Test result with trunk-tcp-20022010

Mar 26, 2010 at 7:40 AM
Edited Mar 26, 2010 at 7:43 AM

Tomcat Server

IP Address 10.0.1.94

# uname -a

SunOS sunsitora2 5.8 Generic_117350-35 sun4u sparc SUNW,Sun-Fire-V240

# /usr/jre/SUNWj6rt/reloc/jdk/instances/jdk1.6.0/bin/java -version

java version "1.6.0_17"

Java(TM) SE Runtime Environment (build 1.6.0_17-b04)

Java HotSpot(TM) Server VM (build 14.3-b01, mixed mode)

# /usr/apache-tomcat-6.0.26/bin/startup.sh

Using CATALINA_BASE:   /usr/apache-tomcat-6.0.26

Using CATALINA_HOME:   /usr/apache-tomcat-6.0.26

Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.26/temp

Using JRE_HOME:        /usr/jre/SUNWj6rt/reloc/jdk/instances/jdk1.6.0

Using CLASSPATH:       /usr/apache-tomcat-6.0.26/bin/bootstrap.jar

# more /usr/apache-tomcat-6.0.26/conf/Catalina/localhost/authbysspiv2.xml

<?xml version='1.0' encoding='utf-8'?>

<Context path="/authbysspiv2" docBase="/usr/apache-tomcat-6.0.26/tomcat6-authbysspiv2/authbysspiv2" >

  <Valve className="fr.doume.v2.authenticator.SSPAuthenticator" />

  <Realm className="fr.doume.v2.realm.WindowsRealm" />

  <Parameter name="serveraddress" value="10.0.10.103" override="false" />

</Context>

# ls /usr/apache-tomcat-6.0.26/tomcat6-authbysspiv2/

authbysspiv2  index.jsp

# ls /usr/apache-tomcat-6.0.26/lib/ | grep frdoumesspitc6v2.jar

frdoumesspitc6v2.jar

----------------------------------------------------------------------------------------------

Nego Server

Microsoft Windows XP [Version 5.1.2600]

Microsoft .NET Framework 2.0 Service Pack 2

IP Address 10.0.10.103

C:\>sc qc negoserver

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: negoserver

        TYPE               : 10  WIN32_OWN_PROCESS

        START_TYPE         : 3   DEMAND_START

        ERROR_CONTROL      : 1   NORMAL

        BINARY_PATH_NAME   : C:\Documents and Settings\Administrator\Desktop\Negoserver\Negoserver.exe negoserver

        LOAD_ORDER_GROUP   :

        TAG                : 0

        DISPLAY_NAME       : negoserver

        DEPENDENCIES       :

        SERVICE_START_NAME : LocalSystem

----------------------------------------------------------------------------------------------

Test Result

1. On a domain member (domain\pc), log on with a domain user (domain\user), browse http://10.0.1.94:8080/authbysspiv2/

"Protected Page for Examples" is returned.

2. On a domain member (domain\pc), log on with a local user (localuser), browse http://10.0.1.94:8080/authbysspiv2/

"HTTP Status 401 - This request requires HTTP authentication ()." is returned.

3. On a workgroup member (pc), log on with a local user (localuser), browse http://10.0.1.94:8080/authbysspiv2/

Log on with a local user (localuser) when prompted: "HTTP Status 401 - This request requires HTTP authentication ()." is returned.

Log on with a domain user (domain\user) with the right password when prompted: "Protected Page for Examples" is returned.

Log on with a domain user (domain\user) with the wrong password when prompted: "HTTP Status 401 - This request requires HTTP authentication ()." is returned.

----------------------------------------------------------------------------------------------

Question

1. Are the test results correct?

2. Would the domain which the PC joined be used to authenticate automatically?

3. If there is more than one domain in the network, how can I specify which domain is used to authenticate?

4. While user name and password are passed through HTTP, would they be transferred in plain text over the network? Is it possible to encrypt it?

----------------------------------------------------------------------------------------------

Thanks a lot for your help!

Coordinator
Mar 26, 2010 at 5:36 PM

Hello,

I suppose that XP with the address 10.0.10.103 is a domain member.

1) The tests are correct.

2) Your users can be in all the domains of the Active Directory forest.

3) You must give your account and password when the navigator is on a workstation which is not a domain member. In this case you can give the User Principal Name. For instance, if your domain is domaina.organization.org and your user name is domig, your UPN would be domig@domaina.organization.org. You can use the Sam Account Name with the domain name, for instance DOMAINA\domig.

4) If your workstation is not a domain member, you must give your username and your password to IE (or Firefox) but they are not sent to the web server. They are used to create a token on the workstation: there is an authentication on the workstation with NTLM.

Dominique

Coordinator
Mar 27, 2010 at 1:07 AM

Hello,

With your configuration, you will use only NTLM. To use Kerberos, the user of your web application must associate your server name with an Active Directory account. In the file configure.txt, you can read the paragraph Configure NegoServer.

If Tomcat is running on Unix,
 1) You must define the address of the Windows server in the file context.xml of your Tomcat application.
    Warning: Your file context.xml is copied into the directory /conf/Catalina/localhost of Tomcat with the name of your application.
    After installation of your application, you must change the parameters in this last file.
 2) Your clients will be authenticated by NTLM.
    If you want to use Kerberos, the DNS name of the Unix server must be associated with the Active Directory account used to run NegoServer.

    For instance, if the name of the Unix server is unixsrv.test.net and
    Negoserver is running on negoserver.test.net with the account SYSTEM or Network Service, you type
    setspn -A HOST/negoserver.test.net TEST\negoserver

    If Negoserver is running with the account TEST\JDubois, you type
    setspn -A HOST/negoserver.test.net TEST\JDubois

    You can find setspn.exe in the support tools of Windows 2003.
 3) If the navigator (IE or Firefox) is running on the same computer as the Windows service Negoserver, the client will not be authenticated.

Dominique

Mar 29, 2010 at 7:55 AM
doumeguerin wrote:

2) Your users can be in all the domains of the Active Directory forest.

Assume forestA contains domainA and domainB. pcA is joined to domainA. Do you mean all the users of domainA and domainB could be authenticated on pcA? Is there any extra setting? Is it possible to restrict it so that only users of domainA can be authenticated on pcA?

doumeguerin wrote:

4) If your workstation is not a domain member, you must give your username and your password to IE (or Firefox) but they are not sent to the web server. They are used to create a token on the workstation: there is an authentication on the workstation with NTLM.

Do you mean the username and password would only be used on pcA locally for token generation? They would not be sent over the network, whether with Kerberos or NTLM.

Coordinator
Mar 29, 2010 at 7:32 PM
Edited Mar 29, 2010 at 7:55 PM

Hello

1) To restrict the authorization to the users of domainA, add the role domainA\Domain Users to the roles of Tomcat in the file web.xml.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

Domain Users:

This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer). To restrict the authorization to the users of domainA, add the role domainA\Domain Users to the roles of Tomcat in the file web.xml. All the users of the forest will be authenticated but only the users of domainA will have the authorizations. The others will have "HTTP Status 403 - Access to the requested resource has been denied".

<security-role>
  <role-name>domainA\Domain Users</role-name>
</security-role>

Give the authorizations to this group but not to users, everyone and utilisateurs:

<auth-constraint>
  <!-- Anyone with one of the listed roles may access this area -->
  <role-name>domainA\Domain Users</role-name>
</auth-constraint>

2) Yes.

You can verify. You can install a proxy on your workstation like Fiddler. You can uncomment the reference to the valve RequestDumper in the file conf/server.xml and read the logs in catalina.log.

<!-- The request dumper valve dumps useful debugging information about
     the request and response data received and sent by Tomcat.
     Documentation at: /docs/config/valve.html -->
<!-- -->
<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
<!-- -->

Remark: There is no prompt when the workstation and the user are members of the forest.

Dominique
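The security-role and auth-constraint fragments from the post above, joined into one complete web.xml constraint. This is an added example, not text from Dominique's post or a file shipped with the project: the web-resource-name and the url-pattern /* are assumptions, and no login-config element is shown because the thread does not say how this authenticator expects it to be set.

```xml
<!-- web.xml excerpt (added example). Everyone in the forest can authenticate,
     but only members of domainA's Domain Users group are authorized: anyone
     else gets HTTP Status 403 rather than 401. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>   <!-- assumed name -->
    <url-pattern>/*</url-pattern>                           <!-- assumed: whole application -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>domainA\Domain Users</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>domainA\Domain Users</role-name>
</security-role>
```

The distinction to check during testing is the status code: a forest user outside domainA authenticates and is then refused with 403, whereas a failed or absent logon still produces the 401 seen in the test results at the top of the thread.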


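A way to check the two things Dominique states once the RequestDumper valve or Fiddler has captured the headers: whether the client negotiated NTLM (what the thread's current configuration yields) or Kerberos (after the setspn step), and that no password travels in the Authorization header. This is an added example, not code from the thread or the project. The sample header values are constructed inside the block, the DER encoder exists only to build them, and the bytes inside the Kerberos sample are a placeholder string rather than a real KRB_AP_REQ.

```python
import base64

# Well-known GSS-API mechanism OIDs (RFC 4178, RFC 4121, MS-SPNG), used for labels.
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5_OID, NTLMSSP_OID = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "Kerberos V5 (MS legacy OID)", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                 # first 8 bytes of every raw NTLM message

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                    # iterate the TLVs packed in buf[start:end]
    while start < end:
        tag, vs, ve = _read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def _decode_oid(raw):                              # OID content bytes -> dotted form
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, value = parts + [str(value)], 0
    return ".".join(parts)

def classify_token(token):
    """Name the mechanism carried by a decoded Negotiate/NTLM token (first leg only)."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return {"mechanism": "NTLM", "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    if token[:1] != b"\x60":                       # not a GSS-API InitialContextToken
        return {"mechanism": "unrecognised token"}
    _, s, _ = _read_tlv(token, 0)
    _, os_, oe = _read_tlv(token, s)               # thisMech OID
    this_mech = _decode_oid(token[os_:oe])
    if this_mech != SPNEGO_OID:                    # raw Kerberos (or other) GSS token
        return {"mechanism": OID_NAMES.get(this_mech, this_mech)}
    mechs, inner = [], b""                         # NegTokenInit: SEQUENCE { [0] mechTypes, ..., [2] mechToken }
    _, s, e = _read_tlv(token, _read_tlv(token, oe)[1])
    for t, vs, ve in _children(token, s, e):
        if t == 0xA0:                              # mechTypes: SEQUENCE OF OID, preferred first
            _, ls, le = _read_tlv(token, vs)
            mechs = [_decode_oid(token[a:b]) for c, a, b in _children(token, ls, le) if c == 0x06]
        elif t == 0xA2:                            # mechToken: OCTET STRING with the optimistic token
            _, a, b = _read_tlv(token, vs)
            inner = token[a:b]
    oid = mechs[0] if mechs else None
    chosen = "NTLM" if inner.startswith(NTLMSSP_SIGNATURE) else OID_NAMES.get(oid, oid or "none")
    return {"mechanism": f"SPNEGO -> {chosen}", "mech_types": [OID_NAMES.get(m, m) for m in mechs]}

def classify_authorization(header_value):
    """Classify one captured HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "basic":                  # base64 only: the password itself is on the wire
        creds = base64.b64decode(blob).decode("latin-1")
        return {"scheme": scheme, "mechanism": "cleartext password",
                "user": creds.split(":", 1)[0], "password_on_wire": True}
    if scheme.lower() in ("negotiate", "ntlm"):    # ticket or challenge-response, never the password
        info = classify_token(base64.b64decode(blob))
        info.update(scheme=scheme, password_on_wire=False)
        return info
    return {"scheme": scheme, "mechanism": "unknown", "password_on_wire": None}

# --- Constructed samples (DER built here, not captured from the thread's servers) ---
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytes([p[0] * 40 + p[1]])
    for arc in p[2:]:
        enc = [arc & 0x7F]
        while arc := arc >> 7:
            enc.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(enc))
    return _der(0x06, body)

def _spnego_init(mechs, mech_token):
    mech_list = _der(0xA0, _der(0x30, b"".join(_oid(m) for m in mechs)))
    neg_init = _der(0x30, mech_list + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, neg_init))

NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(16)
FAKE_KRB5 = _der(0x60, _oid(KRB5_OID) + b"\x01\x00" + b"<placeholder, not a real KRB_AP_REQ>")
SAMPLE_HEADERS = {   # NTLM-only (what this thread's setup yields) versus a Kerberos-first negotiation
    "ntlm_raw": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    "spnego_ntlm": "Negotiate " + base64.b64encode(_spnego_init([NTLMSSP_OID], NTLM_TYPE1)).decode(),
    "spnego_kerberos": "Negotiate " + base64.b64encode(
        _spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_KRB5)).decode(),
    "basic": "Basic " + base64.b64encode(b"DOMAINA\\domig:Passw0rd").decode(),
}
```

Paste the value of a captured `Authorization:` line into classify_authorization. A raw NTLMSSP blob, or SPNEGO whose optimistic mechToken starts with NTLMSSP, means the client fell back to NTLM and the SPN registration was not picked up; a Kerberos OID first in mech_types confirms the setspn step worked. Only Basic ever carries the password, which is the answer to question 4 in the first post. NTLM still sends a challenge-response that is weaker than a Kerberos ticket, so the mechanism is worth confirming even though the password is absent either way.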
Mar 30, 2010 at 4:49 AM

Thanks Dominique! I will let you know if there are further questions after testing.

Hope there is a pure *NIX version with more options in the near future.


Thanks a lot!

Coordinator
Mar 30, 2010 at 11:33 AM
Edited Mar 30, 2010 at 11:37 AM

Hello,

I have an old version, only in java via GSS-API, without a dll, without a service on Windows. You can download the files frinseespstgss.jar and gssapi.txt. The configuration is not simple, but it works. If it is interesting, I could add the files to the zip file.

Dominique


Coordinator
Apr 21, 2010 at 6:22 AM

I give the version with GSS-API (trunk-gssapi) and remove the two files frinseespstgss.jar and gssapi.txt.

Dominique