tutorial:adm:sso_ad_domain, revision 2020/01/13 12:01 by doischert (previous revision 2018/09/10 08:07 by fiserp, section Troubleshooting)
====== SSO to AD domain ======
CzechIdM supports Single Sign-On for users of an AD domain. The mechanism relies on a web server in front of CzechIdM which performs the Kerberos (SPNEGO) authentication and passes the login of the authenticated user to CzechIdM in an HTTP header; CzechIdM reads this header and logs the user in automatically.

If the user is the Application Admin (e.g. has the role superAdminRole assigned),

This tutorial shows how to configure an Apache web server and enable SSO in CzechIdM.

<note important>

During the tutorial, we use the name of the AD domain ''
===== AD - configure a new service =====

A new service (service principal name, SPN) for CzechIdM must be registered in AD and linked to a specific user account. We recommend a dedicated user per service: linking several services to one user is theoretically possible, but registering one SPN on several users breaks Kerberos authentication, because the KDC can no longer tell which account's key the service ticket has to be encrypted with.

Create a new AD user (no special privileges required), e.g. "

Choose the name of the service: ''

In AD domain controller, start the CMD and generate the keytab:
<code>
ktpass -out idm.company.keytab -princ HTTP/
</code>
The command will prompt for a password. ktpass normally sets this password on the service user's account as well, so running it again changes the account's key and increments its key version number (KVNO), which invalidates every keytab generated earlier. The keytab contains the key derived from this password, so treat the file as a credential.

Download the generated file idm.company.keytab,

===== Configure Apache httpd - Linux =====

We expect that Apache is installed according to the [[tutorial:

Install mod_auth_kerb:
<code bash>
yum install mod_auth_kerb
</code>

Put the file ''
<code bash>
mkdir /
chmod 755 /
mv idm.company.keytab /
chown apache:
chmod 600 /
</code>
The keytab must be readable only by the user Apache runs as (hence ''chmod 600''); anyone who can read it can impersonate the service and decrypt the tickets users present to it.

Configure Kerberos realm in ''/
<code>
[logging]

 kdc = FILE:/


[libdefaults]






[realms]

 kdc = dc.company.cz
 admin_server = dc.company.cz
 }

[domain_realm]


</code>

Check that the keytab works (''kinit -k -t'' obtains a TGT for the service principal with the key stored in the keytab, without asking for a password):
<code bash>
yum install krb5-workstation
kinit -k -t /
klist -e
</code>

Edit proxy settings in the ''/
<code>
change this:
ProxyPass / ajp://
ProxyPassReverse / ajp://

to this:
ProxyPass /idm/ ajp://
ProxyPassReverse /idm/ ajp://
</code>

Add the Kerberos configuration and set the ''
<code>
<
AuthName "
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms COMPANY.CZ
KrbServiceName HTTP/
Krb5KeyTab /
require valid-user
</

<
Satisfy Any
</
</code>
This configuration enables **Negotiate** (users logged in to a domain computer are authenticated automatically; the browser must be allowed to do this, see below) as well as **Basic Auth** (a user who is not logged in to a domain computer is first prompted for username and password with the message "

With Basic Auth the browser sends the user's AD password to Apache in every request, so this fallback must only ever be exposed over HTTPS; set ''KrbMethodK5Passwd Off'' if the password fallback is not wanted. Note also that ''require valid-user'' admits every account of the realm that can obtain a ticket; restricting who may actually use IdM is done on the IdM side, where the identity must exist.

Restart httpd service:
<code bash>
systemctl restart httpd
</code>

===== Enable authentication in browsers =====

Sending of Kerberos tickets (the Negotiate method) must be enabled in the browsers, otherwise the automatic authentication wouldn'

**Internet Explorer**:
  * Internet Options - Security - Trusted Sites - add https://
  * FIXME is this necessary as well?: Internet Options - Security - Local Intranet Zone - Custom - User Authentication - Logon - Automatic logon with current user name and password
  * IE setup for Automatic logon:
{{ :

<note tip>
Internet Explorer doesn'
</note>

**Mozilla Firefox**:
  * go to about:
  * network.negotiate-auth.trusted-uris - add https://

For more information about browsers see https://

===== Enable SSO in CzechIdM =====

SSO must be enabled in the IdM configuration. Set the following in the ''
<code>
idm.sec.core.authentication-filter.core-sso-authentication-filter.enabled=true
idm.sec.core.authentication-filter.core-sso-authentication-filter.header-name=REMOTE_USER
idm.sec.core.authentication-filter.core-sso-authentication-filter.uid-suffixes=@COMPANY.CZ
</code>
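
As an added illustration (not CzechIdM's own code), the following Python model shows what a header-based SSO filter configured with the three properties above has to do: honour the header only for requests that came through the Kerberos-authenticating proxy, look the header up case-insensitively, strip the listed ''uid-suffixes'' to obtain the IdM username, and refuse principals from realms that are not listed. The sample requests, the user names and the ''from_trusted_proxy'' flag standing in for "this request arrived through Apache" are assumptions of the model; whether CzechIdM itself treats unknown realms this way is not stated on this page.

```python
"""Model of a header-based SSO filter (added example, not CzechIdM code).

It mirrors the three properties above: the filter is enabled, it reads the
header named REMOTE_USER, and it strips the listed uid suffix (@COMPANY.CZ,
the Kerberos realm mod_auth_kerb appends to the user name) to obtain the
IdM username. How CzechIdM decides that a request came through the proxy
is not described on this page; here that decision is a plain flag, which
is an assumption of this model.
"""
from dataclasses import dataclass
from typing import List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class SsoFilterConfig:
    enabled: bool = True
    header_name: str = "REMOTE_USER"
    uid_suffixes: Tuple[str, ...] = ("@COMPANY.CZ",)


def header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def strip_uid_suffix(principal: str, suffixes: Tuple[str, ...]) -> Optional[str]:
    """Turn 'user@REALM' into 'user' for a listed realm.

    The realm in the ticket is upper case (COMPANY.CZ); the comparison is
    case-insensitive so a differently cased configuration value still works.
    A principal from a realm that is not listed is not mapped at all (model
    assumption): it would otherwise become a username containing '@'.
    """
    for suffix in suffixes:
        if principal.lower().endswith(suffix.lower()):
            user = principal[: len(principal) - len(suffix)]
            return user or None
    return None


def resolve_sso_username(headers: Mapping[str, str], from_trusted_proxy: bool,
                         cfg: SsoFilterConfig = SsoFilterConfig()) -> Optional[str]:
    """Username to log in automatically, or None (fall back to normal login).

    The header is honoured only for requests that arrived through the proxy
    that performed the Kerberos authentication. A request that reached the
    application server directly can carry any REMOTE_USER value the client
    chose, so it must never be trusted.
    """
    if not cfg.enabled or not from_trusted_proxy:
        return None
    raw = header_value(headers, cfg.header_name)
    if raw is None or not raw.strip():
        return None
    return strip_uid_suffix(raw.strip(), cfg.uid_suffixes)


# Constructed requests: (description, headers, arrived through the proxy?)
SAMPLE_REQUESTS = [
    ("domain user through Apache", {"REMOTE_USER": "jnovak@COMPANY.CZ"}, True),
    ("same, lower-case header name and realm", {"remote_user": "jnovak@company.cz"}, True),
    ("forged header sent straight to the app server", {"REMOTE_USER": "admin@COMPANY.CZ"}, False),
    ("principal from a realm that is not listed", {"REMOTE_USER": "attacker@OTHER.CZ"}, True),
    ("realm only, empty user part", {"REMOTE_USER": "@COMPANY.CZ"}, True),
    ("no header set (Apache did not authenticate)", {}, True),
]


def run_samples(cfg: SsoFilterConfig = SsoFilterConfig()) -> List[Optional[str]]:
    """Resolve every sample request; None means no automatic login."""
    return [resolve_sso_username(headers, via_proxy, cfg)
            for _, headers, via_proxy in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (desc, _, _), user in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{desc:48s} -> {user!r}")
```

Only the first two sample requests yield a username; the forged header, the foreign realm, the empty user part and the missing header all fall back to the normal login page, which is the behaviour to verify after enabling the filter.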

All configuration properties for SSO are described here: [[devel:

CzechIdM does not verify the header itself; it relies on Apache having performed the Kerberos authentication before the header is set. The application server must therefore be reachable only through Apache (bind the AJP connector to localhost or firewall the port), otherwise a client connecting to it directly could send a ''REMOTE_USER'' header of its own choosing and be logged in as that user. For the same reason, make sure a ''REMOTE_USER'' header supplied by the client in its own request cannot reach the application (''RequestHeader unset REMOTE_USER'' from mod_headers removes it before the request is proxied).
<

<note important>
===== Troubleshooting =====

General things to check:
  * The service principal name must be linked **only to one** user in AD (on a domain controller, ''setspn -X'' lists duplicated SPNs and ''setspn -L <user>'' shows the SPNs registered on one account).
  * The keytab shouldn'

Usual messages in Apache error log:
  * ''
<code bash>
telnet dc.company.cz 88
</code>
(Kerberos uses port 88 over UDP as well as TCP; ''telnet'' tests TCP only.)
  * ''
  * ''
  * ''
  * ''
<code>
$ klist -k /
Keytab name: FILE:/
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/
   5 HTTP/
   5 HTTP/
   5 HTTP/
   5 HTTP/

$ kinit -k -t /
$ kvno HTTP/
HTTP/
</code>
  * ''

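To make both the keytab check above ("Check that the keytab works") and the ''klist''/''kvno'' comparison in this section repeatable, here is an added Python script, not part of the original tutorial, that parses the output of ''klist -k'' and ''kvno'' and reports the mismatch behind a stale keytab: the KDC issuing a newer KVNO than the keytab contains. The host name ''idm.company.cz'', the keytab path and the sample outputs are constructed for the example; the realm ''COMPANY.CZ'' is the one used on this page. Without arguments it runs on the constructed sample; with a keytab path and the SPN as arguments it runs the real commands (after ''kinit -k -t'', so that ''kvno'' has a TGT).

```python
"""Keytab freshness check (added example; not part of the original tutorial).

Parses the output of the two commands the troubleshooting section uses,
`klist -k` and `kvno`, and reports the usual failure of a stale keytab: the
KDC (AD) issues service tickets with a newer key version number than the
keytab on the web server holds, typically because ktpass was run again on
the DC. Host name idm.company.cz, the keytab path and the sample outputs
below are constructed for this example; COMPANY.CZ is the realm of the page.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set

SPN = "HTTP/idm.company.cz@COMPANY.CZ"  # assumed service principal

# Constructed `klist -k -e` output: one key per encryption type, all KVNO 5.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/idm.company.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/idm.company.cz@COMPANY.CZ (des-cbc-crc)
   5 HTTP/idm.company.cz@COMPANY.CZ (des-cbc-md5)
   5 HTTP/idm.company.cz@COMPANY.CZ (arcfour-hmac)
   5 HTTP/idm.company.cz@COMPANY.CZ (aes256-cts-hmac-sha1-96)
   5 HTTP/idm.company.cz@COMPANY.CZ (aes128-cts-hmac-sha1-96)
"""
# Constructed `kvno` output: after a second ktpass run the KDC is at KVNO 6.
SAMPLE_KVNO_STALE = "HTTP/idm.company.cz@COMPANY.CZ: kvno = 6\n"
SAMPLE_KVNO_OK = "HTTP/idm.company.cz@COMPANY.CZ: kvno = 5\n"

KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)$")


def parse_klist(text: str) -> Dict[str, Set[int]]:
    """Principal -> set of key version numbers stored in the keytab."""
    entries: Dict[str, Set[int]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True           # header separator; entries follow
            continue
        if not in_table:
            continue
        # Drop a trailing "(enctype)" from `-e`; the principal is then the last
        # field, which also copes with the timestamp column printed by `-t`.
        fields = re.sub(r"\s*\([^)]*\)\s*$", "", line).split()
        if len(fields) >= 2 and fields[0].isdigit():
            entries.setdefault(fields[-1], set()).add(int(fields[0]))
    return entries


def parse_kvno(text: str) -> Dict[str, int]:
    """Principal -> key version number the KDC currently issues (`kvno` output)."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def check_keytab(klist_text: str, kvno_text: str, spn: str) -> List[str]:
    """Problems found (an empty list means the keytab matches the KDC)."""
    keytab = parse_klist(klist_text)
    stored = keytab.get(spn, set())
    issued = parse_kvno(kvno_text).get(spn)
    if not stored:
        return [f"{spn} is not in the keytab (check the exact spelling and the "
                f"upper-case realm); principals present: {sorted(keytab) or 'none'}"]
    if issued is None:
        return [f"kvno returned no key version for {spn}: run kinit -k -t first "
                f"and read its error text (the SPN may not be registered in AD)"]
    if issued not in stored:
        return [f"KDC issues kvno {issued} for {spn} but the keytab holds "
                f"{sorted(stored)}: regenerate the keytab with ktpass and copy it over"]
    return []


def check_live(keytab: str, spn: str) -> List[str]:
    """Run the real commands; kvno needs a TGT (kinit -k -t <keytab> <spn>)."""
    klist = subprocess.run(["klist", "-k", "-e", keytab], capture_output=True, text=True)
    kvno = subprocess.run(["kvno", spn], capture_output=True, text=True)
    return check_keytab(klist.stdout, kvno.stdout + kvno.stderr, spn)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        problems = check_live(sys.argv[1], sys.argv[2])
    else:
        problems = check_keytab(SAMPLE_KLIST, SAMPLE_KVNO_STALE, SPN)
    print("\n".join(problems) if problems else "keytab matches the KDC")
    sys.exit(1 if problems else 0)
```

A non-zero exit code with the "regenerate the keytab" message is the case where Apache logs ticket decryption failures although ''kinit -k -t'' still succeeds, because ''kinit'' only needs some valid key in the keytab while incoming tickets are encrypted with the version the KDC currently uses.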
===== See also =====
[[9.7: