TAM STE Series 2008 © 2008 IBM Corporation. WebSEAL SSO, Session 1 (08/2008). Presented by: Andrew Quap.

Presentation transcript:


Slide 2: Itinerary for WebSEAL single sign-on (SSO)
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- Cross Domain Single Sign-on (CDSSO)
- e-community Single Sign-on (ECSSO)

Slide 3: SPNEGO
- Generic Security Service Application Program Interface (GSS-API)
  - "an application programming interface for programs to access security services" (Wikipedia)
  - Defined in RFC 2743 (GSS-API version 2); SPNEGO itself is RFC 2478, later superseded by RFC 4178
  - Describes a set of standard APIs (gss_init_sec_context, gss_accept_sec_context, and so on)
- GSS-API is mechanism-independent: any security mechanism can sit behind the same calls
  - The Kerberos v5 mechanism (RFC 1964) is the best-known GSS-API implementation

Slide 4: SPNEGO
- Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension (Wikipedia)
  - Requires an Active Directory domain controller acting as the KDC
  - SPNEGO negotiates a mechanism: on Windows that is Kerberos when the client can get a service ticket for the SPN, otherwise NTLM. Microsoft's guidance favours Kerberos over NTLM, so a Negotiate exchange that ends up in NTLM usually means a missing or wrong SPN
  - Used to provide desktop single sign-on into IIS servers
- TAM WebSEAL SPNEGO allows users to SSO into WebSEAL the same way

Slide 5: Kerberos basics
- MIT Kerberos v5
- RFC 1510 (the original Kerberos v5 specification; RFC 4120 is the current one)
  - Kerberos tickets
  - Kerberos realm
  - KDC (Key Distribution Center): the server that issues Kerberos tickets, typically listening on port 88 (UDP and TCP)
- On UNIX implementations, krb5.conf holds the Kerberos client configuration: default realm, realm-to-KDC mapping ([realms]) and DNS-domain-to-realm mapping ([domain_realm])

Slide 6: Kerberos basics
- keytab file
  - Holds a service principal's long-term key, so a service (i.e. a server) can authenticate to the Kerberos realm without anyone typing a password
  - Treat it like a password: anyone who can read the keytab can impersonate the service, so restrict its file permissions to the WebSEAL user
- kinit command
  - Authenticates a principal to a Kerberos realm and obtains a ticket-granting ticket
  - Input: user name and password, or a keytab file (kinit -k -t <keytab> <principal>)

Slide 7: SPNEGO
- SPNEGO uses the GSS-API Kerberos implementation
- WebSEAL and the Web Plug-in (WebPI) use the "HTTP Negotiate" extension defined by Microsoft
- The client web browser sends an HTTP request to WebSEAL
- WebSEAL returns an HTTP 401 (Unauthorized) status with the header "WWW-Authenticate: Negotiate"
- The client derives the Service Principal Name for the host (HTTP/<fully qualified host name>), requests a service ticket for it, and calls InitializeSecurityContext() to generate a NegTokenInit token

Slide 8: SPNEGO
- The client resends the request with the header "Authorization: Negotiate <base64 token>" (e.g. Authorization: Negotiate YIIGUQY...)
- WebSEAL base64-decodes the NegTokenInit token
- WebSEAL verifies the encryption type and authenticates the token with gss_accept_sec_context()
- The next step depends on what gss_accept_sec_context() returns: complete, continue needed, or an error
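The exchange on slides 7 and 8, as an added example that is not part of the presentation and not IBM's WebSEAL code: a small Python inspector for the value of an Authorization: Negotiate header. It base64-decodes the token, distinguishes a GSS-API InitialContextToken (DER, tag 0x60) from a raw NTLMSSP message, and for a SPNEGO NegTokenInit lists the mechanism OIDs and whether the inner mechToken is NTLM. The OIDs are the registered ones; the builder function exists only to construct sample tokens for the demonstration, and its mechToken payload is a placeholder string, not a real Kerberos AP-REQ. This is the check to run on a browser network trace (slide 16) or when diagnosing the NTLM limitation on slide 18.

```python
import base64

# Mechanism OIDs as registered in the RFCs and Microsoft documentation.
SPNEGO_OID = "1.3.6.1.5.5.2"             # RFC 2478 / RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"        # RFC 1964 Kerberos v5 mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft's Kerberos mechanism OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"   # NTLMSSP as a SPNEGO mechanism
NTLMSSP_MAGIC = b"NTLMSSP\x00"           # signature at the start of every raw NTLM message
KERBEROS_OIDS = (KRB5_OID, MS_KRB5_OID)


def _der_len(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 after that."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return _tlv(0x06, bytes(body))


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_types, mech_token):
    """Construct a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit with
    mechTypes [0] and mechToken [2]. Only used here to build sample input."""
    mech_list = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(m) for m in mech_types)))
    inner = _tlv(0xA2, _tlv(0x04, mech_token))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_list + inner))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + neg_init)


def encode_header(token):
    """Format a token the way the browser sends it on the retried request."""
    return "Negotiate " + base64.b64encode(token).decode()


def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <b64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_MAGIC):
        return {"kind": "raw-ntlm", "mechs": []}            # browser fell back to bare NTLM
    tag, body, _ = _read_tlv(token)
    if tag != 0x60:
        return {"kind": "unknown", "mechs": []}
    _, oid_body, pos = _read_tlv(body)
    mech = _decode_oid(oid_body)
    if mech in KERBEROS_OIDS:
        return {"kind": "raw-kerberos", "mechs": [mech]}    # Kerberos token without SPNEGO wrapper
    if mech != SPNEGO_OID:
        return {"kind": "unknown", "mechs": [mech]}
    ctag, cbody, _ = _read_tlv(body, pos)
    if ctag != 0xA0:
        return {"kind": "spnego-not-init", "mechs": []}     # NegTokenResp where an init was expected
    _, seq, _ = _read_tlv(cbody)
    mechs, inner_ntlm, p = [], False, 0
    while p < len(seq):
        t, c, p = _read_tlv(seq, p)
        if t == 0xA0:                                       # mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(c)
            q = 0
            while q < len(lst):
                _, oid_body, q = _read_tlv(lst, q)
                mechs.append(_decode_oid(oid_body))
        elif t == 0xA2:                                     # mechToken: OCTET STRING
            _, inner, _ = _read_tlv(c)
            inner_ntlm = inner.startswith(NTLMSSP_MAGIC)
    # RFC 4178 3.2: mechToken belongs to the first (preferred) mechanism in mechTypes.
    kerberos = bool(mechs) and mechs[0] in KERBEROS_OIDS and not inner_ntlm
    return {"kind": "spnego-kerberos" if kerberos else "spnego-ntlm",
            "mechs": mechs, "ntlm_inner": inner_ntlm}
```

In a capture, a header starting with "Negotiate YII" is a DER InitialContextToken with a long-form length (bytes 0x60 0x82), which is what a NegTokenInit carrying a Kerberos AP-REQ looks like; one starting with "Negotiate TlRM" is base64 for "NTLM", meaning the browser sent raw NTLMSSP and WebSEAL cannot process it.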

Slide 9: SPNEGO flow
- The diagram on this slide shows the Kerberos trust model: every entity shares a secret key with the trusted third party (the KDC)
  - That lets the third party authenticate any known entity
  - And encrypt data (session keys, tickets) for any known entity

Slide 10: WebSEAL SPNEGO configuration and setup
- The AD server is typically configured as the TAM user registry
  - A separate LDAP server can be used instead, but the AD and LDAP user populations must be kept synchronized, since the Kerberos principal name has to map to a registry user
- The WebSEAL administration guide, v6, covers SPNEGO in detail

Slide 11: WebSEAL SPNEGO configuration and setup
- WebSEAL installed on Windows
  - The ktpass command maps Service Principal Names (SPNs) to the WebSEAL account in AD
  - Configure the WebSEAL service to run, and therefore authenticate, as the account that owns the new SPN
  - The WebSEAL server must be joined to the AD domain as a client

Slide 12: WebSEAL SPNEGO configuration and setup
- WebSEAL installed on UNIX
  - Requires a keytab file generated with the ktpass command (on a Windows host) and copied to the WebSEAL machine over a protected channel
  - Modify the WebSEAL configuration file to include the principal name and the keytab file
  - Set up the Kerberos client (krb5.conf) on the WebSEAL machine

Slide 13: WebSEAL SPNEGO configuration and setup
- Supports a load-balanced WebSEAL setup
  - The WebSEAL admin guide details the steps for the basic setup; case matters in the principal name
  - Forward and reverse DNS lookups for the load-balanced host name must match on the WebSEAL machine, because the browser builds the SPN from the name it resolved
  - WebSEAL on Windows: the server instances must all run under the same ID
  - WebSEAL on UNIX: the servers must all share the same keytab (the SPN for the load-balanced name, with one key)

Slide 14: WebSEAL SPNEGO problem determination
- Invoke 'bst' trace or per-process trace
- Determine whether it is a Kerberos error
  - Review the Kerberos client config in krb5.conf
- UNIX
  - Ensure the keytab file is valid: test it with kinit -k -t <keytab> <principal>
- Windows
  - Ensure the WebSEAL service authenticates as the user account used with the ktpass command
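Checking the keytab itself (slides 6, 12, 13 and 14), as an added example that is not from the presentation or from IBM: a Python parser for the MIT version-2 keytab format that lists each principal with its kvno and encryption type, plus a check that the SPN configured for WebSEAL is present with exactly the right case. The builder only constructs a sample keytab for the demonstration (the key bytes are zeros, not real keys); on a real system the file comes from ktpass. It complements the kinit -k -t test: kinit tells you whether the key works against the KDC, this tells you what is in the file when kinit fails.

```python
import struct

# Encryption type numbers from the Kerberos registry (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",            # what ktpass /crypto RC4-HMAC-NT writes
}
KEYTAB_MAGIC = b"\x05\x02"         # MIT keytab file format version 2, big-endian


def _cstr(s):
    """counted_octet_string: uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _read_cstr(buf, pos):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries):
    """Write a v2 keytab from (principal, kvno, enctype, key, timestamp) tuples.
    Used here to construct sample input; normally ktpass or kadmin writes the file."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = bytearray(struct.pack(">H", len(comps))) + _cstr(realm)   # v2: realm is not counted
        for comp in comps:
            rec += _cstr(comp)
        rec += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, time, vno8
        rec += struct.pack(">HH", enctype, len(key)) + key      # keyblock
        rec += struct.pack(">I", kvno)                          # optional 32-bit kvno extension
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def parse_keytab(data):
    """Parse a v2 keytab into a list of dicts. A negative record size marks a deleted slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", rec[:2])
        realm, p = _read_cstr(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_cstr(rec, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack(">IIB", rec[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", rec[p:p + 4])
        p += 4
        key, p = rec[p:p + klen], p + klen
        kvno = struct.unpack(">I", rec[p:p + 4])[0] if p + 4 <= len(rec) else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "timestamp": timestamp})
    return entries


def check_spn(entries, spn):
    """Report whether the configured SPN is in the keytab; flag entries that differ only by case,
    which Kerberos treats as a different principal (slide 13: case matters)."""
    exact = [e for e in entries if e["principal"] == spn]
    folded = [e for e in entries if e["principal"].lower() == spn.lower()]
    return {"found": bool(exact),
            "case_mismatch": not exact and bool(folded),
            "kvnos": sorted({e["kvno"] for e in exact}),
            "enctypes": sorted({e["enctype"] for e in exact})}


if __name__ == "__main__":
    # Constructed sample: the SPN a WebSEAL instance would use plus an unrelated host key.
    sample = build_keytab([
        ("HTTP/webseal.example.com@EXAMPLE.COM", 3, 23, bytes(16), 1200000000),
        ("host/other.example.com@EXAMPLE.COM", 1, 18, bytes(32), 1200000000),
    ])
    for entry in parse_keytab(sample):
        print(entry)
    print(check_spn(parse_keytab(sample), "http/webseal.example.com@EXAMPLE.COM"))
```

A keytab whose kvno is lower than the account's current one in AD (the password was reset after ktpass ran) will parse fine here but fail in kinit with a "key version number" error; compare the kvno shown against the msDS-KeyVersionNumber attribute of the account.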

Slide 15: WebSEAL SPNEGO typical issues
- TAM 6.0 provides a SPNEGO problem determination guide
- WebSEAL will not start
  - Invoke per-process tracing and look for a Kerberos error
  - Example error (not reproduced in the transcript)

Slide 16: WebSEAL SPNEGO typical issues
- WebSEAL starts but user SSO fails
  - Invoke 'bst' tracing
  - Take a network trace from the end user's browser and look at the AD server's response: was a service ticket issued for HTTP/<webseal host name>?
  - Check krb5.conf: make sure the AD domain is defined or is the default realm; if the WebSEAL machine's DNS domain differs from the AD domain, make sure both domains are mapped to the realm in [domain_realm]
  - Ensure the WebSEAL site is in IE's Local intranet or Trusted sites zone, otherwise IE will not send a Negotiate token

Slide 17: WebSEAL SPNEGO typical issues
- Multiple SPNs mapped to the WebSEAL AD account
  - Only an issue when WebSEAL is installed on UNIX
  - The keytab must be generated with the '-mapOp set' option of ktpass
  - '-mapOp set' replaces the account's SPN mapping, so it removes any other SPNs that existed on the account
  - Therefore use one AD account per SPN on UNIX

Slide 18: WebSEAL SPNEGO limitations
- Does not provide SSO into an IIS back-end server (see Kerberos junctions)
- If SPNEGO fails, falling back to the WebSEAL forms login requires an IE fix
  - WebSEAL's NTLM error page can be modified to point at 'pkmslogin'
  - Or use e-community SSO to log the user in
- WebSEAL cannot handle NTLM responses from IE (an "Authorization: Negotiate" header carrying an NTLM token rather than a Kerberos one, which IE sends when it cannot obtain a service ticket)
- SPNEGO clients cannot log out: the browser re-authenticates automatically on the next 401

Slide 19: Kerberos junctions
- Not SSO into WebSEAL, but SSO from WebSEAL to IIS: WebSEAL authenticates to the junctioned IIS server with Kerberos on the user's behalf

Slide 20: SPNEGO questions

Slide 21: Cross Domain Single Sign-on (CDSSO)
- "A mechanism to transfer a user's credentials between servers in different domains" (WebSEAL administration guide)
- Uses an encrypted token to transfer the user's identity
  - "token creation" creates and encrypts the token on the originating server
  - "token consumption" decrypts and validates the token on the destination server
- CDSSO also works between the TAM Web Plug-in and WebSEAL

Slide 22: Cross Domain Single Sign-on (CDSSO)
- Supports the cross-domain mapping framework (CDMF)
  - Allows additional attributes to be encrypted into the token alongside the user's identity
  - Provides the ability to customize CDSSO using the TAM C APIs

Slide 23: CDSSO configuration and setup
- Configuring CDSSO token-create functionality. The following procedures apply to the initial (originating) WebSEAL server:
  - Enable WebSEAL to generate CDSSO tokens (cdsso-create)
  - Configure the built-in token creation module (sso-create)
  - Create the key file used to encode and decode the token
  - Copy the key file to all participating servers ([cdsso-peers] stanza)
  - Configure the token time stamp (authtoken-lifetime)
  - Configure the token label (cdsso-argument)
  - Create the CDSSO HTML link (/pkmscdsso?destination-URL)

Slide 24: CDSSO setup and configuration
- Configuring CDSSO token-consume functionality. The following procedures apply to the destination WebSEAL server:
  - Enable WebSEAL to consume CDSSO tokens for authentication (cdsso-auth)
  - Configure the built-in token consumption module (sso-consume)
  - Assign the appropriate key file ([cdsso-peers] stanza)
  - Configure the token time stamp (authtoken-lifetime)
  - Configure the token label (cdsso-argument)
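The create/consume procedure on slides 23 and 24, carried through as an added example that is not from the presentation and does not reproduce WebSEAL's real token format: both sides of a CDSSO token in Python, with a per-peer key table standing in for the [cdsso-peers] stanza, a creation time stamp checked against authtoken-lifetime, and the token passed as a query argument on the destination URL the way the /pkmscdsso link does. The cipher is a stand-in (an HMAC-SHA256 keystream with encrypt-then-MAC, so a wrong key is detected before anything is decrypted); the lifetime of 180 seconds and the argument label PD-ID are assumptions for the demonstration. The consume function returns a result instead of raising so each of the typical failures on slide 29 (skew, mismatched keys, peers not set up) is visible as a distinct outcome.

```python
import base64
import hashlib
import hmac
import json
import os
import time
import urllib.parse

# Assumed values for this example; in WebSEAL they come from the [cdsso] stanza.
AUTHTOKEN_LIFETIME = 180      # seconds (authtoken-lifetime)
CDSSO_ARGUMENT = "PD-ID"      # query-string label carrying the token (cdsso-argument)


def _keystream(key, nonce, n):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks. Not WebSEAL's format."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def create_token(key, user, origin_host, now=None):
    """Token creation (the sso-create side): encrypt identity + creation time, then MAC."""
    stamp = int(now if now is not None else time.time())
    payload = json.dumps({"user": user, "origin": origin_host, "ts": stamp}).encode()
    nonce = os.urandom(16)
    ciphertext = _xor(payload, _keystream(key, nonce, len(payload)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def cdsso_link(key, user, origin_host, destination_url, now=None):
    """What the originating server redirects to for /pkmscdsso?destination-URL:
    the destination plus the token under the cdsso-argument label."""
    sep = "&" if "?" in destination_url else "?"
    token = create_token(key, user, origin_host, now)
    return f"{destination_url}{sep}{CDSSO_ARGUMENT}={urllib.parse.quote(token, safe='')}"


def consume_token(peers, origin_host, token, now=None, lifetime=AUTHTOKEN_LIFETIME):
    """Token consumption (the sso-consume side). peers maps the originating server's fully
    qualified name to its key file contents, like the [cdsso-peers] stanza."""
    key = peers.get(origin_host)
    if key is None:
        return {"ok": False, "error": f"no [cdsso-peers] entry for {origin_host}"}
    try:
        raw = base64.urlsafe_b64decode(token)
        nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return {"ok": False, "error": "MAC mismatch: mismatched key file between peers"}
        payload = json.loads(_xor(ciphertext, _keystream(key, nonce, len(ciphertext))))
    except (ValueError, KeyError):
        return {"ok": False, "error": "malformed token"}
    age = int(now if now is not None else time.time()) - payload["ts"]
    if age > lifetime:
        return {"ok": False, "error": f"token expired: age {age}s exceeds authtoken-lifetime {lifetime}s"}
    if age < -lifetime:
        return {"ok": False, "error": f"token dated {-age}s in the future: clock skew between peers"}
    return {"ok": True, "user": payload["user"], "origin": payload["origin"]}


def consume_from_url(peers, origin_host, url, now=None):
    """Pull the cdsso-argument off the URL the browser arrived with and consume it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if CDSSO_ARGUMENT not in query:
        return {"ok": False, "error": f"no {CDSSO_ARGUMENT} argument on request"}
    return consume_token(peers, origin_host, query[CDSSO_ARGUMENT][0], now)
```

The two clock checks are why slide 26 insists on synchronized machine times: the consuming server only ever sees the creator's time stamp, so a few minutes of skew is indistinguishable from an expired or forged token. The key table is also why slide 27 forbids reusing key pairs across environments: any peer holding the key can mint a token for any user.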

Slide 25: CDSSO flow (diagram; not reproduced in the transcript)

Slide 26: CDSSO requirements
- "All WebSEAL servers participating in CDSSO must have machine times synchronized." (WebSEAL administration guide)
- "For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment." (WebSEAL administration guide)

Slide 27: CDSSO requirements
- "Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments." (WebSEAL administration guide)

Slide 28: CDSSO problem determination
- Determine whether the error occurs during "token creation" or "token consumption"
- Enable the CDSSO-specific trace component pdweb.wan.cdsso
- Enable the 'pdweb.snoop' trace
- Analyze 'msg__WebSEALd-.log'
- Check whether the customer is using the default token libraries (sso-create / sso-consume) or custom CDMF ones

Slide 29: CDSSO typical issues
- Time issues: time zones not set up correctly, or clock skew larger than authtoken-lifetime
- Mismatched keys between the peers
- CDSSO peers incorrectly set up (the [cdsso-peers] entry does not match the fully qualified host name the other server presents)

Slide 30: CDSSO limitations
- Strings in the token are UTF-8 encoded
- Token compatibility across different WebSEAL versions has to be provided for

Slide 31: CDSSO questions

Slide 32: e-community Single Sign-on (ECSSO)
- The concept is similar to CDSSO
- A master authentication server (MAS) provides the single point of authentication
  - Both WebSEAL and the Web Plug-in (WebPI) can provide MAS functionality
- Domain-specific cookies identify the server that can provide "vouch-for" services
- The e-community implementation allows "local" authentication in remote domains

Slide 33: ECSSO flow (diagram; not reproduced in the transcript)

Slide 34: ECSSO setup and configuration
- Enabling and disabling e-community members
- Including credential attributes in the vouch-for tokens
- Specifying the sso-create and sso-consume libraries

Slide 35: ECSSO problem determination
- Determine whether the error occurs during "token creation" or "token consumption"
- Enable the 'pdweb.snoop' trace on the servers involved
- Analyze 'msg__WebSEALd-.log'

Slide 36: ECSSO typical issues
- Time issues: time zones not set up correctly, or clock skew
- Mismatched keys
- e-community domains incorrectly set up

Slide 37: ECSSO limitations
- One server, or group of servers, provides authentication for a group of servers
  - Each server can still do local authentication

Slide 38: ECSSO questions