Slide 1
TAM STE Series 2008 - WebSEAL SSO, Session 1
08/2008
© 2008 IBM Corporation
Presented by: Andrew Quap
Slide 2: Itinerary for WebSEAL single sign-on (SSO)
– Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
– CDSSO
– eCDSSO
Slide 3: SPNEGO
– Generic Security Service Application Program Interface (GSS-API)
  – "an application programming interface for programs to access security services" (Wikipedia)
  – RFC 2478
  – Describes a set of standard APIs
– GSS-API can implement any security protocol
  – The GSS-API implementation of Kerberos is the best known
Slide 4: SPNEGO
– Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension (Wikipedia)
  – Requires an AD server acting as KDC
  – Nowadays Microsoft markets the use of NTLM instead of SPNEGO
  – Used to provide desktop single sign-on into an IIS server
– TAM WebSEAL SPNEGO allows users to SSO into WebSEAL
Slide 5: Kerberos basics
– MIT Kerberos v5, RFC 1510
  – Kerberos tickets
  – Kerberos realm
  – KDC (Key Distribution Center): the server that issues Kerberos tickets; typically listens on port 88
– For UNIX implementations, "krb5.conf" contains the Kerberos client configuration
Slide 6: Kerberos basics
– keytab file
  – Allows a service (i.e. a server) to authenticate into a Kerberos realm automatically
– 'kinit' command
  – Command used to authenticate a user into a Kerberos realm
  – Input: user/password, or a keytab file
Slide 7: SPNEGO
– SPNEGO uses the GSS-API Kerberos implementation
– WebSEAL and WebPI use the "HTTP Negotiate" extension defined by Microsoft:
  – The client web browser sends an HTTP request to WebSEAL.
  – WebSEAL returns HTTP 401 (Unauthorized) with the header "WWW-Authenticate: Negotiate".
  – The client chooses a Service Principal Name for the host and calls InitializeSecurityContext() to generate a NegTokenInit token.
Slide 8: SPNEGO
– The client resends the request with the header "Authorization: Negotiate <token>" (e.g. Authorization: Negotiate YIIGUQY...).
– WebSEAL decodes the NegTokenInit token.
– WebSEAL verifies the encryption type and authenticates using gss_accept_sec_context.
– The next step depends on what the gss_accept_sec_context function returns.
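As an added illustration of the "decodes the NegTokenInit token" step (example code written for these notes, not WebSEAL's or IBM's implementation), the Python below takes the value of an Authorization: Negotiate header and decodes it only as far as a troubleshooter needs: is it a GSS-API InitialContextToken carrying SPNEGO, a raw Kerberos token, or the raw NTLMSSP message that Internet Explorer falls back to when it cannot get a ticket? The mechanism OIDs are the standard registered values; the sample token is constructed inline and its mechToken is a 16-byte placeholder rather than a real Kerberos AP-REQ. The prefix YIIG in the slide's real example decodes to the bytes 0x60 0x82 0x06, i.e. the [APPLICATION 0] tag followed by a two-byte length, which is the first thing the parser checks.

```python
import base64

# Registered mechanism OIDs (standard values, not taken from the slides)
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID also offered by Windows clients
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]; reject malformed lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_negtokeninit(mech_oids, mech_token):
    """InitialContextToken { thisMech = SPNEGO, negTokenInit { mechTypes, mechToken } } per RFC 2478."""
    mech_list = der(0x30, b"".join(der_oid(m) for m in mech_oids))
    fields = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def parse_negotiate_header(header_value):
    """Classify the value of 'Authorization: Negotiate <base64>' before anything is passed to GSS-API."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate authorization header")
    raw = base64.b64decode(b64.strip(), validate=True)
    if raw.startswith(b"NTLMSSP\x00"):
        # A raw NTLM message sent under the Negotiate scheme: not a GSS-API token at all
        return {"kind": "ntlm-raw", "mech_types": []}
    tag, content, end = read_tlv(raw)
    if tag != 0x60 or end != len(raw):
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    oid_tag, oid_bytes, pos = read_tlv(content)
    if oid_tag != 0x06:
        raise ValueError("thisMech OID missing")
    this_mech = decode_oid(oid_bytes)
    if this_mech != SPNEGO_OID:
        return {"kind": "non-spnego", "mech_types": [this_mech]}
    choice_tag, neg_init, _ = read_tlv(content, pos)
    if choice_tag != 0xA0:
        raise ValueError("expected negTokenInit [0] as the first SPNEGO message")
    _, fields, _ = read_tlv(neg_init)            # the NegTokenInit SEQUENCE
    result = {"kind": "spnego-init", "mech_types": [], "mech_token_len": 0}
    p = 0
    while p < len(fields):
        ftag, fcontent, p = read_tlv(fields, p)
        if ftag == 0xA0:                          # mechTypes [0]: SEQUENCE OF OID, in preference order
            _, oids, _ = read_tlv(fcontent)
            q = 0
            while q < len(oids):
                _, oid_bytes, q = read_tlv(oids, q)
                result["mech_types"].append(decode_oid(oid_bytes))
        elif ftag == 0xA2:                        # mechToken [2]: OCTET STRING holding the first mech's token
            _, tok, _ = read_tlv(fcontent)
            result["mech_token_len"] = len(tok)
    result["kerberos_offered"] = bool({KRB5_OID, MS_KRB5_OID} & set(result["mech_types"]))
    return result


# Constructed sample: a browser offering Kerberos first and NTLM second; the 16-byte mechToken is a placeholder.
SAMPLE_TOKEN = build_negtokeninit([KRB5_OID, NTLMSSP_OID], b"\x00" * 16)
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
NTLM_FALLBACK_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    print(parse_negotiate_header(SAMPLE_HEADER))
    print(parse_negotiate_header(NTLM_FALLBACK_HEADER))
```

In a trace, a header whose mechTypes list lacks both Kerberos OIDs, or that decodes to a raw NTLMSSP message, tells you the browser never obtained a ticket for WebSEAL's SPN; the problem is then on the client or KDC side (trusted-site setting, SPN registration, DNS), not in WebSEAL's keytab.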
Slide 9: SPNEGO flow
– All entities share a secret key with the 3rd party
  – Allows the 3rd party to authenticate any known entity
  – The 3rd party can encrypt data for any known entity
Slide 10: WebSEAL SPNEGO configuration and setup
– The AD server is typically configured as the TAM registry
  – A separate LDAP server can be used, but the users in the AD and LDAP servers must be synchronized
– The WebSEAL administration guide, v6, covers SPNEGO in great detail
Slide 11: WebSEAL SPNEGO configuration and setup
– WebSEAL installed on Windows OS
  – The 'ktpass' command creates Service Principal Names (SPNs) in the AD server
  – Set up the WebSEAL service to authenticate as the new SPN
  – The WebSEAL server must be configured as a client in the AD domain
Slide 12: WebSEAL SPNEGO configuration and setup
– WebSEAL installed on UNIX
  – Requires a keytab file generated by the 'ktpass' command
  – Modify the WebSEAL configuration file to include the principal name and the keytab file
  – Set up the Kerberos client on the WebSEAL machine
Slide 13: WebSEAL SPNEGO configuration and setup
– Supports a load-balanced WebSEAL setup
  – The WebSEAL admin guide details the steps needed for the basic setup; case does matter
  – Forward and reverse lookups must match on the WebSEAL machine for the load-balanced hostname
  – WebSEAL on Windows: the server instances must all run under the same ID
  – WebSEAL on UNIX: the servers must all share the same keytab
Slide 14: WebSEAL SPNEGO problem determination
– Invoke the 'bst' trace or a per-process trace
– Determine whether it is a Kerberos error
  – Review the Kerberos client configuration in 'krb5.conf'
– UNIX
  – Ensure the keytab file is valid: use a 'kinit' test
– Windows
  – Ensure the WebSEAL service authenticates as the user created by the 'ktpass' command
Slide 15: WebSEAL SPNEGO typical issues
– TAM 6.0 provides a SPNEGO problem determination guide
– WebSEAL will not start
  – Invoke per-process tracing
  – Look for a Kerberos error
  – Example of error
Slide 16: WebSEAL SPNEGO typical issues
– WebSEAL starts but user SSO fails
  – Invoke 'bst' tracing
  – Invoke a network trace from the end user's browser; look for the AD server response
  – Check 'krb5.conf': make sure the AD domain is defined or is the default, and if the WebSEAL domain is different from the AD domain make sure both domains are mapped
  – Ensure the site is entered as a trusted site in the IE browser
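The krb5.conf check on this slide can be made mechanical. The Python below is an added example written for these notes (not an IBM or MIT Kerberos tool): it parses the krb5.conf format ([section] headers, key = value entries, REALM = { ... } blocks) and then applies the two points above to a WebSEAL host and an AD domain, following libkrb5's [domain_realm] lookup order (exact host, then parent domains with a leading dot, then default_realm). The host names, realm CORP.EXAMPLE.COM and both configuration files are constructed for the example; the broken variant is the common case where WebSEAL sits in a DNS domain of its own that was never mapped to the AD realm.

```python
def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts; repeated keys (e.g. several kdc lines) become lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip both comment styles
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"expected 'key = value': {line!r}")
        if value == "{":                      # start of a REALM = { ... } block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def realm_for_host(conf, host):
    """Mimic libkrb5's [domain_realm] lookup. Returns (realm or None, which rule matched)."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host], f"[domain_realm] entry {host!r}"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], f"[domain_realm] entry {parent!r}"
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        return default[0], "default_realm fallback"
    return None, "no [domain_realm] match and no default_realm"


def check_spnego_realm_mapping(conf, webseal_fqdn, ad_domain):
    """Apply the slide's two krb5.conf checks; an empty list means both pass."""
    findings = []
    ad_realm = ad_domain.upper()
    realm_def = conf.get("realms", {}).get(ad_realm)
    if not isinstance(realm_def, dict):
        findings.append(f"AD realm {ad_realm} is not defined as a {{ }} block in [realms]")
    elif not realm_def.get("kdc"):
        findings.append(f"[realms] {ad_realm} has no kdc entry")
    for host, what in ((ad_domain, "AD domain"), (webseal_fqdn, "WebSEAL host")):
        realm, how = realm_for_host(conf, host)
        if realm != ad_realm:
            # Suggest the domain-wide mapping: the host's own domain for WebSEAL, the AD domain itself otherwise
            suffix = "." + (host.split(".", 1)[1] if what == "WebSEAL host" else host)
            findings.append(f"{what} {host} resolves to realm {realm} ({how}); expected {ad_realm}. "
                            f"Add '{suffix} = {ad_realm}' to [domain_realm] or set default_realm")
    return findings


# Constructed sample: WebSEAL in dmz.example.net authenticating users of AD realm CORP.EXAMPLE.COM
GOOD_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        kdc = dc2.corp.example.com:88
        admin_server = dc1.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    .dmz.example.net = CORP.EXAMPLE.COM
"""

# Same environment without the WebSEAL domain mapping and without default_realm: the WebSEAL
# host name then resolves to no realm at all, which is the failure the slide describes.
BROKEN_CONF = "\n".join(l for l in GOOD_CONF.splitlines()
                        if "dmz.example.net" not in l and "default_realm" not in l)

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        conf = parse_krb5_conf(text)
        print(name, check_spnego_realm_mapping(conf, "webseal1.dmz.example.net", "corp.example.com") or "OK")
```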
Slide 17: WebSEAL SPNEGO typical issues
– Multiple SPNs mapped to the WebSEAL AD account
  – The issue only occurs when WebSEAL is installed on UNIX
  – The '-mapOp set' option must be used with the ktpass command
  – '-mapOp set', which is required to create a keytab, removes the other SPNs that existed on the account
  – Use one account per SPN on UNIX
Slide 18: WebSEAL SPNEGO limitations
– Does not provide SSO into an IIS backend server
– If SPNEGO fails, falling back to WebSEAL forms login requires an IE fix
  – WebSEAL's NTLM error page can be modified for 'pkmslogin'
  – Use E-community SSO to log the user in
– WebSEAL cannot handle NTLM responses from IE
– SPNEGO clients cannot log out
Slide 19: Kerberos junctions
– Not SSO to WebSEAL, but SSO from WebSEAL to IIS
Slide 20: SPNEGO questions
Slide 21: Cross Domain Single Sign-on (CDSSO)
– "A mechanism to transfer a user's credentials between servers in different domains" (WebSEAL administration guide)
– Uses an encrypted token to transfer a user's identity
  – "token creation" creates and encrypts the token
  – "token consumption" decrypts the token
– CDSSO can be used between the TAM Web plug-in and WebSEAL
Slide 22: Cross Domain Single Sign-on (CDSSO)
– Supports the cross-domain mapping framework (CDMF)
  – Allows additional attributes to be encrypted in the token in addition to the user's identity
  – Provides the ability to customize CDSSO using the TAM C APIs
Slide 23: CDSSO configuration and setup
– Configuring CDSSO token create functionality
  – The following procedures apply to the initial WebSEAL server:
  – Enable WebSEAL to generate CDSSO tokens (cdsso-create).
  – Configure the built-in token creation module (sso-create).
  – Create the key file used to encode and decode the token.
  – Copy the key file to all appropriate participating servers ([cdsso-peers] stanza).
  – Configure the token time stamp (authtoken-lifetime).
  – Configure the token label (cdsso-argument).
  – Create the CDSSO HTML link (/pkmscdsso?destination-URL).
Slide 24: CDSSO setup and configuration
– Configuring CDSSO token consume functionality
  – The following procedures apply to the destination WebSEAL server:
  – Enable WebSEAL to consume CDSSO tokens for authentication (cdsso-auth).
  – Configure the built-in token consumption module (sso-consume).
  – Assign the appropriate key file ([cdsso-peers] stanza).
  – Configure the token time stamp (authtoken-lifetime).
  – Configure the token label (cdsso-argument).
Slide 25: CDSSO flow
Slide 26: CDSSO requirements
– "All WebSEAL servers participating in CDSSO must have machine times synchronized." (WebSEAL administration guide)
– "For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment." (WebSEAL administration guide)
Slide 27: CDSSO requirements
– "Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments." (WebSEAL administration guide)
Slide 28: CDSSO problem determination
– Determine whether the error occurs during "token creation" or "token consumption"
– Enable CDSSO-specific tracing: pdweb.wan.cdsso
– Enable the 'pdweb.snoop' trace
– Analyze 'msg__WebSEALd-.log'
– Is the customer using the default libraries?
Slide 29: CDSSO typical issues
– Time issues: different time zones not set up correctly, or clock skew
– Mismatched keys
– CDSSO peers incorrectly set up
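The create/consume configuration of slides 23 and 24 and the two typical failures above (time skew and mismatched keys) fit into one small model of the token lifecycle. The Python below is an added example written for these notes, not WebSEAL's token format and not IBM's sso-create/sso-consume modules: it substitutes an HMAC-SHA256 tag for WebSEAL's token encryption so that it runs with the standard library alone, uses the label PD-ID for cdsso-argument and 180 seconds for authtoken-lifetime, and uses two constructed keys to stand for two separate CDSSO environments (slide 27). The point it shows is that both peers must hold the same key file and agree on time, and that the consuming side should report which of the two failed, since that is the first question in slide 28's problem determination.

```python
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote, urlparse

TOKEN_LABEL = "PD-ID"          # cdsso-argument: the query argument that carries the token
AUTHTOKEN_LIFETIME = 180       # authtoken-lifetime in seconds, as configured for this example
TAG_LEN = hashlib.sha256().digest_size

# Constructed keys. In WebSEAL the key file is generated once per CDSSO environment and copied to
# every [cdsso-peers] member; OTHER_ENV_KEY stands for a key file from a different environment.
SHARED_KEY = hashlib.sha256(b"example-cdsso-environment-A").digest()
OTHER_ENV_KEY = hashlib.sha256(b"example-cdsso-environment-B").digest()


def cdsso_link(origin_host, destination_url):
    """The HTML link placed on the originating server: /pkmscdsso?destination-URL."""
    return f"https://{origin_host}/pkmscdsso?{destination_url}"


def create_token(key, user, destination_url, now):
    """Model of token creation (cdsso-create / sso-create): identity plus time stamp, bound to the shared key."""
    body = json.dumps({"user": user, "dest": destination_url, "ts": now}, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def redirect_with_token(destination_url, token, label=TOKEN_LABEL):
    """The redirect the creating server sends the browser to; the token rides in the labelled argument."""
    sep = "&" if urlparse(destination_url).query else "?"
    return f"{destination_url}{sep}{label}={quote(token, safe='')}"


def extract_token(url, label=TOKEN_LABEL):
    return parse_qs(urlparse(url).query).get(label, [None])[0]


def consume_token(key, token, now, lifetime=AUTHTOKEN_LIFETIME):
    """Model of token consumption (cdsso-auth / sso-consume).
    Returns (claims, "ok") or (None, reason); the reason separates key problems from time problems."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, binascii.Error):
        return None, "token is not valid base64"
    if len(raw) <= TAG_LEN:
        return None, "token too short"
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        # A different key file on one peer, or a key reused from another environment
        return None, "integrity check failed: key file differs between cdsso-peers"
    claims = json.loads(body)
    age = now - claims["ts"]
    if age < 0:
        return None, f"token time stamp is {-age}s in the future: clocks are not synchronized"
    if age > lifetime:
        return None, f"token is {age}s old, beyond authtoken-lifetime of {lifetime}s: skew or stale link"
    return claims, "ok"


def demo():
    """Walk one CDSSO hop four ways; returns the consuming server's verdict per scenario."""
    t0 = 1_700_000_000                        # fixed 'now' so the walk-through is reproducible
    dest = "https://webseal-b.example.org/app/start"
    token = create_token(SHARED_KEY, "alice", dest, now=t0)
    carried = extract_token(redirect_with_token(dest, token))
    return {
        "link": cdsso_link("webseal-a.example.com", dest),
        "in_time": consume_token(SHARED_KEY, carried, now=t0 + 60)[1],
        "expired": consume_token(SHARED_KEY, carried, now=t0 + AUTHTOKEN_LIFETIME + 1)[1],
        "future": consume_token(SHARED_KEY, carried, now=t0 - 30)[1],
        "wrong_key": consume_token(OTHER_ENV_KEY, carried, now=t0 + 60)[1],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>10}: {verdict}")
```

Read against slide 28: a verdict from the integrity check points at the key file and the [cdsso-peers] stanza on one of the two servers, while a verdict from the age check points at time zones, NTP, or a link that was generated long before it was clicked; a "future" time stamp is the give-away that the consuming server's clock is behind the creating one.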
Slide 30: CDSSO limitations
– UTF-8 encoding for strings
– Providing compatibility for tokens across WebSEAL versions
Slide 31: CDSSO questions
Slide 32: E-community Single Sign-on (ECSSO)
– The concept is similar to CDSSO
– A master authentication server (MAS) provides a single point for authentication
  – WebSEAL and WebPI provide MAS functionality
– Domain-specific cookies are used to identify the server that can provide "vouch for" services
– The e-community implementation allows for "local" authentication in remote domains
Slide 33: eCDSSO flow
Slide 34: ECSSO setup and configuration
– Enabling and disabling e-community members
– Including credential attributes in the vouch-for tokens
– Specifying the sso-create and sso-consume libraries
Slide 35: ECSSO problem determination
– Determine whether the error occurs during "token creation" or "token consumption"
– Enable the 'pdweb.snoop' trace on the servers involved
– Analyze 'msg__WebSEALd-.log'
Slide 36: ECSSO typical issues
– Time issues: different time zones not set up correctly, or clock skew
– Mismatched keys
– ECDSSO domains incorrectly set up
Slide 37: ECSSO limitations
– One server, or group, provides authentication for a group of servers
  – Each server can still do local authentication
Slide 38: eCDSSO questions