Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1

Posted: July 7th, 2013 | Filed under: Technology | 16 Comments

Client (Web Browser) Configuration

The browser is the last component that needs to be configured for integrated authentication. As mentioned previously, a browser will only answer a server's Negotiate challenge automatically, and hand over a Kerberos service ticket, for a site it has been told to trust; until the application server is on that trusted list the browser either prompts for credentials or does nothing. The steps differ for each browser, and several of the most popular browsers are covered below.

Internet Explorer
Internet Explorer only performs SPNEGO authentication automatically against sites in the Local Intranet zone (the zone's default logon setting is "Automatic logon only in Intranet zone"). The following steps show how to add the application server to that zone.

The security configuration for the various security zones is found in the Internet Options panel. If you are using Windows Vista or Windows 7, click Start and type Internet Options. Otherwise, the panel can be reached from within Internet Explorer by clicking Tools and then Internet Options.

Click on the Security tab

[Screenshot: browser_ie_security_tab]

Click on Local Intranet and then Sites

[Screenshot: browser_ie_sites_popup]

Click on Advanced

Enter the fully qualified domain name of the application server in the text field and click Add. Use the same host name that appears in the HTTP/<fqdn> SPN registered for the service account: the browser derives the SPN it requests a ticket for from the host in the URL, so browsing by IP address or by a short name with no matching SPN leaves the KDC unable to issue a ticket. By default the dialog only accepts https:// sites; if the application is served over plain http, clear "Require server verification (https:) for all sites in this zone" before adding it.

[Screenshot: browser_sites_add]

Click OK through the various windows and, if Internet Explorer was open, restart it to apply the settings. On domain-joined machines the same assignment is usually pushed centrally through the "Site to Zone Assignment List" Group Policy setting; when that policy is in place the Sites button is greyed out and the server has to be added to the policy instead.

Firefox
Many of the basic Firefox options are accessible through the Options/Preferences console. However, as many power users are aware, there is a section of Firefox which allows for the configuration of the browser internals. To access this section, launch Firefox and enter about:config in the location bar. Click the "I'll be careful, I promise" button (recent releases label it "Accept the Risk and Continue") to reach the settings.

In the search bar, type "network.negotiate". This filters the list down to a handful of options. Locate "network.negotiate-auth.trusted-uris" and double click it.

[Screenshot: firefox_aboutconfig_network]

Enter the site and click OK. An entry can be a URL prefix such as https://app.example.com, or a plain host or domain name; a leading dot, as in .example.com, trusts every host under that domain (example.com stands in for your own domain here).

[Screenshot: firefox_aboutconfig_url]

Multiple sites can be entered by separating them with a comma. Keep the list as narrow as the deployment allows (specific hosts or your own AD domain suffix), since every matching site is allowed to start a Negotiate exchange with the user's credentials. You may need to restart the browser for the change to take effect.
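Once the browser has been added to the trusted list, the quickest way to confirm that it is really sending a Kerberos ticket, rather than falling back to NTLM, is to look at the `Authorization: Negotiate` header it sends (from the server's request log, a proxy, or the browser's developer tools). The script below is an added example written for this page, not code from the original post or from JBoss Negotiation: it decodes the header value, reads the GSS-API framing, and reports which mechanism the browser actually chose. The three sample headers are constructed inside the script with placeholder inner tokens, not captured traffic.

```python
"""Added example: classify a browser's `Authorization: Negotiate <base64>` header.

The base64 blob is a GSS-API InitialContextToken. Its first OID says whether it
is SPNEGO; inside a SPNEGO NegTokenInit the first entry of mechTypes is the
mechanism the browser wants to use. JBoss Negotiation only accepts Kerberos, so an
NTLM-first token is the usual sign that the client could not get a service ticket.
Sample tokens at the bottom are constructed here, not captured from a browser.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"         # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


# --- minimal DER helpers, just enough for GSS-API/SPNEGO framing ------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                       # base-128, high bit = "more"
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_spnego_token(mech_oids, mech_token):
    """Constructed NegTokenInit carrying only [0] mechTypes and [2] mechToken."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    mech_tok = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_types + mech_tok)))


def classify_negotiate(header_value):
    """Return {'verdict': kerberos|ntlm|unknown|not-negotiate, 'mechs': [OIDs]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    result = {"verdict": "unknown", "mechs": []}
    if scheme.lower() != "negotiate":
        result["verdict"] = "not-negotiate"
        return result
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # raw NTLM, no GSS-API wrapper at all
        result.update(verdict="ntlm", mechs=[NTLMSSP_OID])
        return result
    if len(token) < 2:
        return result
    tag, body, _ = read_tlv(token, 0)
    oid_tag, oid_body, pos = read_tlv(body, 0) if tag == 0x60 else (None, b"", 0)
    if oid_tag != 0x06:
        return result
    mech = decode_oid(oid_body)
    if mech in KERBEROS_OIDS:                   # bare Kerberos AP-REQ, no SPNEGO
        result.update(verdict="kerberos", mechs=[mech])
        return result
    if mech != SPNEGO_OID:
        return result
    ctx_tag, neg_init, _ = read_tlv(body, pos)  # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init, 0)           # SEQUENCE
    f_tag, mech_types, _ = read_tlv(seq, 0)     # [0] mechTypes
    if ctx_tag != 0xA0 or f_tag != 0xA0:
        return result
    _, oid_list, _ = read_tlv(mech_types, 0)    # SEQUENCE OF OID
    p = 0
    while p < len(oid_list):
        _, ob, p = read_tlv(oid_list, p)
        result["mechs"].append(decode_oid(ob))
    first = result["mechs"][0] if result["mechs"] else None
    if first in KERBEROS_OIDS:
        result["verdict"] = "kerberos"
    elif first == NTLMSSP_OID:
        result["verdict"] = "ntlm"
    return result


# Constructed samples: the inner tokens are placeholders, not real AP-REQ/NTLM messages.
_FAKE_AP_REQ = b"\x6e\x82\x01\x00" + b"\x00" * 256
_FAKE_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 22
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_spnego_token([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], _FAKE_AP_REQ)).decode()
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    build_spnego_token([NTLMSSP_OID], _FAKE_NTLM_TYPE1)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(_FAKE_NTLM_TYPE1).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_KERBEROS, SAMPLE_NTLM_IN_SPNEGO, SAMPLE_RAW_NTLM):
        print(hdr[:26] + "...", classify_negotiate(hdr))
```

Paste a real header value into `classify_negotiate` and read the verdict: "kerberos" means the browser trusts the site and obtained a ticket for the SPN; "ntlm" means it could not (the host is not in the trusted list, the HTTP/<fqdn> SPN is not registered, or the user is not logged on to the domain), and JBoss Negotiation will reject the token because it does not support NTLM. The familiar eyeball rule follows from the encoding: a Kerberos SPNEGO token is long enough that its base64 starts with "YII", while raw NTLM starts with "TlRMTVNT" (base64 of "NTLMSSP").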

With the JBoss server, web application and web browser properly configured, Integrated Windows Authentication is fully configured.


16 Comments on “Integrated Windows Authentication (SPNEGO) for Web Applications on JBoss EAP 6.1”

  1. Joey said at 9:53 am on July 8th, 2013:

    Good stuff man. I will have to give it a shot. Could be very useful for me 🙂

  2. Alex said at 2:10 am on September 20th, 2013:

    Thanks a lot for that great tutorial. It’s the best and most comprehensive I’ve ever seen.

    Nevertheless I’ve fallen (in my environment) into some traps and I want to share some hints:
    – the service user AND the calling user have to be flagged “AES256 for Kerberos enabled”; otherwise I’ve got a GSSException: “Checksum failed”; (maybe they only have to have the same encryptions enabled/disabled)
    – the SPN assigned to the service user is not allowed to be assigned to ANY other user
    – there may be a global Kerberos configuration (C:\Windows\krb5.ini) on the machine running the JBoss; check that for correct values
    – “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy” has to be installed on the server for AES256 support

    Some corrections:
    – the code of the login module is “UsersRoles” and not “UserRoles” (page 3)
    – the code of the login module is “SPNEGOUsers” and not “SPNEGO” (page 3)

    Maybe an interesting scenario to use SPNEGO for users logged into the domain, authenticate users not logged into the domain (e.g. working with a local account) using username/password against AD but load roles from AD in both cases:

    Thank you!

  3. sabre1041 said at 10:31 pm on September 23rd, 2013:

    Alex,

    Thanks for sharing some of your experiences with SPNEGO in your environment. I’m sure others implementing in a more secure environment will find the information very useful.

    In addition, good catch pointing out the error with the UsersRoles login module. I have gone in and made the appropriate corrections to the post.

    The SPNEGO login module can be represented as either SPNEGOUsers or just plain old SPNEGO. The EAP 6.1 Security Guide has examples of both implementations.

    Certainly an interesting scenario you posed. You may be able to accomplish this by chaining login modules and tweaking their configuration types. Very interested to hear if you are able to accomplish this.

    – Andy

  4. Chris said at 10:53 am on October 14th, 2013:

    Big thanks! Managed to get it to work without major hiccups.

    Is it possible to make this work without using roles? That is, any user that is authenticated in Active Directory would be able to log in without requiring extra configuration in the roles.properties.

  5. sabre1041 said at 12:15 pm on October 27th, 2013:

    Chris, you can use the AdvancedLdapLoginModule. See the following link for more information on how to configure it with SPNEGO:

    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/ch02s04s02.html

    Example Configuration:
    https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Negotiation_User_Guide/apas02.html#AdvLDAP_on_AD

  6. Elton said at 1:49 pm on March 7th, 2014:

    I currently have CAS configured with JBoss 5 and need to move over to JBoss 7. I already have keytab files and SPNs generated.
    I have 2 configurations: 1. Username and password is the same (default). 2. SPNEGO authentication to Active Directory. The new CAS zip file needs to be built with Ant or Maven. I did not see mention of that in your post. Is there something I am missing?

  7. John said at 1:22 pm on March 17th, 2014:

    Many, many thanks for this. I managed to get IWA working with our app without too many problems thanks to your very clear blog.

    I wondered if you knew of any way that an application could be configured to use SPNEGO/IWA if available and to fall back to a form based authentication if not?

  8. sabre1041 said at 10:47 pm on April 1st, 2014:

    John,

    You can add a form-login-config section to the login-config section of your web.xml. If SPNEGO authentication fails, it will fall back to the form based authentication.

  9. vrm said at 5:31 am on May 16th, 2014:

    I configured jboss-eap-6.1 as mentioned in this tutorial. When I test the negotiation toolkit, the security domain shows the following error: unable to obtain the password from user, and secured shows 401. Can anyone help?

  10. Spring Security without a login form | Questions and Answers Resource said at 12:37 pm on December 30th, 2014:

    […] The first thing that I need to do is identify who the user is. After reading Block 87’s article, I should start looking at SPNEGO and setting up each of the environments. From that point, I […]

  11. Srini said at 10:38 am on October 1st, 2015:

    Hi Andy,

    Thanks a lot for very great tutorial on integrated windows authentication for web applications and it is very well described step by step in good detail.

  12. Shyam said at 3:56 am on November 4th, 2015:

    Hi,
    I am configuring Kerberos for JBoss EAP 6.4. I followed all the steps mentioned in the link https://access.redhat.com/webassets/avalon/d/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US/Red_Hat_JBoss_Enterprise_Application_Platform-6.4-How_to_Setup_SSO_with_Kerberos-en-US.pdf but am getting:
    15:24:43,139 INFO [stdout] (http-/127.0.0.1:8080-1) [Krb5LoginModule] authentication failed
    15:24:43,140 INFO [stdout] (http-/127.0.0.1:8080-1) Client not found in Kerberos database (6)

  13. Patel said at 5:03 pm on February 18th, 2016:

    Hi everyone: I’ve already completed each step of these processes. AD users are able to authenticate through SQUID to surf the Internet, BUT!! after 2 hours (sometimes more or less) suddenly some users (one or two) couldn’t surf the Internet; Internet Explorer requests new credentials (user/password). Then the AD users type them, but they aren’t able to surf the Internet. I checked that an AD user typed user/password correctly, but the prompt appears every time. From cache.log these lines are recorded:

    2011/02/10 17:58:15| squid_kerb_auth: Got ‘YR […]’ from squid (length: 2107).
    2011/02/10 17:58:15| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key table entry not found

    I’ve been using: RHEL 5.0, SQUID 3.0, modules squid_kerb_auth 1.0.7 and squid_kerb_ldap 1.2.1a. In squid.conf I’ve configured the option debug_options ALL,1 33,2 28,9 in order to get more records, but all these records aren’t useful. Can somebody help? Thanks in advance.

  14. Ananta Aryadewa said at 9:54 am on June 27th, 2016:

    Great post and detailed explanation. However, I still have no clue how to implement this in the servlet. I am working on a Struts 1.3 app, and I need to add SSO to the existing login system, which is backed by an RDBMS. Is there any sample code or a clue to implementing the SSO auth within an existing webapp?

  15. Binh Thanh Nguyen said at 5:50 am on August 9th, 2016:

    Thanks, nice post

  16. Peter said at 11:48 am on September 13th, 2016:

    Let’s discuss the not so uncommon case where there are not one but several web application servers. For example these may be duplicates of the same application (prod, uat, dev, etc.) or they may simply be running different applications.

    In this case would you recommend creating one AD account per app server, or would it suffice to have only one AD account in total? Of course the SPN and the keytab file need to be per-server, I understand that much, but I’m not sure why you would need one AD account per server?

