How To
Summary
How to Setup Single Sign-On (SSO) for HTTP requests using SPNEGO authentication in WebSphere Application Server
Objective
Objectives
SPNEGO - Simple and Protected GSS-API Negotiation
SPNEGO is a protocol that is specified in RFC 2478 and is defined by Microsoft for exchanging credentials from a client to a web server over HTTP.
Microsoft Windows desktop users are allowed to access applications hosted on the WebSphere Application Server without having to authenticate (Single sign-on capability).
Mechanism
A user who is authenticated to Windows, obtaining Active Directory credentials opens a browser and accesses a web application that is deployed on a WebSphere Application Server, which supports SPNEGO.
Web authentication is a server-side solution in the WebSphere Application Server. Client-side applications are responsible for generating the SPNEGO token for use by SPNEGO web authentication. The following token details are provided based on the Microsoft blog post. https://docs.microsoft.com/en-us/previous-versions/ms995330(v=msdn.10)?redirectedfrom=MSDN
The previously mentioned diagram places SPNEGO as the topmost level as it is a collection of abstraction layers that ultimately end in Kerberos tickets. The binary layout of the tokens is built by using ASN.1 Distinguished Encoding Rules (DER). SPNEGO tokens wrap mechanism-specific data as follows:
1. SPNEGO
2. GSS-API
3. Kerberos version 5 GSS-API Mechanism
4. Kerberos version 5
Kerberos
What is the difference between Kerberos and SPNEGO, and how are these services used in the WebSphere Application Server?
Environment
How Does SPNEGO Works in the WebSphere Application Server?
This section highlights the essential parts of the SPNEGO authentication process flow. It explains how Microsoft and IBM components are involved in the SPNEGO SSO flow.
In this scenario, a user authenticates to Windows (obtaining Active Directory credentials) by using a web browser client that invokes a web application deployed on a WebSphere server that supports SPNEGO. The sequence of steps for SSO communication is as follows:
1. After the user logs in to the Windows Domain from their workstation (PC/Laptop), the user attempts to access the secured web resources by using a browser with a URL. For Example, http://ramlinux1.fyre.ibm.com:9080/snoop, that is, the browser sends an HTTP request to WebSphere Application Server
2. WebSphere Application Server receives the HTTP request from the Client (Windows Client).
3 & 4. WebSphere Application Server performs a DNS lookup as an HTTP request comes in. The WebSphere Application Server SPNEGO filter determines whether or not to intercept the request and respond with an HTTP challenge-response (HTTP 401) containing an "Authenticate: Negotiate" header.
Note: All of the activity from step 5 through step 11 involves communication outside of WAS/Java, between the Microsoft client PC and the KDC server. WAS/Java has no control input into or control over these steps
5. The client recognizes the Negotiate header because it is configured to support "Integrated Windows Authentication."
5a. The browser issues a DNS lookup for the hostname server1.rtp.raleigh.ibm.com; If the DNS server returns an A-record with the IP address for server1.rtp.raleigh.ibm.com it is considered to be the canonical DNS name of the WebSphere Application Server instance. However, if the DNS server replies with a CNAME (DNS alias) record for server1.rtp.raleigh.ibm.com and then resolves the alias to an A-record with a different hostname, server2.rtp.raleigh.ibm.com, then this second hostname is considered to be the canonical DNS name of the WebSphere Application Server instance.
Understanding A-Record and CNAME as follows
An A-record is used if you manage what IP addresses are assigned to a particular workstation or if a static IP is used.
A Canonical Name, or CNAME, the record is used if you want to map one domain name (an alias) to another (the canonical name).
7. The client requests a Ticket Granting Ticket (TGT) from the Kerberos Authentication Service (AS) as_request (AS_REQ) where the client PC tells the KDC server "Hi, I am "myuser" can I have a ticket for getting tickets?"
8. The client receives a TGT. as_reply (AS_REP). KDC provides an example, "Here's a ticket-granting ticket", encrypted with "myuser" secret key.
9. The client requests a service ticket from the Kerberos Ticket Granting Service (TGS) (tgs_request (TGS_REQ). Again, the client computer asks the KDC server, "Here is my TGT, could I have a ticket for the requested service that is HTTP/ramlinux1.fyre.ibm.com @WASSEC-L2.LOCAL?"
A service ticket is encrypted with the server's key, with the encryption type AES256 in the TGS) for the SPN, for example, HTTP/ramlinux1.fyre.ibm.com @WASSEC-L2.LOCAL The client constructs the SPN by parsing the requested URL for the protocol and the hostname, and uses the client's own domain name as the Kerberos Security Realm: <protocol>/<host's FQDN>@<Client's Kerberos Security Realm>
10. The client receives the service ticket. The ticket is encrypted by using a private key. The private key is a key constructed from the hash of the user account's password for the account associated with the SPN. Tickets contain a copy of the session key and some metadata, all encrypted with the service’s secret. Likewise, the user’s copy of the session key is encrypted using the password. The tgs_reply (TGS_REP) contains the ticket that is sent to WebSphere Application Server. Here you can see the client name (the user that logged on to the client), which is myuser@AUSTIN.IBM.COM
11. The client (Browser/PC) resends the original request for the secured resource. The request headers now contain "Authorization: Negotiate <base64 encoding>" (for example, Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>). This time, the username is contained in the encrypted Kerberos service ticket, encapsulated in an SPNEGO token (SPNEGO token is a container of authentication method ids/tokens) passed via an HTTP Authorization header.
12. WebSphere Application Server sees the HTTP Authorization header with the SPNEGO token (Authorization: Negotiate YIIGUQY). This SPNEGO token is a wrapper of the Windows Kerberos token. Windows includes the PAC information of the user in the Kerberos token. WebSphere Application Server extracts the token that uses the IBM Java Generic Security Service (JGSS) AP, and uses the keytab to decrypt (this process validates that it must come from the TGS) the SPNEGO token to retrieve the username, and this username is asserted to the server. You can map the username to a principal that is meaningful in the server's registry.
13. The server's security system validates the user against its security registry and obtains other security information about the user. The user is logged in to the server.
14. The server caches this user security information in an in-memory object known as a Java Subject to avoid further authentication challenges. Specifically, on WebSphere Application Server, the GSS delegation credential is retrieved and placed in the client Subject, and a Lightweight Third-Party Authentication (LTPA) security token is created.
15. The server sends the content back to the user together with the LTPA token as a cookie. This cookie enables subsequent requests to the same WebSphere SSO domain to be sent without a reauthentication needing to occur.
a. If the user is authorized to access the resource, the response is an HTTP 200 response, and the requested resource is served.
b. If not, an "HTTP 403 Not Authorized" response is sent to the client.
SPNEGO Checklist
Before you configure SPNEGO, ensure that you have the following items available:
- A Microsoft Windows Server with Active Directory Domain controller configured as Kerberos Key Distribution Center (KDC) server.
- Windows Client to access the Application hosted on WebSphere Application Server. This client can be a Microsoft Windows domain member that has a user who can log in into a Windows domain (KDC Server) and this client can have a browser (Internet Explorer, Firefox, Chrome, and so on) or a Microsoft .NET client, that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478.
- Server-side WebSphere Application Server full profiles that are configured with application security and administrative security to use Active Directory (LDAP).
- An application hosted on WebSphere Application Server that has JEE-protected resources. The users on the Active Directory (LDAP) must access the application by using an existing WebSphere Application Server authentication mechanism such as a form or basic authentication login.
- Ensure that the clocks on all three machines (Client, WebSphere Application Server, and KDC) are synchronized (within five minutes).
- If you want to use AES256 for the encryption type, you must use the Java Unrestricted JDK policy files.
Steps
High-Level Steps for SPNEGO configuration
|
Step 1. Set up Active Directory users and Map the service principal name (SPN). Step 2. Configure LDAP user registry on WebSphere Application Server. Step 3. Deploy the sample application DefaultApplication(snoop) on WebSphere Application Server. Step 4. Set up Kerberos configuration file on WebSphere Application Server. Step 5. Enable SPNEGO authentication on WebSphere Application Server. Step 6. Configure Microsoft Edge and Firefox browser on Client Workstation. Step 7. Test the snoop application to validate the spnego on the Client Workstation. |
1. Set up Active Directory users and Map the service principal name (SPN).
Log on to the Active Directory Domain Controller Server (KDC server) with administrative level user name and password and then create a service account to map the SPN in Active Directory.
Create a user account for WebSphere Application Server in Microsoft Active Directory (KDC server). This account is eventually mapped to the Kerberos service principal name (SPN). This user account represents the WebSphere Application Server as being a "Kerberize'd" service with the KDC. Make sure select the password never expires, and the User cannot change the password. By preventing the password from expiring, you avoid having to re-create the keytab file after the password is changed.
Note: The following username and domain name are demonstrated as an example.
If you want to use higher encryption keys, check the option “This account support AES 256 encryptions” in user properties.
Create a service principal name (SPN) and Map the service principal name to the account that you created on the AD server. So In this example, the Active Directory user is spnmapuser, and it is associated with service name HTTP/ by running the ktpass command on the domain controller.
Always use the latest version of the ktpass for the right Windows version.
The realm name is all uppercases of the MS Active Directory domain name.
SPN is the Kerberos service principal name. The hostname specified in the SPN needs to match with the hostname of the URL that you are trying to do SSO, which means it could be your Webserver or VIP or WebSphere Application Server depends on your scenario.
Generate the keytab file by using the Microsoft ktpass command on Active Directory Domain Controller Server (KDC server)
ktpass -princ hostname_of_web_site@ACTIVE_DIRECTORY_DOMAIN_NAME -ptype KRB5_NT_PRINCIPAL -mapuser SPNMAPuser -mapOp set -pass your_spnmapuser_password -out full_path_to_keytab_file -crypto cipher +DumpSalt
Create the Kerberos keytab file and make it available to the WebSphere Application Server instance. Use the ktpass tool to create the Kerberos keytab file. Example ktpass command on KDC server to generate the keytab
Example command:
hostname_of_web_site = mywebsitehost.rtp.raleigh.ibm.com
ACTIVE_DIRECTORY_DOMAIN_NAME = AUSTIN.IBM.COM
mapUser = The keytab is linked to AD account spnmapuser
mapOp set = Links the SPN to the AD account
your_spnumapser_password = Existing password that used by this account spnmapuser
-ptype KRB5_NT_PRINCIPAL = Principle type is Kerberos version 5
cipher = encryption type AES256-SHA1 that you want to use by Kerberos client
DumpSalt = Displays the MIT SALT generating the keytab, and it illustrates how ktpass hash the password
ktpass -princ HTTP/ramlinux1.fyre.ibm.com@WASSEC-L2.LOCAL -ptype KRB5_NT_PRINCIPAL -mapUser spnmapuser -mapOp set -pass Passw0rd@$# -out c:\was-keytab\WASServer.keytab -crypto AES256-SHA1 +DumpSalt
By default, "User Logon Name == samaccountname" In the previously mentioned command -mapOp set Flush other Service Principal Names/User logon names that are associated with the user and set the one provided by -princ.
Important: Make sure that you do not have the same service principal names (SPNs) mapping to more than one user account in Active Directory Server (KDC). If you map the same SPN to more than one user account, then the web browser client can send will use an NTLM token instead of an SPNEGO token to WebSphere Application Server. WebSphere Application Server doesn't support NTLM token.
Copy keytab from KDC server (Microsoft AD Domain Name) to the WebSphere Application Server instance
For more information, see (NOTE: Link is external to IBM):
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
If your Microsoft setspn command version supports the -X option to search for a duplicated SPN, use setspn -X to check the entire Domain.
2. Configure LDAP user registry on WebSphere Application Server.
The following demonstration is given on how to configure WebSphere Application Server to use a stand-alone LDAP user registry.
Important: If you don't want to configure the WebSphere Application Server user registry to be LDAP (Microsoft Active Directory), then you need to make sure that the user ID existing with any user registry (such as custom user registry or other LDAP servers) or you need to create a customer-specific custom code, typically in the form of a LoginModule. The mechanics of these LoginModules are beyond the IBM support scope. For more information on building your own custom login module to perform any custom mapping of a client Kerberos principal name to the WebSphere user registry identity, you can refer to the following link:
Mapping of a client Kerberos principal name to the WebSphere user registry ID
Note: It is recommended to set up the Microsoft Active Directory LDAP in a WebSphere Federated Repository. If you need further instructions on how to configure an LDAP Federated Repository for WebSphere, you can refer to the following IBM support TV link:
How do I add an LDAP to the WebSphere federated repository setup
https://www.youtube.com/watch?v=1g3zOX6o1dw
1. Open the administrative console.
Type http://localhost:port_number/ibm/console to access the administrative console in a web browser.
Port 9060 is the default port number for accessing the administrative console.
2. Click Security > Global security; in the security page, under the User Account repository down section > Select the Standalone LDAP registry from Available realm definitions, as shown in the following example
3. Click Configure > Under General properties where you can configure all the appropriate settings to configure WebSphere Application Server to use an LDAP repository.
You need the following items from your LDAP team
1. Primary Administrative username (LDAP user)
2. LDAP hostname
3. LDAP port
4. Base distinguished Name (DN)
5. Bind distinguished name (DN)
6. Bind password
7. If you are not using default filters, then you need to ask your LDAP admin about custom filter details for users and groups.
Once the required fields are completed, click Apply. Then, click Save when prompted with the following message:
Navigate back to the previous Global security page and select Standalone LDAP registry from the Available realm definition and click Set as a current button, and ensure that application security is enabled.
Click Apply. Then, click Save when prompted with the following message:
Restart all WebSphere Application Server profiles such as the DMGR, node agents, and all application servers.
Install the WebSphere Application Server Default Application (snoop)
1. Open the administrative console.
Type http://localhost:port_number/ibm/console to access the administrative console in a web browser.
Port 9060 is the default port number for accessing the administrative console.
2.Click Applications > New Application > New Enterprise Application
3. Click the Browse button under Remote file system > click your Nodename > click Appserver > click installableApps
4. Click Next. On the "Preparing for the application installation" page, ensure that Fast Path (default) is chosen for "How do you want to install the application?"
5. Click Map modules to servers page, select the Default Web Application, and then select your application server click Apply and Next.
6. Click the Summary link and Click Finish to save the changes to the master configuration
7. Once it is deployed, check Click Applications > Application Types > WebSphere enterprise applications. The new application, DefaultApplication, is stopped. To start the application, select DefaultApplication.ear, and then click start.
8. Make sure you sync all nodes with dmgr. Click System Administration Nodes > Select the Node for the server, and then click Synchronize.
Make sure to test the Snoop application without spnego SSO configuration. Snoop servlet requests a basic auth prompt for login where you can manually enter your LDAP username and password.
4. Set up Kerberos configuration file on WebSphere Application Server.
Enter the command wsadmin to start the wsadmin tool. If prompted, enter the username and password for your WebSphere Application Server Administrator username.
Enter the following wsadmin command to create the Kerberos configuration file
$AdminTask createKrbConfigFile {-krbPath <path to config file with filename> -realm <KERBEROS REALM> -kdcHost <Active Directory hostname> -dns <DNS domain> -keytabPath <keytab filename>}
encryption: This parameter identifies the list of supported encryption types, separated by a pipe character. The default value is des-cbc-md5 and rc4-hmac. If you want to use AES256 or AES128, then you pass the argument encryption type in the wsadmin command. More details are given in the following example
DNS: A list of default domain name services DNS, separated by a pipe character that is used to produce a fully qualified hostname. The first one in the list is the default domain name service. More details are given in the following example
For example, if you are using web application URL https://ramlinux1.fyre.ibm.com/myapp, then your DNS name <DNS domain> is fyre.ibm.com, and your KDC Realm name (KERBEROS REALM) is WASSEC-L2.LOCAL (Microsoft AD Domain Name). In this case, you are mapping the DNS for the URL with the KDC realm name (Microsoft AD Domain Name)
realm: realm name is all UPPERCASE (WASSEC-L2.LOCAL) of the Microsoft AD Domain Name
Ensure that the keytab file location matches with the location defined in the krb5.ini or .conf file and that the KDC server (MSAD) hostname entry resolves successfully
WASSEC-L2.LOCAL
For more information, see:
Creating a Kerberos configuration file
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=server-creating-kerberos-configuration-file
Sample of Kerberos Configuration file Krb5.ini & Krb5.conf
From a command line, navigate to the bin directory for the Deployment Manager, cd to /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
Use the wsadmin command utility to create a krb5.ini/krb5.conf file
Note: Copy keytab from KDC server to the WebSphere Application Server system to the same directory path where the krb5 file exists. If you have multiple nodes within the cell, then you can copy the krb5.ini or Krb5.conf under the same directory path (example path: /spnego) so that all node servers to the same location where they can access this file.
$AdminTask createKrbConfigFile {-krbPath /spnego/krb5.conf -realm WASSEC-L2.LOCAL -kdcHost waskdc1.fyre.ibm.com -dns fyre.ibm.com -encryption aes256-cts-hmac-sha1-96 -keytabPath /spnego/WASServer.keytab}
Use Java klist –k command to view the keytab file content
On the WebSphere Application Server instance, you can verify that the Kerberos keytab file is valid with the correct encryption by using the following command, and it returns your spn's list and encryption types on your keytab.
<WAS_JAVA_HOME>/jre/bin/java com.ibm.security.krb5.internal.tools.Klist -e –k <keytab file>
Example shows an example of the correct output and Sample Klist output
cd /opt/IBM/WebSphere/AppServer/java/8.0/jre/bin and run the following command.
./java com.ibm.security.krb5.internal.tools.Klist -e –k -K /spnego/WASServer.keytab
5. Enable SPNEGO authentication on WebSphere Application Server.
1. Open the administrative console.
Type http://localhost:port_number/ibm/console to access the administrative console in a web browser.
Port 9060 is the default port number for accessing the administrative console.
Note: Don’t click Kerberos configuration. You don’t need Kerberos configuration for spnego authentication configuration. Kerberos authentication is required only when your application making a Kerberos call. In essence, WebSphere communicates directly with the KDC server to get the Kerberos token for your application login.
By convention, a Kerberos service principal name (SPN) is divided into three parts: the primary, the instance, and the Kerberos realm name. The SPNEGO service name must be HTTP, so the Kerberos service principal name for SPNEGO web is HTTP/<fully qualified host name>@KERBEROS_REALM. The SPN is used to validate the incoming SPNEGO token and to establish a security context with a requester.
Enter a fully qualified hostname in the hostname field. The hostname must part of your SPN that exists under your keytab file. In our example spn hostname is ramlinux1.fyre.ibm.com.
Enter Kerberos realm name field, and you must define it in uppercase letters. In our example, Kerberos realm is WASSEC-l2.LOCAL
Select Trim Kerberos realm from principal name option
Important: If there is no alias configured, ensure that the "Use the alias hostname for the application server" option is not selected. The application server performs a DNS lookup as an HTTP request comes in, and if the alias hostname is resolved as a hostname that is already configured for SPNEGO single sign-on (SPN in keytab and Spnego filter), the application server continues to process it.
Enter the Kerberos configuration file name with its full path, or click Browse to locate it. Our example path is /spnego/krb5.conf. The Keytab path is automatically read from this Kerberos configuration file /spnego/krb5.conf
Important:- If you have multiple nodes within the cell then, you need to copy the krb5.conf or WASServer.keytab under the same directory path (In our example path: /spnego) so that all node servers to the same location where it can access this file.
Note: If you don't define krb5 conf location in spnego web authentication configuration, then WebSphere runtime code searches for the Kerberos configuration files in the order as follows
- The file referenced by the system property java.security.krb4.conf
- Windows looks for c:\winnt\krb5.ini
- Unix looks for /etc/krb5.conf
Make sure Full synchronization of the node with dmgr.
For more information, see
Enabling and configuring SPNEGO web authentication using the administrative console
https://www.ibm.com/docs/en/was/9.0.5?topic=csshruswa-enabling-configuring-spnego-web-authentication-using-administrative-console
6. Configure Microsoft Edge and Firefox browser on Client Workstation.
Make sure the client workstation is part of a window domain for which SSO is defined. In the following example, the client workstation mypc1.fyre.ibm.com is a member of the domain controller WASSEC-l2.LOCAL. Log on to the Windows Desktop with a user name from the domain. In the following example domain user is "myuser".
Note: Internet Explorer, Microsoft Edge, and Google Chrome Browser use the same settings as described in the following section:
On the Client Workstation, open the Control Panel.
Click Network and Internet. Click or double-click the Internet Options icon.
Under the internet Internet Properties window, click the Security tab.
Select the Local site's entry and click the Sites button.
Click Advanced and Enter the website in the Add this website to the zone text field. Click the Add button, then click OK to save.
Close the browser and start the browser.
Configure Mozilla or Firefox browser to use SPNEGO authentication
Open the browser.
At the address field, type about: config
In the filter, type network.n
Double-click network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser.
Enter a comma-delimited list of trusted domains or URLs. For example, https://ramlinux1.fyre.ibm.com
Close the browser and start the browser.
7. Test the snoop application to validate the spnego on the Client Workstation.
Make sure you are logged in to the Windows AD domain from your client workstation, start your browser (IE, Chrome, or Firefox), and attempt to access the snoop servlet, by using the fully qualified hostname of the server (Example: https://ramlinux1.fyre.ibm.com:9443/snoop). It automatically logs in to your snoop URL without any authentication challenge.
In the snoop page with your window domain login user, the Authorization Header with spnego token details starts with YII and User principal name.
Useful link as follows
Single sign-on for HTTP requests using SPNEGO web authentication
SPNEGO Web authentication filter values
https://www.ibm.com/docs/en/was/9.0.5?topic=console-spnego-web-authentication-filter-values
Configuring the client browser to use SPNEGO
https://www.ibm.com/docs/en/was/9.0.5?topic=authentication-configuring-client-browser-use-spnego
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
01 November 2021
UID
ibm16431271