390 likes | 788 Views
TAM STE Series 2008 - WebSEAL SSO, Session 1. Presented by: Andrew Quap. Itinerary for WebSEAL single-signon (SSO). Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) CDSSO eCDSSO. SPNEGO. Generic Security Service Application Program Interface (GSS-API)
E N D
TAM STE Series 2008- WebSEAL SSO, Session 1 Presented by: Andrew Quap WebSEAL SSO, Session 1
Itinerary for WebSEAL single-signon (SSO) • Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) • CDSSO • eCDSSO WebSEAL SSO, Session 1
SPNEGO • Generic Security Service Application Program Interface (GSS-API) • “an application programming interface for programs to access security services. “-wikipedia • RFC 2478 • Describes a set of standard API’s • GSS-API can implement any security protocol • GSS-API implementation of Kerberos is best known WebSEAL SSO, Session 1
SPNEGO • Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension – wikipedia • Requires the use of AD server acting as KDC • Nowadays Microsoft markets the use of NTLM instead of SPNEGO • Used to provide desktop single sign-on into IIS server • TAM WebSEAL SPNEGO allows users to SSO into WebSEAL WebSEAL SSO, Session 1
Kerberos basics • MIT Kerberos v5 • RFC 1510 • Kerberos tickets • Kerberos Realm • KDC (Key Distribution Center) • Server that issues Kerberos tickets • Typically listen on port 88 • For UNIX implementations “krb5.conf” contains Kerberos client configuration WebSEAL SSO, Session 1
Kerberos basics • keytab file • Allows a service (ie a server) to automatically authenticate into Kerberos realm • ‘kinit’ command • Command used to authenticate a user into a Kerberos realm • Input User/password • Or input keytab file WebSEAL SSO, Session 1
SPNEGO • SPNEGO uses GSS-API Kerberos implementation • WebSEAL and WebPI use the "HTTP Negotiate" extension defined by Microsoft. • Client Web Browser does HTTP request to WebSEAL. • WebSEAL returns HTTP 401 (Unauthorized) status and the following header: "WWW-Authenticate: Negotiate". • Client chooses a Service Principal Name for the host and calls InitializeSecurityContext() to generate a NegTokenInit token. WebSEAL SSO, Session 1
SPNEGO • Client resends the request with the following header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>). • WebSEAL decodes the NegTokenInit token. • WebSEAL verifies the encryption type and authenticates using gss_accept_sec_context. • The next step depends on what the gss_accept_sec_context function returns. WebSEAL SSO, Session 1
SPNEGO Flow • All Entities share a secret key with the 3rd party • Allows 3rd party to authenticate any known entity • 3rd party can encrypt data for any known entity WebSEAL SSO, Session 1
WebSEAL SPNEGO configuration and setup • AD server typically is configured as TAM registry • Can have separate LDAP server, but AD and LDAP server must be user synchronized • WebSEAL administration document, v6, on SPNEGO is very detailed. WebSEAL SSO, Session 1
WebSEAL SPNEGO configuration and setup • WebSEAL installed on Windows OS • ‘ktpass’ command creates Server Principal Names (SPN’s) in AD server • Setup WebSEAL service to authenticate as new SPN • The WebSEAL server must be configured as a client into the AD domain WebSEAL SSO, Session 1
WebSEAL SPNEGO configuration and setup • WebSEAL installed on UNIX setup • Requires keytab file generated from ‘ktpass’ command • Modify WebSEAL configuration file to include principal name and keytab file • Setup Kerberos client on WebSEAL machine WebSEAL SSO, Session 1
WebSEAL SPNEGO configuration and setup • Supports load balanced WebSEAL setup • WebSEAL admin guide details steps needed for basic setup, case does matter • Forward and reverse lookup must match on the WebSEAL machine for the load balanced hostname • WebSEAL on windows • The server instances must all be running under the same ID • WebSEAL on UNIX • The servers must all share the same keytab WebSEAL SSO, Session 1
WebSEAL SPNEGO problem determination • Invoke ‘bst’ trace or per-process trace • Determine if Kerberos error • Review Kerberos client config in ‘krb5.conf’ • UNIX • Ensure keytab file is valid • Use ‘kinit’ test • Windows • Ensure WebSEAL service authenticates as user created during ‘ktpass’ command WebSEAL SSO, Session 1
WebSEAL SPNEGO typical issues • TAM 6.0 provides SPNEGO problem determination guide • WebSEAL will not start • Invoke per-process tracing • Look for Kerberos error • Example of error WebSEAL SSO, Session 1
WebSEAL SPNEGO typical issues • WebSEAL starts but user SSO fails • Invoke ‘bst’ tracing • Invoke network trace from end user’s browser • Look for AD server response • Check ‘krb5.conf’ • Make sure AD domain is defined or default • If WebSEAL domain is different from AD domain make sure both domains are mapped • Ensure trusted site is entered in IE browser WebSEAL SSO, Session 1
WebSEAL SPNEGO typical issues • Multiple SPN’s mapped into WebSEAL AD account • Issue only occurs when WebSEAL is installed on UNIX • Must use ‘-mapOp set’ option for ktpass command. • When you use ‘–mapOp set’ which is required to create a keytab it removes the other SPN’s that existed on the account • One account per SPN when using Unix WebSEAL SSO, Session 1
WebSEAL SPNEGO limitations • Does not provide SSO into a IIS backend server • If SPNEGO fails, fallback using WebSEAL forms login requires IE fix • WebSEAL’s NTLM error page can be modified for ‘pkmslogin’ • Use E-community SSO to login user • WebSEAL cannot handle NTLM responses from IE • SPNEGO clients cannot log out WebSEAL SSO, Session 1
Kerberos Junctions • Not SSO to WebSEAL, but SSO from WebSEAL to IIS WebSEAL SSO, Session 1
SPNEGO questions WebSEAL SSO, Session 1
Cross Domain Single Signon (CDSSO) • “A mechanism to transfer a user credentials between servers in different domains-”WebSEAL administration guide • Uses an encrypted token to transfer an user identity • “token creation” creates and encrypts the token • “token consumption” decrypts the token • Can use CDSSO between TAM Web plug-in and WebSEAL WebSEAL SSO, Session 1
Cross Domain Single Sign-on (CDSSO) • Supports cross-domain mapping framework (CDMF) • Allows additional attributes to be encrypted in token in addition to user’s identity • Provides the ability to customized CDSSO using TAM C-api’s WebSEAL SSO, Session 1
CDSSO configuration and setup • Configuring CDSSO token create functionality • The following procedures are appropriate for the initial WebSEAL server • Enable WebSEAL to generate CDSSO tokens (cdsso-create). • Configure the built-in token creation module (sso-create). • Create the key file used to encode and decode the token. Copy the key file to all appropriate participating servers ([cdsso-peers] stanza). • Configure the token time stamp (authtoken-lifetime) • Configure the token label (cdsso-argument). • Create the CDSSO HTML link (/pkmscdsso?destination-URL). WebSEAL SSO, Session 1
CDSSO setup and configuration • Configuring CDSSO token consume functionality • The following procedures are appropriate for the destination WebSEAL server: • Enable WebSEAL to consume CDSSO tokens (cdsso-auth) for authentication. • Configure the built-in token consumption module (sso-consume). • Assign the appropriate key file ([cdsso-peers] stanza). • Configure the token time stamp (authtoken-lifetime) • Configure the token label (cdsso-argument). WebSEAL SSO, Session 1
CDSSO flow WebSEAL SSO, Session 1
CDSSO requirements • “All WebSEAL servers participating in CDSSO must have machine times synchronized.”-WebSEAL administration guide • “For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment.”-WebSEAL administration guide WebSEAL SSO, Session 1
CDSSO requirements • “Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments.” –WebSEAL administration guide WebSEAL SSO, Session 1
CDSSO problem determination • Determine if error occurs during “token creation” or “token consumption” • Enable specific CDSSO tracing pdweb.wan.cdsso • Enable ‘pdweb.snoop’ trace • Analyze ‘msg__WebSEALd-<instance name>.log’ • Is customer using default libraries WebSEAL SSO, Session 1
CDSSO typical issues • Time issues different timezones not setup correctly or skew • Mismatched keys • CDSSO peers incorrectly set up WebSEAL SSO, Session 1
CDSSO limitations • UTF-8 encoding for strings • Providing compatibility for tokens across WebSEAL versions WebSEAL SSO, Session 1
CDSSO questions WebSEAL SSO, Session 1
E-community Single Sign-on (ECSSO) • Concept is similar to CDSSO • Master authentication server (MAS) provides single point for authentication • WebSEAL and WebPI provides MAS functionality • Domain-specific cookies are used to identify the server that can provide "vouch for" services • The e-community implementation allows for "local" authentication in remote domains WebSEAL SSO, Session 1
eCDSSO flow WebSEAL SSO, Session 1
ECSSO setup and configuration • Enabling and Disabling e-Community Members • Including credential attributes in the vouch-for tokens • Specify the sso-create and sso-consume libraries WebSEAL SSO, Session 1
ECSSO problem determination • Determine if error occurs during “token creation” or “token consumption” • Enable ‘pdweb.snoop’ trace on servers involved • Analyze ‘msg__WebSEALd-<instance name>.log WebSEAL SSO, Session 1
ECSSO typical issues • Time issues different timezones not setup correctly or skew • Mismatched keys • ECDSSO domains incorrectly set up WebSEAL SSO, Session 1
ECSSO limitations • One server, or group, provides authentication for a group of servers • Each server can still do local authentication WebSEAL SSO, Session 1
eCDSSO questions WebSEAL SSO, Session 1