Differenze tra le versioni di "Domain authentication and SSO"
(→Create a service.keytab file) |
|||
(53 versioni intermedie di uno stesso utente non sono mostrate) | |||
Riga 1: | Riga 1: | ||
− | Domain connection(s) | + | = Configuration of Domain authentication in itmSUITE PMSM 8.X = |
+ | The following configuration will enable the use of domain credentials to login in itmSUITE PMSM as an alternative of local credentials. | ||
+ | |||
+ | In '''''[wildfly installation folder]\standalone\configuration\standalone.xml''''' add the following properties below node '''''<authentication>''''' : | ||
+ | |||
+ | <login-module code="org.jboss.security.auth.spi.PsmLdapLoginModule" flag="sufficient"> | ||
+ | <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> | ||
+ | <module-option name="java.naming.security.authentication" value="simple"/> | ||
+ | <module-option name="java.naming.provider.url" value="ldap://[Domain Controller]:[ldap port]"/> | ||
+ | <module-option name="bindDN" value="[Domain]\[Domain User]"/> | ||
+ | <module-option name="bindCredential" value="[Password]"/> | ||
+ | <module-option name="baseCtxDN" value="[Base DN]"/> | ||
+ | <module-option name="searchScope" value="SUBTREE_SCOPE"/> | ||
+ | <module-option name="baseFilter" value="(sAMAccountName={0})"/> | ||
+ | <module-option name="password-stacking" value="useFirstPass"/> | ||
+ | </login-module> | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Property !! Description !! Comment | ||
+ | |||
+ | |- | ||
+ | |<u>java.naming.provider.url</u> || URL of Domain Controller and ldap port || | ||
+ | |||
+ | |- | ||
+ | |<u>bindDN</u> || User existing in Domain. It shall be inserted in format [user]@[domain].local || | ||
+ | |||
+ | |- | ||
+ | |<u>bindCredential</u> || Password corresponding to above Bind User || | ||
+ | |||
+ | |- | ||
+ | |<u>baseCtxDN</u> || Domain in format "DC=[Domain],DC=[local]" || | ||
+ | |||
+ | |- | ||
+ | |<u>searchScope</u> || TBC || | ||
+ | |||
+ | |- | ||
+ | |<u>baseFilter</u> || TBC || | ||
+ | |||
+ | |} | ||
+ | |||
+ | = Configuration of Single Sign On with Kerberos in itmSUITE PMSM 8.X = | ||
+ | |||
+ | Prerequisites | ||
+ | # Windows 2003 Server SP2 Server (or higher) with AD controller set | ||
+ | # Windows Server 2003 Support Tools is installed on Windows 2003 server | ||
+ | # Computer with WildFly 10.1.0 is in the domain | ||
+ | # Clocks on computer with Windows Server and on computer with WildFly should be synchronized | ||
+ | |||
+ | == Create SPN Account == | ||
+ | In Domain Server: | ||
+ | * Go to menu “Start – Administrative Tools – Active Directory Users and Computers” and create new user [spn_user]. | ||
+ | |||
+ | Set properties: | ||
+ | |||
+ | "User cannot change password" | ||
+ | "Password never expires" | ||
+ | |||
+ | Optionally check following option to enable AES 256 Encryption for Kerberos Ticket | ||
+ | "This account supports Kerberos AES 256 bit encryption" | ||
+ | |||
+ | Example: | ||
+ | User logon name: | ||
+ | wildflyuser | ||
+ | |||
+ | Account Options: | ||
+ | "User cannot change password" checked | ||
+ | "Password never expires" checked | ||
+ | "This account supports Kerberos AES 256 bit encryption" checked | ||
+ | |||
+ | * Run setspn commands: | ||
+ | setspn –S HTTP/[appserver] [spn_user] | ||
+ | setspn –S HTTP/[appserver.domain.local] [spn_user] | ||
+ | |||
+ | where: | ||
+ | |||
+ | [appserver] – computer name of JBoss machine | ||
+ | [domain.local] – domain name | ||
+ | [spn_user] – SPN account login (created on previous step) | ||
+ | |||
+ | Example: | ||
+ | setspn –S HTTP/itmsuite_server wildflyuser | ||
+ | setspn –S HTTP/itmsuite_server.domain.local wildflyuser | ||
+ | |||
+ | To check if the settings are right run the next command: | ||
+ | |||
+ | setspn –L wildflyuser | ||
+ | |||
+ | Be careful that you do NOT register an SPN to more than one username. A username can have more than one SPN registered but an SPN can only have one username. | ||
+ | |||
+ | Avoid to copy/paste the setspn commands from a text editor to cmd window - it will not work. | ||
+ | Is necessary to edit the setspn commands into cmd window. | ||
+ | |||
+ | == Create a service.keytab file == | ||
+ | There are two possible ways to generate keytab file: using ktpass command of Windows or ktab of JDK package. | ||
+ | |||
+ | === Ktpass === | ||
+ | Run the following command to configure the Service Principal Mapping: | ||
+ | |||
+ | ktpass -out service.keytab -princ HTTP/[appserver]@[domain].local -pass * | ||
+ | -mapuser [DOMAIN]\[spn_user] | ||
+ | |||
+ | Enter the password for the user name, when prompted. | ||
+ | |||
+ | Where: | ||
+ | [appserver] – computer name of WildFly machine | ||
+ | [DOMAIN] – domain name | ||
+ | [spn_user] – SPN account login (created on previous step) | ||
+ | |||
+ | Example: | ||
+ | ktpass -out service.keytab -princ HTTP/itmsuite_server@domain.local -pass * -mapuser | ||
+ | DOMAIN\wildflyuser | ||
+ | |||
+ | |||
+ | This command will modify the login of SPN User into HTTP/[appserver] | ||
+ | |||
+ | === Ktab === | ||
+ | Run the following command to configure the Service Principal Mapping (from <JAVA_HOME>/bin directory): | ||
+ | |||
+ | ktab -k service.keytab -a HTTP/[appserver]@[domain].local –n 0 | ||
+ | |||
+ | Enter the password for the user name, when prompted. | ||
+ | |||
+ | Where: | ||
+ | [appserver] – computer name of WildFly machine; | ||
+ | [domain] – domain name | ||
+ | |||
+ | Example: | ||
+ | ktab -k service.keytab -a HTTP/itmsuite_server -n 0 | ||
+ | |||
+ | Kerberos authentication is very complicated thing and depends at first from Active Directory | ||
+ | configuration, security politics, etc. These two commands will work with default AD settings. | ||
+ | In case of there are any modifications in AD (some none-default encryption types for example), | ||
+ | these commands must be reviewed in order to add some extra options. | ||
+ | |||
+ | Complete the procedure by following steps: | ||
+ | * 1. Copy file service.keytab to <WILDFLY_HOME>/standalone/configuration | ||
+ | |||
+ | * 2. Replace all variables with actual values in file <WILDFLY_HOME>/standalone/configuration/standalone.xml: | ||
+ | |||
+ | <SERVER> with computer name of WildFly machine | ||
+ | <DOMAIN-NAME> with domain name | ||
+ | |||
+ | == Tuning of the krb5.conf file == | ||
+ | * Copy file Config/JbossHome/standalone/krb5.conf to to <WILDFLY_HOME>/standalone/configuration directory. | ||
+ | |||
+ | * Open file. It contains the next content: | ||
+ | TBC | ||
+ | |||
+ | * change these settings to actual values: | ||
+ | AD.KV4 – replace with actual domain name; | ||
+ | cerberos.ad.kv4 – replace with actual AD controller’s computer name (with domain). | ||
+ | |||
+ | === Tool to check Kerberos configuration === | ||
+ | |||
+ | ==== Klist ==== | ||
+ | Run following command to visualize the Kerberos Tickets on client (PC where browser is running): | ||
+ | |||
+ | Klist | ||
+ | |||
+ | ==== Kinit ==== | ||
+ | Following command will check the Kerberos Ticket requested by client (Application Server). | ||
+ | Run it from Application Server (where jboss is installed): | ||
+ | |||
+ | Navigate into [Java]\bin | ||
+ | kinit -J-Dsun.security.krb5.debug=true -J-Djava.security.krb5.conf=[Standalone folder]\krb5.conf -k -t | ||
+ | [Standalone folder]\service.keytab | ||
+ | HTTP/[SPN User]@[Domain].LOCAL | ||
+ | |||
+ | == Enabling Kerberos authorization in browser == | ||
+ | |||
+ | === Enabling Kerberos authorization in Internet Explorer === | ||
+ | |||
+ | * 1. Go to menu '''''Internet Options''''', tab <u>''Security''</u> and click on "Local Intranet" option. | ||
+ | |||
+ | * 2. Click on '''Sites''' button. In opened window make sure that the last three boxes are checked and click on the '''Advanced''' button. | ||
+ | |||
+ | Add you domain name into the list of Websites (example: "itmSUITE.local"): | ||
+ | |||
+ | * 3. Back to "Local Intranet" option: click on '''Custom Level'''. In opened window activate the next option: | ||
+ | |||
+ | '''''User authentication\Logon\Automatic logon only in Intranet zone''''' | ||
+ | |||
+ | * 4. Go to menu '''''Settings''''', tab <u>''Advanced''</u> | ||
+ | |||
+ | Enable option <u>Enable Integrated Windows Authentication</u>. | ||
+ | |||
+ | === Enabling Kerberos authorization in Mozilla Firefox === | ||
+ | |||
+ | * 1. Type "about:config" in the address bar. | ||
+ | * 2. In the <u>Filter</u> field type the following "network.automatic-ntlm-auth.trusted-uris" | ||
+ | * 3. Double click the name of the preference that we just searched for and enter ''[[glossary|itmSUITE]]'' installation URL (example: "http://intranet.itmsuite.eu" ) | ||
+ | |||
+ | = Import domain user in itmSUITE PMSM 8.X = | ||
+ | |||
+ | TBC | ||
+ | |||
+ | = Configuration of Domain authentication in itmSUITE PMSM 7.X = | ||
+ | The following configuration will enable the use of domain credentials to login in itmSUITE PMSM as an alternative of local credentials. | ||
+ | |||
+ | Domain connection(s) are managed in '''''General\System\LM Settings''''' with ''[[glossary|superadmin]]'' role. | ||
In tab <u>''LDAP Properties''</u> is possible to manage a list of domain connection(s). | In tab <u>''LDAP Properties''</u> is possible to manage a list of domain connection(s). | ||
− | Is possile to define connection(s) related to | + | Is possile to define connection(s) related to different domain(s) or to same domain but with different ''[[glossary|BaseDN]]''. |
{| class="wikitable" | {| class="wikitable" | ||
Riga 14: | Riga 213: | ||
|- | |- | ||
− | |<u>BaseDN</u> || The domain Distinguished Name || | + | |<u>BaseDN</u> || The domain Distinguished Name ||It shall contain the domain name parts separated by ",". |
− | + | ||
+ | <u>'''Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local'''</u> | ||
− | + | Shall be possible define a precise OU of domain to be considered in connection | |
− | + | ||
+ | <u>'''Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local'''</u> | ||
|- | |- | ||
Riga 34: | Riga 235: | ||
|- | |- | ||
− | |<u>Configuration Name</u> || | + | |<u>Configuration Name</u> || Mandatory. The name of current Domain connection || |
|- | |- | ||
− | |<u>Host</u> || | + | |<u>Host</u> || Mandatory. Domain server address or host name || |
|- | |- | ||
− | |<u>Server Type</u> || | + | |<u>Server Type</u> || Mandatory. Type of domain controller || AD (active Directory) and OpenLDAP are supported |
|- | |- | ||
− | |<u>BaseDN</u> || | + | |<u>BaseDN</u> || Mandatory. The domain Distinguished Name ||It shall contain the domain name parts separated by ",". |
+ | |||
+ | <u>'''Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local'''</u> | ||
+ | |||
+ | Shall be possible define a precise OU of domain to be considered in connection | ||
+ | |||
+ | <u>'''Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local'''</u> | ||
|- | |- | ||
− | |<u>Bind User</u> || | + | |<u>Bind User</u> || Domain user login || it will be used for current connection |
|- | |- | ||
− | |<u>Bind Password</u> || | + | |<u>Bind Password</u> || Domain user password || it will be used for current connection |
|- | |- | ||
− | |<u>Active</u> || | + | |<u>Active</u> || If checked: the connection is active || Current connection can't be active until it is not checked |
|- | |- | ||
− | |<u>Sample user's login</u> || | + | |<u>Sample user's login</u> || Domain user login used for check inserted parameters || |
|- | |- | ||
− | |<u>Sample user's password</u> || | + | |<u>Sample user's password</u> || Domain user password used for check inserted parameters || |
|- | |- | ||
− | |<u>Checked</u> || | + | |<u>Checked</u> || If checked: the connection has been verified || |
|} | |} | ||
Riga 70: | Riga 277: | ||
If at least 1 connection is active the ''[[glossary|user]]'' with same login on domain could use domain credentials instead of ''[[glossary|user]]'' credentials. | If at least 1 connection is active the ''[[glossary|user]]'' with same login on domain could use domain credentials instead of ''[[glossary|user]]'' credentials. | ||
+ | |||
+ | The basic condition to use domain credentials is: domain login shall exists into itmSUITE PMSM database too. | ||
+ | To support this basic condition: itmSUITE allows the Domain synchronization with '''import from LDAP''' function (see below). | ||
In this case the authentication follows these steps: | In this case the authentication follows these steps: | ||
Riga 80: | Riga 290: | ||
More than one connection to domain(s) can be active at the same time: in this case the above step 2 is executed on each active connection. | More than one connection to domain(s) can be active at the same time: in this case the above step 2 is executed on each active connection. | ||
− | = | + | = Configuration of Single Sign On with NTLM in itmSUITE PMSM 7.X = |
− | Import | + | SSO (Single Sign On) via <u>'''NTLM'''</u> and Microsoft <u>'''AD'''</u> ( <u>'''Active Directory'''</u> ) can be managed in '''''General\System\LM Settings''''' with superadmin role in Tab ''''NTLM''''. |
+ | |||
+ | {| class="wikitable" | ||
+ | ! Field !! Description !! Comment | ||
+ | |||
+ | |- | ||
+ | |<u>Active Directory Controller</u> || Domain server address or host name || | ||
+ | |||
+ | |- | ||
+ | |<u>Default Domain</u> || TBC || | ||
+ | |||
+ | |- | ||
+ | |<u>Checked</u> || If checked: the connection has been verified || | ||
+ | |||
+ | |- | ||
+ | |<u>Sample user's login</u> || Domain user login used for check inserted parameters || | ||
+ | |||
+ | |- | ||
+ | |<u>Sample user's password</u> || Domain user password used for check inserted parameters || | ||
+ | |||
+ | |} | ||
+ | |||
+ | = Configuration of Single Sign On with Kerberos in itmSUITE PMSM 7.X = | ||
+ | |||
+ | Prerequisites: | ||
+ | * Windows 2003 Server SP2 (or next) with AD controller set | ||
+ | * Windows Server Support Tools installed | ||
+ | * Computer with JBoss AS is in the domain | ||
+ | * Clocks on Domain Server and Server with JBoss AS should be synchronized | ||
+ | |||
+ | == Create SPN Account == | ||
+ | In Domain Server: | ||
+ | * Go to menu “Start – Administrative Tools – Active Directory Users and Computers” and create new user. | ||
+ | Set properties | ||
+ | “User cannot change password” | ||
+ | “Password never expires” | ||
+ | * Run setspn commands: | ||
+ | setspn –S HTTP/appserver wildflyuser | ||
+ | setspn –S HTTP/appserver.domain.local wildflyuser | ||
+ | |||
+ | where: | ||
+ | appserver – computer name of JBoss machine; | ||
+ | domain.local – domain name; | ||
+ | wildflyuser – SPN account login (created on previous step) | ||
+ | |||
+ | To check if the settings are right run the next command: setspn –L service_acc. | ||
+ | Avoid to copy/paste the setspn commands from a text editor to cmd window - it will not work. | ||
+ | Is necessary to edit the setspn commands into cmd window. | ||
+ | |||
+ | == Connect itmSUITE PMSM to Domain through SPN == | ||
+ | SSO (Single Sign On) via <u>'''Kerberos'''</u> and Microsoft <u>'''AD'''</u> ( <u>'''Active Directory'''</u> ) can be managed in '''''General\System\LM Settings''''' with superadmin role in Tab ''''NTLM2''''. | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Field !! Description !! Comment | ||
+ | |||
+ | |- | ||
+ | |<u>Active Directory Controller</u> || Domain server address or host name || | ||
+ | |||
+ | |- | ||
+ | |<u>SPN user's login</u> || TBC || | ||
+ | |||
+ | |- | ||
+ | |<u>SPN user's password</u> || TBC || | ||
+ | |||
+ | |- | ||
+ | |<u>Checked</u> || If checked: the connection has been verified || | ||
+ | |||
+ | |} | ||
+ | |||
+ | == Enabling SS= in browser == | ||
+ | |||
+ | === Enabling NTLM / Kerberos authorization in Internet Explorer === | ||
+ | |||
+ | * 1. Go to menu '''''Internet Options''''', tab <u>''Security''</u> and click on "Local Intranet" option. | ||
+ | |||
+ | * 2. Click on '''Sites''' button. In opened window make sure that the last three boxes are checked and click on the '''Advanced''' button. | ||
+ | Add you domain name into the list of Websites (example: "itmSUITE.local"): | ||
+ | |||
+ | * 3. Back to "Local Intranet" option: click on '''Custom Level'''. In opened window activate the next option: | ||
+ | |||
+ | '''''User authentication\Logon\Automatic logon only in Intranet zone''''' | ||
+ | |||
+ | * 5. Go to menu '''''Settings''''', tab <u>''Advanced''</u> and enable option <u>Enable Integrated Windows Authentication</u>. | ||
+ | |||
+ | ==== Enabling NTLM on PC with Windows 7 or Vista ==== | ||
+ | |||
+ | * 1. Press Windows button '''Start''', insert "regedit" and click on '''Ok'''. | ||
+ | * 2. Go to '''''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa''''' | ||
+ | * 3. Verify the existence of attribute "LmCompatibilityLevel" | ||
+ | * 4. If it not exist create a new DWORD (right click on folder Lsa, click on '''New''' and select "Value DWORD (32 bit)" | ||
+ | * 5. Set attribute "LmCompatibilityLevel" with value "1" exadecimal (in details). | ||
+ | * 6. Reboot user PC. | ||
+ | |||
+ | ==== Enabling NTLM / Kerberos authorization in Mozilla Firefox ==== | ||
+ | |||
+ | * 1. Type "about:config" in the address bar. | ||
+ | * 2. In the <u>Filter</u> field type the following "network.automatic-ntlm-auth.trusted-uris" | ||
+ | * 3. Double click the name of the preference that we just searched for and enter ''[[glossary|itmSUITE]]'' installation URL (example: "http://intranet.itmsuite.eu" ) | ||
+ | |||
+ | = Import domain user in itmSUITE PMSM 7.X = | ||
+ | |||
+ | Domain user import can be managed in '''''General\System\Import from LDAP''''' with ''[[glossary|superadmin]]'' role. | ||
+ | |||
+ | The connection parameters can be selected by drop list <u>Use authentication configuration</u> or directly inserted. | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Field !! Description !! Comment | ||
+ | |||
+ | |- | ||
+ | |<u>Use authentication configuration</u> || Allows to select an existing domain connection || | ||
+ | |||
+ | |- | ||
+ | |<u>Host</u> || Domain server address or host name || | ||
+ | |||
+ | |- | ||
+ | |<u>BaseDN</u> || The domain Distinguished Name ||It shall contain the domain name parts separated by ",". | ||
+ | |||
+ | <u>'''Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local'''</u> | ||
+ | |||
+ | Shall be possible define a precise OU of domain to be considered in connection | ||
+ | |||
+ | <u>'''Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local'''</u> | ||
+ | |||
+ | |- | ||
+ | |<u>Server Type</u> || Type of domain controller || AD (active Directory) and OpenLDAP are supported | ||
+ | |||
+ | |- | ||
+ | |<u>Username Attribute</u> || TBC || | ||
+ | |||
+ | |- | ||
+ | |<u>Bind User</u> || Domain user login || it will be used for current connection | ||
+ | |||
+ | |- | ||
+ | |<u>Bind Password</u> || Domain user password || it will be used for current connection | ||
+ | |||
+ | |- | ||
+ | |<u>Mail Option</u> || This section allows to define how to synchronize the existing domain user mail on itmSUITE user|| Add LDAP Mail to user (if not present): | ||
+ | |||
+ | Overwrite itmSUITE mail with LDAP mail: | ||
+ | |||
+ | |- | ||
+ | |<u>Add LDAP Mail to Notification Mail</u> || The mail will be activated on synchronized user notification addresses || | ||
+ | |||
+ | |- | ||
+ | |<u>Add LDAP Mail to Outbound Mail</u> || The mail will be activated on synchronized user message addresses || | ||
+ | |||
+ | |} | ||
+ | |||
+ | At click on button '''Next''' will be executed a search in domain matching user by login. | ||
+ | |||
+ | As result will be visualized a table with: | ||
+ | * 1. ''[[glossary|itmSUITE]]'' user not matched | ||
+ | * 2. ''[[glossary|itmSUITE]]'' user matched | ||
+ | * 3. Domain user not matched | ||
+ | |||
+ | The column <u>Login(LDAP)</u> allows to match manually the ''[[glossary|itmSUITE]]'' uesrs not matched automatically on domain user (this operation will overwrite current itmSUITE login with domain login). | ||
+ | |||
+ | By click on left checkbox is possible to select which users shall be imported / updated with data from domain. | ||
+ | |||
+ | At click on button '''Next''' a summary table will be visualized. | ||
+ | |||
+ | At click on button '''Next''' will be visualized a filter to select company and role for all the selected users. | ||
+ | |||
+ | At click on button '''Next''' the synchronization process will start: | ||
+ | * 1. Domain user selected but not matched will be created as new ''[[glossary|itmSUITE]]'' user | ||
+ | * 2. ''[[glossary|itmSUITE]]'' user selected and matched will be updated with data from domain | ||
== Schedule Import == | == Schedule Import == | ||
− | Import of domain user scheduling can be managed in MB (Message Bus) module and configured in Action Engine. | + | Import of domain user scheduling can be managed in ''[[glossary|MB]]'' (Message Bus) module and configured in ''[[glossary|Action Engine]]'' . |
− | |||
− | |||
− | + | In ''[[glossary|MB]]'' is possible to schedule a message with type "LDAP Synchronization": check in ''[[glossary|MB]]'' dedicated section for details. | |
− | + | In ''[[glossary|Action Engine]]'' is possible to create and ''[[glossary|action]]'' dedicated to call the "LDAP synchronization" process explained above: check in ''[[glossary|Action Engine]]'' dedicated section for details. |
Versione attuale delle 10:29, 5 feb 2018
Indice
- 1 Configuration of Domain authentication in itmSUITE PMSM 8.X
- 2 Configuration of Single Sign On with Kerberos in itmSUITE PMSM 8.X
- 3 Import domain user in itmSUITE PMSM 8.X
- 4 Configuration of Domain authentication in itmSUITE PMSM 7.X
- 5 Configuration of Single Sign On with NTLM in itmSUITE PMSM 7.X
- 6 Configuration of Single Sign On with Kerberos in itmSUITE PMSM 7.X
- 7 Import domain user in itmSUITE PMSM 7.X
Configuration of Domain authentication in itmSUITE PMSM 8.X
The following configuration will enable the use of domain credentials to login in itmSUITE PMSM as an alternative of local credentials.
In [wildfly installation folder]\standalone\configuration\standalone.xml add the following properties below node <authentication> :
<login-module code="org.jboss.security.auth.spi.PsmLdapLoginModule" flag="sufficient"> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/> <module-option name="java.naming.security.authentication" value="simple"/> <module-option name="java.naming.provider.url" value="ldap://[Domain Controller]:[ldap port]"/> <module-option name="bindDN" value="[Domain]\[Domain User]"/> <module-option name="bindCredential" value="[Password]"/> <module-option name="baseCtxDN" value="[Base DN]"/> <module-option name="searchScope" value="SUBTREE_SCOPE"/> <module-option name="baseFilter" value="(sAMAccountName={0})"/> <module-option name="password-stacking" value="useFirstPass"/> </login-module>
Property | Description | Comment |
---|---|---|
java.naming.provider.url | URL of Domain Controller and ldap port | |
bindDN | User existing in Domain. It shall be inserted in format [user]@[domain].local | |
bindCredential | Password corresponding to above Bind User | |
baseCtxDN | Domain in format "DC=[Domain],DC=[local]" | |
searchScope | TBC | |
baseFilter | TBC |
Configuration of Single Sign On with Kerberos in itmSUITE PMSM 8.X
Prerequisites
- Windows 2003 Server SP2 Server (or higher) with AD controller set
- Windows Server 2003 Support Tools is installed on Windows 2003 server
- Computer with WildFly 10.1.0 is in the domain
- Clocks on computer with Windows Server and on computer with WildFly should be synchronized
Create SPN Account
In Domain Server:
- Go to menu “Start – Administrative Tools – Active Directory Users and Computers” and create new user [spn_user].
Set properties:
"User cannot change password" "Password never expires"
Optionally check following option to enable AES 256 Encryption for Kerberos Ticket
"This account supports Kerberos AES 256 bit encryption"
Example:
User logon name: wildflyuser
Account Options: "User cannot change password" checked "Password never expires" checked "This account supports Kerberos AES 256 bit encryption" checked
- Run setspn commands:
setspn –S HTTP/[appserver] [spn_user] setspn –S HTTP/[appserver.domain.local] [spn_user]
where:
[appserver] – computer name of JBoss machine [domain.local] – domain name [spn_user] – SPN account login (created on previous step)
Example:
setspn –S HTTP/itmsuite_server wildflyuser setspn –S HTTP/itmsuite_server.domain.local wildflyuser
To check if the settings are right run the next command:
setspn –L wildflyuser
Be careful that you do NOT register an SPN to more than one username. A username can have more than one SPN registered but an SPN can only have one username.
Avoid to copy/paste the setspn commands from a text editor to cmd window - it will not work. Is necessary to edit the setspn commands into cmd window.
Create a service.keytab file
There are two possible ways to generate keytab file: using ktpass command of Windows or ktab of JDK package.
Ktpass
Run the following command to configure the Service Principal Mapping:
ktpass -out service.keytab -princ HTTP/[appserver]@[domain].local -pass * -mapuser [DOMAIN]\[spn_user]
Enter the password for the user name, when prompted.
Where:
[appserver] – computer name of WildFly machine [DOMAIN] – domain name [spn_user] – SPN account login (created on previous step)
Example:
ktpass -out service.keytab -princ HTTP/itmsuite_server@domain.local -pass * -mapuser DOMAIN\wildflyuser
This command will modify the login of SPN User into HTTP/[appserver]
Ktab
Run the following command to configure the Service Principal Mapping (from <JAVA_HOME>/bin directory):
ktab -k service.keytab -a HTTP/[appserver]@[domain].local –n 0
Enter the password for the user name, when prompted.
Where:
[appserver] – computer name of WildFly machine; [domain] – domain name
Example:
ktab -k service.keytab -a HTTP/itmsuite_server -n 0
Kerberos authentication is very complicated thing and depends at first from Active Directory configuration, security politics, etc. These two commands will work with default AD settings. In case of there are any modifications in AD (some none-default encryption types for example), these commands must be reviewed in order to add some extra options.
Complete the procedure by following steps:
- 1. Copy file service.keytab to <WILDFLY_HOME>/standalone/configuration
- 2. Replace all variables with actual values in file <WILDFLY_HOME>/standalone/configuration/standalone.xml:
<SERVER> with computer name of WildFly machine <DOMAIN-NAME> with domain name
Tuning of the krb5.conf file
- Copy file Config/JbossHome/standalone/krb5.conf to to <WILDFLY_HOME>/standalone/configuration directory.
- Open file. It contains the next content:
TBC
- change these settings to actual values:
AD.KV4 – replace with actual domain name; cerberos.ad.kv4 – replace with actual AD controller’s computer name (with domain).
Tool to check Kerberos configuration
Klist
Run following command to visualize the Kerberos Tickets on client (PC where browser is running):
Klist
Kinit
Following command will check the Kerberos Ticket requested by client (Application Server). Run it from Application Server (where jboss is installed):
Navigate into [Java]\bin kinit -J-Dsun.security.krb5.debug=true -J-Djava.security.krb5.conf=[Standalone folder]\krb5.conf -k -t [Standalone folder]\service.keytab HTTP/[SPN User]@[Domain].LOCAL
Enabling Kerberos authorization in browser
Enabling Kerberos authorization in Internet Explorer
- 1. Go to menu Internet Options, tab Security and click on "Local Intranet" option.
- 2. Click on Sites button. In opened window make sure that the last three boxes are checked and click on the Advanced button.
Add you domain name into the list of Websites (example: "itmSUITE.local"):
- 3. Back to "Local Intranet" option: click on Custom Level. In opened window activate the next option:
User authentication\Logon\Automatic logon only in Intranet zone
- 4. Go to menu Settings, tab Advanced
Enable option Enable Integrated Windows Authentication.
Enabling Kerberos authorization in Mozilla Firefox
- 1. Type "about:config" in the address bar.
- 2. In the Filter field type the following "network.automatic-ntlm-auth.trusted-uris"
- 3. Double click the name of the preference that we just searched for and enter itmSUITE installation URL (example: "http://intranet.itmsuite.eu" )
Import domain user in itmSUITE PMSM 8.X
TBC
Configuration of Domain authentication in itmSUITE PMSM 7.X
The following configuration will enable the use of domain credentials to login in itmSUITE PMSM as an alternative of local credentials.
Domain connection(s) are managed in General\System\LM Settings with superadmin role.
In tab LDAP Properties is possible to manage a list of domain connection(s). Is possile to define connection(s) related to different domain(s) or to same domain but with different BaseDN.
Field | Description | Comment |
---|---|---|
Configuration Name | The name of current Domain connection | |
Host | Domain server address or host name | |
BaseDN | The domain Distinguished Name | It shall contain the domain name parts separated by ",".
Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local Shall be possible define a precise OU of domain to be considered in connection Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local |
Server Type | Type of domain controller | AD (active Directory) and OpenLDAP are supported |
Active | If checked: the connection is active |
By click on button Add New is possible to add a domain connection by filling the following properties
Field | Description | Comment |
---|---|---|
Configuration Name | Mandatory. The name of current Domain connection | |
Host | Mandatory. Domain server address or host name | |
Server Type | Mandatory. Type of domain controller | AD (active Directory) and OpenLDAP are supported |
BaseDN | Mandatory. The domain Distinguished Name | It shall contain the domain name parts separated by ",".
Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local Shall be possible define a precise OU of domain to be considered in connection Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local |
Bind User | Domain user login | it will be used for current connection |
Bind Password | Domain user password | it will be used for current connection |
Active | If checked: the connection is active | Current connection can't be active until it is not checked |
Sample user's login | Domain user login used for check inserted parameters | |
Sample user's password | Domain user password used for check inserted parameters | |
Checked | If checked: the connection has been verified |
A domain connection shall be activable only after it was checked: use button Check to verify it.
At click on button Check: itmSUITE will send a request to domain with inserted credentials.
If at least 1 connection is active the user with same login on domain could use domain credentials instead of user credentials.
The basic condition to use domain credentials is: domain login shall exists into itmSUITE PMSM database too. To support this basic condition: itmSUITE allows the Domain synchronization with import from LDAP function (see below).
In this case the authentication follows these steps:
- 1. itmSUITE checks if login inserted is existing in its DB, otherwise access is not allowed.
- 2. itmSUITE sends a request with pair login, password to domain controller.
- 3. The domain controller checks if the login inserted is existing in domain and if password is correct.
- 4. If domain controller response is positive: itmSUITE allows access.
- 5. If domain controller response is negative: itmSUITE checks password on its DB and grants access if check is positive, otherwise access is not allowed.
More than one connection to domain(s) can be active at the same time: in this case the above step 2 is executed on each active connection.
Configuration of Single Sign On with NTLM in itmSUITE PMSM 7.X
SSO (Single Sign On) via NTLM and Microsoft AD ( Active Directory ) can be managed in General\System\LM Settings with superadmin role in Tab 'NTLM'.
Field | Description | Comment |
---|---|---|
Active Directory Controller | Domain server address or host name | |
Default Domain | TBC | |
Checked | If checked: the connection has been verified | |
Sample user's login | Domain user login used for check inserted parameters | |
Sample user's password | Domain user password used for check inserted parameters |
Configuration of Single Sign On with Kerberos in itmSUITE PMSM 7.X
Prerequisites:
- Windows 2003 Server SP2 (or next) with AD controller set
- Windows Server Support Tools installed
- Computer with JBoss AS is in the domain
- Clocks on Domain Server and Server with JBoss AS should be synchronized
Create SPN Account
In Domain Server:
- Go to menu “Start – Administrative Tools – Active Directory Users and Computers” and create new user.
Set properties “User cannot change password” “Password never expires”
- Run setspn commands:
setspn –S HTTP/appserver wildflyuser setspn –S HTTP/appserver.domain.local wildflyuser
where: appserver – computer name of JBoss machine; domain.local – domain name; wildflyuser – SPN account login (created on previous step)
To check if the settings are right run the next command: setspn –L service_acc. Avoid to copy/paste the setspn commands from a text editor to cmd window - it will not work. Is necessary to edit the setspn commands into cmd window.
Connect itmSUITE PMSM to Domain through SPN
SSO (Single Sign On) via Kerberos and Microsoft AD ( Active Directory ) can be managed in General\System\LM Settings with superadmin role in Tab 'NTLM2'.
Field | Description | Comment |
---|---|---|
Active Directory Controller | Domain server address or host name | |
SPN user's login | TBC | |
SPN user's password | TBC | |
Checked | If checked: the connection has been verified |
Enabling SS= in browser
Enabling NTLM / Kerberos authorization in Internet Explorer
- 1. Go to menu Internet Options, tab Security and click on "Local Intranet" option.
- 2. Click on Sites button. In opened window make sure that the last three boxes are checked and click on the Advanced button.
Add you domain name into the list of Websites (example: "itmSUITE.local"):
- 3. Back to "Local Intranet" option: click on Custom Level. In opened window activate the next option:
User authentication\Logon\Automatic logon only in Intranet zone
- 5. Go to menu Settings, tab Advanced and enable option Enable Integrated Windows Authentication.
Enabling NTLM on PC with Windows 7 or Vista
- 1. Press Windows button Start, insert "regedit" and click on Ok.
- 2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- 3. Verify the existence of attribute "LmCompatibilityLevel"
- 4. If it not exist create a new DWORD (right click on folder Lsa, click on New and select "Value DWORD (32 bit)"
- 5. Set attribute "LmCompatibilityLevel" with value "1" exadecimal (in details).
- 6. Reboot user PC.
Enabling NTLM / Kerberos authorization in Mozilla Firefox
- 1. Type "about:config" in the address bar.
- 2. In the Filter field type the following "network.automatic-ntlm-auth.trusted-uris"
- 3. Double click the name of the preference that we just searched for and enter itmSUITE installation URL (example: "http://intranet.itmsuite.eu" )
Import domain user in itmSUITE PMSM 7.X
Domain user import can be managed in General\System\Import from LDAP with superadmin role.
The connection parameters can be selected by drop list Use authentication configuration or directly inserted.
Field | Description | Comment |
---|---|---|
Use authentication configuration | Allows to select an existing domain connection | |
Host | Domain server address or host name | |
BaseDN | The domain Distinguished Name | It shall contain the domain name parts separated by ",".
Example: itmSUITE.local shall be inserted as DC=itmSUITE,DC=local Shall be possible define a precise OU of domain to be considered in connection Example: connection to Organizational Unit "TechUser" belongs to domain itmSUITE.local shall be inserted as OU=TechUsers,DC=itmSUITE,DC=local |
Server Type | Type of domain controller | AD (active Directory) and OpenLDAP are supported |
Username Attribute | TBC | |
Bind User | Domain user login | it will be used for current connection |
Bind Password | Domain user password | it will be used for current connection |
Mail Option | This section allows to define how to synchronize the existing domain user mail on itmSUITE user | Add LDAP Mail to user (if not present):
Overwrite itmSUITE mail with LDAP mail: |
Add LDAP Mail to Notification Mail | The mail will be activated on synchronized user notification addresses | |
Add LDAP Mail to Outbound Mail | The mail will be activated on synchronized user message addresses |
At click on button Next will be executed a search in domain matching user by login.
As result will be visualized a table with:
The column Login(LDAP) allows to match manually the itmSUITE uesrs not matched automatically on domain user (this operation will overwrite current itmSUITE login with domain login).
By click on left checkbox is possible to select which users shall be imported / updated with data from domain.
At click on button Next a summary table will be visualized.
At click on button Next will be visualized a filter to select company and role for all the selected users.
At click on button Next the synchronization process will start:
- 1. Domain user selected but not matched will be created as new itmSUITE user
- 2. itmSUITE user selected and matched will be updated with data from domain
Schedule Import
Import of domain user scheduling can be managed in MB (Message Bus) module and configured in Action Engine .
In MB is possible to schedule a message with type "LDAP Synchronization": check in MB dedicated section for details.
In Action Engine is possible to create and action dedicated to call the "LDAP synchronization" process explained above: check in Action Engine dedicated section for details.