
Background: I currently have a Java web application which is run on localhost on my Mac. Users can log in to the web application, and their credentials are validated against an OpenLDAP server which is run on a certain port on my local machine as well (specifically using this docker image). The web application includes code which interacts with the LDAP server to provide the login username and password. Upon successful validation, the users are logged in and can continue to use the features of the app.

Problem: This web application will be deployed to clients who will be using Windows. They are requesting SSO capabilities, i.e. successful login to their Windows machines under their domain bypasses the need for logging in to the web application when they run it. The clients cannot have some other Java application running on their machine which will help with SSO; simply logging into their Windows machine should bypass the need for logging into the web application, which means Windows needs to be configured a certain way, and the web application needs to be configured a certain way for SSO. For testing purposes, I am using a Windows 7 virtual machine which is run on the same machine that I am running and testing the web application on.

I've done research on SPNEGO, the Java GSS API (looks like it needs client-side code to communicate with the server), Kerberos, Windows IIS etc. I know how to enable Windows integrated authentication in Windows, but I don't know how to actually use this with my web application to enable SSO. Basically, I am still struggling with how to implement SSO capabilities in my specific case under these circumstances. Here are some specific questions:

  1. Can browsers be configured to send encrypted Windows credentials of the machine they are running on to the web application, which can then be decrypted by the web application and authenticated against LDAP? If so, how does this work?
  2. Can the Windows login credentials be configured to point to an LDAP server that validates them?
  3. Overall, how can I integrate single sign-on for a web application running on a Windows machine, where the web application is configured to authenticate credentials through an LDAP server?

1 Answer

Windows SSO is based on Kerberos, not on LDAP. The reason people usually mix them up is that Microsoft Active Directory acts as both an LDAP server and a Kerberos server.

If you need transparent authentication (SSO) for your Windows users you have to implement Kerberos authentication.

The way Kerberos is implemented for web applications is called SPNEGO.

You need to do the following:

  1. Create a service account in Active Directory for your server, say REALM\svc_server
  2. Create an SPN for your server which will bind the domain name of your server to this service account. If your server is running on https://server.acme.com it should be HTTP/server.acme.com
  3. If a Windows user is logged into domain REALM and goes to https://server.acme.com, the browser will look up an SPN based on the name HTTP/server.acme.com, request a Kerberos ticket from Active Directory and send it to the server in an Authorization header as per the SPNEGO specification
  4. Now you just need to validate this ticket using the built-in Java Kerberos API or some third-party library (kerb4j, spring-security-kerberos, etc.)

As you can see, LDAP is not involved in this authentication flow (although it can be used for authorization as a next step).


7 Comments

Thanks, this cleared things up. I have a few more questions: In step 3, how does the browser know to look up the SPN and request a Kerberos ticket? Does it need to be configured to do this? In step 4, how does the server receive the Kerberos ticket and what form does this ticket take? Is the server listening to incoming HTTP requests from the browser?
@BK201 3. For the first request the server should respond with 401 and a WWW-Authenticate: Negotiate header; it will tell the browser to do the Kerberos authentication. There are settings in the browser to enable this functionality (the server must be in the "intranet" zone and integrated Windows authentication should be enabled) but most likely it is already configured properly in corporate environments. 4. The ticket comes inside the HTTP Authorization header. All you need is to validate it and extract the username from it; use either built-in JRE functionality or one of the 3rd-party libs. Hope it helps!
Hey Bedrin, are there any examples you can point to which use your kerb4j library to receive tickets coming inside of the HTTP authorization header from the browser? Thanks again for the assistance.
@BK201 what technology stack do you use? Servlets? Tomcat? Spring Security? Something else?
I would go with Jetty built-in support of Spnego: eclipse.org/jetty/documentation/current/spnego-support.html
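A servlet filter that performs the exchange described in the answer's steps 3 and 4 and in the comment above (401 with `WWW-Authenticate: Negotiate`, then validation of the ticket from the `Authorization` header with the built-in Java GSS API). This is an added example, not code from the question, the answer or the kerb4j project; it assumes the JVM runs with `-Djavax.security.auth.useSubjectCredsOnly=false` and a JAAS login configuration whose `com.sun.security.jgss.accept` entry uses `Krb5LoginModule` with the keytab of the service account behind the SPN `HTTP/server.acme.com` (the answer's placeholder), and the attribute name `spnego.user` is a hypothetical choice.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;
// Servlet filter for the SPNEGO exchange (added example, not code from the question or answer).
// Assumes the JVM runs with -Djavax.security.auth.useSubjectCredsOnly=false and a JAAS config
// whose "com.sun.security.jgss.accept" entry uses Krb5LoginModule with the service keytab for
// HTTP/server.acme.com (the answer's placeholder SPN), so JGSS can load the acceptor credential.
public class SpnegoFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate ";
    private static final String NTLM_PREFIX = "TlRMTVNT"; // base64 of "NTLMSSP": an NTLM, not Kerberos, token
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE)) {
            // Step 3 of the answer: this 401 tells the browser to obtain a ticket for HTTP/<host>
            // from the KDC and retry with "Authorization: Negotiate <base64 token>".
            response.setHeader("WWW-Authenticate", "Negotiate");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String encoded = auth.substring(NEGOTIATE.length()).trim();
        if (encoded.startsWith(NTLM_PREFIX)) {
            // The browser could not get a ticket and fell back to NTLM; refuse instead of guessing.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Kerberos ticket required");
            return;
        }
        GSSContext ctx = null;
        try {
            // Step 4: validate the ticket with the built-in Java GSS API and read the client principal.
            ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            byte[] token = Base64.getDecoder().decode(encoded);
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            if (reply != null) // mutual authentication: return the server's token to the browser
                response.setHeader("WWW-Authenticate", NEGOTIATE + Base64.getEncoder().encodeToString(reply));
            if (!ctx.isEstablished()) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            request.setAttribute("spnego.user", ctx.getSrcName().toString()); // e.g. "jdoe@REALM"
            chain.doFilter(req, res);
        } catch (GSSException | IllegalArgumentException e) { // bad/expired ticket, wrong SPN, bad base64
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Kerberos validation failed");
        } finally {
            if (ctx != null) try { ctx.dispose(); } catch (GSSException ignored) {}
        }
    }
}
```

Downstream code reads the authenticated principal from the `spnego.user` request attribute; an LDAP lookup on that name is where the existing OpenLDAP code can take over for authorization, as the answer's last paragraph suggests.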