panel -> Administrative Tools -> Domain (Controller) Security Policy -> Security Settings -> Local Policies -> Security Options -> "Network Access: LAN Manager Authentication Level" and select the "Send LM & NTLM responses" option. This is the least secure of the available levels, since it allows LM responses on the wire, so restrict it to the test setup described here.
If NTLM is to be used as the authentication mechanism for a Windows-based JOSSO-enabled application (e.g. ASP.NET), the "Integrated Windows Authentication" option must be enabled on the web server.
In addition, depending on the specific server setup, the protected URL may need to be added to the browser's trusted sites so that the credentials are sent without a prompt.
Create a domain named my-domain and a user with administrative privileges named Administrator with the password secret.
Then create a group named role1 and add to it a user named user1 with the password user1pwd. Make sure that the directory entry for this user implements the InetOrgPerson object class.
The main issue with Active Directory is that it does not allow the user's password value to be retrieved, so JOSSO cannot itself verify the supplied credentials during authentication. To overcome this limitation, JOSSO provides two components that authenticate users by performing an LDAP bind against the configured persistence mechanism with the credentials supplied by the authenticating user; if the bind succeeds, the user is considered authenticated.
The gateway credential store to use for authenticating users against Active Directory is therefore the Ldap Bind Store.
To configure it, locate and edit the josso-gateway-ldap-stores.xml file, comment out the default LDAP Identity Store configuration and add the following block:
Then set the providerUrl attribute to the hostname or IP address of the AD instance.
Set the securityPrincipal and securityCredential attributes to the DN of the Active Directory administrator user and its password respectively.
Make sure to set the specific AD domain name in the usersCtxDN and rolesCtxDN attributes.
Do not change the id of this entry.
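The bind-based authentication flow behind the Ldap Bind Store and the attributes just listed, as an added example that is not JOSSO's own code: the directory is an in-memory stand-in constructed from the page's domain, users and group (JOSSO itself binds to the real AD over JNDI), the container layout CN=Users,DC=my-domain and the attribute names sAMAccountName, cn and member are assumptions, and the checks for an empty password and for the InetOrgPerson object class are ones added here.

```python
# Added example, not JOSSO's own code: a runnable model of the bind-based
# credential store. JOSSO's Ldap Bind Store talks to a real directory through
# JNDI; here FakeDirectory plays the AD instance so the flow runs offline.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, object]   # single values as str, multi-valued as list


class FakeDirectory:
    """Constructed stand-in for an AD instance. Passwords are kept here only so
    that bind() can be simulated; a real AD never returns them, which is exactly
    why a bind-based store is needed."""

    def __init__(self, entries: List[Entry], passwords: Dict[str, str]):
        self.entries = {e.dn.lower(): e for e in entries}
        self.passwords = {dn.lower(): pw for dn, pw in passwords.items()}

    def bind(self, dn: str, password: Optional[str]) -> bool:
        # Models the LDAP "unauthenticated bind" (RFC 4513 section 5.1.2): a DN
        # with an empty password is accepted as an anonymous bind and does NOT
        # fail. A store that equates "bind succeeded" with "password correct"
        # must therefore reject empty passwords before calling bind.
        if not password:
            return True
        return self.passwords.get(dn.lower()) == password

    def search(self, base_dn: str, attr: str, value: str) -> List[Entry]:
        """Subtree search below base_dn for entries whose attr contains value."""
        suffix = "," + base_dn.lower()
        hits = []
        for entry in self.entries.values():
            if not entry.dn.lower().endswith(suffix):
                continue
            vals = entry.attrs.get(attr, [])
            vals = [vals] if isinstance(vals, str) else vals
            if any(str(v).lower() == value.lower() for v in vals):
                hits.append(entry)
        return hits


class LdapBindStore:
    """Model of the store configured with securityPrincipal, securityCredential,
    usersCtxDN and rolesCtxDN. Attribute names are assumed AD conventions."""

    def __init__(self, directory, security_principal, security_credential,
                 users_ctx_dn, roles_ctx_dn, uid_attr="sAMAccountName",
                 role_attr="cn", member_attr="member",
                 required_object_class="inetOrgPerson"):
        self.directory = directory
        self.security_principal = security_principal
        self.security_credential = security_credential
        self.users_ctx_dn = users_ctx_dn
        self.roles_ctx_dn = roles_ctx_dn
        self.uid_attr, self.role_attr, self.member_attr = uid_attr, role_attr, member_attr
        self.required_object_class = required_object_class

    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        """Return the user's role names on success, None on failure."""
        if not password:
            return None     # would otherwise pass as an anonymous bind
        # 1. administrative bind, needed to search the users context
        if not self.directory.bind(self.security_principal, self.security_credential):
            raise RuntimeError("administrative bind failed: check securityPrincipal/securityCredential")
        # 2. locate the user's entry under usersCtxDN
        hits = self.directory.search(self.users_ctx_dn, self.uid_attr, username)
        if len(hits) != 1:
            return None     # unknown or ambiguous login name
        user = hits[0]
        # the page requires the entry to implement InetOrgPerson; enforce it here
        classes = [str(c).lower() for c in user.attrs.get("objectClass", [])]
        if self.required_object_class.lower() not in classes:
            return None
        # 3. bind as the user with the supplied password: the actual check
        if not self.directory.bind(user.dn, password):
            return None
        # 4. roles are the groups under rolesCtxDN that list the user DN as member
        groups = self.directory.search(self.roles_ctx_dn, self.member_attr, user.dn)
        return sorted(str(g.attrs[self.role_attr]) for g in groups)


def build_sample_store() -> LdapBindStore:
    """Directory content constructed from the page: domain my-domain, the
    Administrator/secret account, group role1 containing user1/user1pwd."""
    users_ctx = "CN=Users,DC=my-domain"          # assumed container layout
    admin_dn = "CN=Administrator," + users_ctx
    user1_dn = "CN=user1," + users_ctx
    directory = FakeDirectory(
        entries=[
            Entry(admin_dn, {"sAMAccountName": "Administrator",
                             "objectClass": ["top", "person", "user"]}),
            Entry(user1_dn, {"sAMAccountName": "user1",
                             "objectClass": ["top", "person", "inetOrgPerson", "user"]}),
            Entry("CN=role1," + users_ctx, {"cn": "role1",
                                            "objectClass": ["top", "group"],
                                            "member": [user1_dn]}),
        ],
        passwords={admin_dn: "secret", user1_dn: "user1pwd"},
    )
    return LdapBindStore(directory, admin_dn, "secret", users_ctx, users_ctx)


if __name__ == "__main__":
    store = build_sample_store()
    print(store.authenticate("user1", "user1pwd"))   # ['role1']
    print(store.authenticate("user1", ""))           # None
```

The explicit empty-password check matters in practice: a directory that accepts a DN with a blank password as an anonymous bind would otherwise let a store that only looks at bind success authenticate any known user with an empty password. The object class check mirrors the InetOrgPerson requirement stated above, so the Administrator entry in the sample, which lacks that class, is refused even with the right password.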
Finally, enable the AD store configuration by adding the following directive to the josso-gateway-config.xml file:
Import only one identity store descriptor per security domain.
Add the following authentication scheme declaration to the josso-gateway-auth.xml file. Make sure to remove any other authentication scheme setup such as the basic authentication one.
To make JOSSO authenticate users using NTLM, reference the previously declared authentication scheme from the authenticator declaration:
Add the following declaration to the josso-gateway-protocol.xml descriptor, using a valid AD user and password for the preAuthUsername and preAuthPassword attributes:
This ntlm protocol handler component must then be referenced from the protocol manager declared in the josso-gateway-config.xml descriptor:
Set the following system properties on the Gateway's JVM to avoid NTLMv2 errors:
Log in to a Windows workstation joined to the Active Directory domain using the previously created account (i.e. user1).
Open an Internet Explorer instance and access a JOSSO-protected resource URL.
You should be granted access to the protected resource transparently, without any prompt for a username and password.