TAM STE Series 2008 - WebSEAL SSO, Session 1 PowerPoint PPT Presentation


Presentation Transcript


TAM STE Series 2008- WebSEAL SSO, Session 1

Presented by: Andrew Quap

WebSEAL SSO, Session 1


Itinerary for WebSEAL single-signon (SSO)

  • Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)

  • CDSSO

  • eCDSSO

SPNEGO

  • Generic Security Service Application Program Interface (GSS-API)

    • “an application programming interface for programs to access security services.” – Wikipedia

    • RFC 2478

    • Describes a set of standard APIs

  • GSS-API is mechanism-independent: any security protocol can be implemented behind it

    • The GSS-API implementation of Kerberos is the best known

SPNEGO

  • Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension – Wikipedia

    • Requires an AD server acting as the KDC

    • Nowadays Microsoft markets the use of NTLM instead of SPNEGO

    • Used to provide desktop single sign-on into an IIS server

  • TAM WebSEAL SPNEGO allows users to SSO into WebSEAL

Kerberos basics

  • MIT Kerberos v5

  • RFC 1510

    • Kerberos tickets

    • Kerberos Realm

    • KDC (Key Distribution Center)

      • Server that issues Kerberos tickets

      • Typically listens on port 88

  • For UNIX implementations, “krb5.conf” contains the Kerberos client configuration

Kerberos basics

  • keytab file

    • Allows a service (i.e. a server) to authenticate automatically into a Kerberos realm

  • ‘kinit’ command

    • Command used to authenticate a user into a Kerberos realm

      • Input: user name and password

      • Or input: a keytab file

SPNEGO

  • SPNEGO uses GSS-API Kerberos implementation

  • WebSEAL and WebPI use the "HTTP Negotiate" extension defined by Microsoft.

  • Client Web Browser does HTTP request to WebSEAL.

  • WebSEAL returns HTTP 401 (Unauthorized) status and the following header: "WWW-Authenticate: Negotiate".

  • Client chooses a Service Principal Name for the host and calls InitializeSecurityContext() to generate a NegTokenInit token.

SPNEGO

  • Client resends the request with the following header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>).

  • WebSEAL decodes the NegTokenInit token.

  • WebSEAL verifies the encryption type and authenticates using gss_accept_sec_context().

  • The next step depends on what gss_accept_sec_context() returns.
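The header exchange on the last two slides (the 401 carrying "WWW-Authenticate: Negotiate", then the client's "Authorization: Negotiate <base64>" token that WebSEAL decodes) can be inspected on the server side before any GSS call is made, which is useful when triaging a failed SSO from a trace. The Python below is an added example, not code from this presentation or from WebSEAL: it decodes a Negotiate header value, tells a raw NTLMSSP message (which the limitations slide says WebSEAL cannot handle) apart from a GSS-API initial context token, and for the latter reads the DER length and the mechanism OID. The OID table holds the standard registered values, the sample token it builds is constructed for the example, and the prefix YIIGUQY is the one quoted on the slide.

```python
import base64

# Standard mechanism OIDs seen in GSS-API initial context tokens (registered values).
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def b64decode_lenient(text):
    """Decode base64 that may be unpadded or truncated, as copied from a trace."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))

def encode_oid(dotted):
    """Dotted OID -> DER content bytes (first two arcs packed, then base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(groups))
    return bytes(body)

def decode_oid(raw):
    """DER content bytes -> dotted OID (inverse of encode_oid)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der_length(n):
    """DER length field for n bytes of content."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def read_der_length(buf, pos):
    """Return (length, position after the field), or None if buf is truncated."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if pos + 1 + count > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def build_initial_token(mech_oid, inner):
    """Constructed sample: a GSS-API InitialContextToken, i.e. [APPLICATION 0]
    wrapping the mechanism OID and the mechanism's own bytes (`inner`)."""
    oid = encode_oid(mech_oid)
    body = b"\x06" + der_length(len(oid)) + oid + inner
    return b"\x60" + der_length(len(body)) + body

def negotiate_header(token):
    """The Authorization header value a client would send for `token`."""
    return "Negotiate " + base64.b64encode(token).decode()

def inspect_negotiate_header(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value; kind is one of
    'not-negotiate', 'ntlm', 'gss' or 'unknown'. For 'gss' the declared length
    is always reported; OID and mechanism need enough bytes to be present."""
    scheme, _, data = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate"}
    token = b64decode_lenient(data)
    # NTLM-only clients put a raw NTLMSSP message in the header; the
    # limitations slide notes WebSEAL cannot handle these.
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm"}
    if not token or token[0] != 0x60:
        return {"kind": "unknown"}
    result = {"kind": "gss", "declared_length": None, "oid": None, "mechanism": None}
    outer = read_der_length(token, 1)
    if outer is None:
        return result
    result["declared_length"], pos = outer
    if pos < len(token) and token[pos] == 0x06:
        oid_field = read_der_length(token, pos + 1)
        if oid_field is not None and oid_field[1] + oid_field[0] <= len(token):
            oid_len, start = oid_field
            result["oid"] = decode_oid(token[start:start + oid_len])
            result["mechanism"] = MECH_NAMES.get(result["oid"], "unknown OID")
    return result
```

Run on the slide's prefix, `inspect_negotiate_header("Negotiate YIIGUQY")` reports a GSS token whose declared length is 1617 bytes but whose mechanism cannot yet be read, which is exactly what a truncated trace line yields; on a token from `build_initial_token("1.3.6.1.5.5.2", ...)` it reports SPNEGO, and on a raw `NTLMSSP\0` message it reports `ntlm`, the case that needs the NTLM fallback discussed under limitations.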

SPNEGO Flow

  • All entities share a secret key with the trusted third party (the KDC)

    • Allows the third party to authenticate any known entity

    • The third party can encrypt data for any known entity

WebSEAL SPNEGO configuration and setup

  • The AD server is typically configured as the TAM user registry

    • A separate LDAP server can be used, but the users in AD and LDAP must be kept synchronized

  • WebSEAL administration document, v6, on SPNEGO is very detailed.

WebSEAL SPNEGO configuration and setup

  • WebSEAL installed on Windows OS

    • The ‘ktpass’ command creates Service Principal Names (SPNs) in the AD server

    • Set up the WebSEAL service to authenticate as the new SPN

    • The WebSEAL server must be configured as a client in the AD domain

WebSEAL SPNEGO configuration and setup

  • WebSEAL installed on UNIX

    • Requires a keytab file generated with the ‘ktpass’ command

    • Modify the WebSEAL configuration file to include the principal name and keytab file

    • Set up a Kerberos client on the WebSEAL machine

WebSEAL SPNEGO configuration and setup

  • Supports a load balanced WebSEAL setup

    • The WebSEAL admin guide details the steps needed for the basic setup; note that case matters

    • Forward and reverse DNS lookups must match on the WebSEAL machine for the load balanced hostname

    • WebSEAL on Windows

      • The server instances must all be running under the same ID

    • WebSEAL on UNIX

      • The servers must all share the same keytab

WebSEAL SPNEGO problem determination

  • Invoke ‘bst’ trace or per-process trace

  • Determine whether the error is a Kerberos error

    • Review Kerberos client config in ‘krb5.conf’

  • UNIX

    • Ensure the keytab file is valid

      • Use a ‘kinit’ test with the keytab

  • Windows

    • Ensure the WebSEAL service authenticates as the user created by the ‘ktpass’ command

WebSEAL SPNEGO typical issues

  • TAM 6.0 provides a SPNEGO problem determination guide

  • WebSEAL will not start

    • Invoke per-process tracing

      • Look for Kerberos error

        • Example of error

WebSEAL SPNEGO typical issues

  • WebSEAL starts but user SSO fails

    • Invoke ‘bst’ tracing

    • Capture a network trace from the end user’s browser

      • Look for the AD server response

    • Check ‘krb5.conf’

      • Make sure the AD domain is defined, or is the default

      • If the WebSEAL domain is different from the AD domain, make sure both domains are mapped

    • Ensure the site is entered as a trusted site in the IE browser
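The ‘krb5.conf’ checks on this slide (AD domain defined or the default, both domains mapped when the WebSEAL and AD domains differ), the earlier "review Kerberos client config in krb5.conf" step, and the case sensitivity noted for the load balanced setup can be scripted so the same review is done the same way on every WebSEAL host. The Python below is an added example, not tooling from the presentation or from IBM; the two krb5.conf files, the host names and the realm AD.EXAMPLE.COM are constructed for it.

```python
# Constructed sample krb5.conf for a WebSEAL host in corp.example.net whose AD
# realm is AD.EXAMPLE.COM (made-up names, not the presenter's environment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com:88
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    .corp.example.net = AD.EXAMPLE.COM
"""

# Same environment with three of the slide's typical mistakes: the realm name
# in lower case, the WebSEAL host's own domain unmapped, and a different default.
BROKEN_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.NET

[realms]
    ad.example.com = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf layout: [section], key = value, and
    key = { ... } sub-blocks. Repeated keys (e.g. several kdc lines) collect
    into a list; '#' starts a comment."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, fqdn):
    """Resolve a host to a realm via [domain_realm]: exact host first, then
    the closest parent domain, the order the Kerberos library uses."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in mapping:
            return mapping[name][0]
    return None

def check_krb5_conf(text, webseal_fqdn, ad_realm):
    """Return a list of findings; empty when the file passes the slide's checks."""
    conf = parse_krb5_conf(text)
    findings = []
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        findings.append("no default_realm in [libdefaults]")
    realms = conf.get("realms", {})
    if ad_realm in realms:
        block = realms[ad_realm]
        if not isinstance(block, dict) or not block.get("kdc"):
            findings.append(f"no kdc entry for realm {ad_realm}")
    else:
        # Deliberately case-sensitive lookup: realm names are case sensitive.
        near = [r for r in realms if r.lower() == ad_realm.lower()]
        if near:
            findings.append(f"[realms] defines {near[0]} but the AD realm is {ad_realm}; "
                            "realm names are case sensitive")
        else:
            findings.append(f"realm {ad_realm} is not defined in [realms]")
    # The AD domain must be mapped for this host, or be the default realm.
    mapped = realm_for_host(conf, webseal_fqdn) or default
    if mapped != ad_realm:
        findings.append(f"{webseal_fqdn} maps to realm {mapped!r}, not {ad_realm}: add a "
                        f"[domain_realm] entry for its domain or make {ad_realm} the default_realm")
    return findings
```

`check_krb5_conf(SAMPLE_KRB5_CONF, "webseal1.corp.example.net", "AD.EXAMPLE.COM")` returns no findings, while the broken file produces one finding for the realm case mismatch and one for the unmapped WebSEAL domain, the two conditions the slide tells you to look for when SSO fails after WebSEAL has started.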

WebSEAL SPNEGO typical issues

  • Multiple SPNs mapped to the WebSEAL AD account

    • The issue only occurs when WebSEAL is installed on UNIX

    • The ‘-mapOp set’ option must be used with the ktpass command

    • ‘-mapOp set’, which is required to create a keytab, removes the other SPNs that existed on the account

    • Use one account per SPN when WebSEAL runs on UNIX

WebSEAL SPNEGO limitations

  • Does not provide SSO into an IIS backend server

  • If SPNEGO fails, falling back to WebSEAL forms login requires an IE fix

    • WebSEAL’s NTLM error page can be modified for ‘pkmslogin’

    • Use E-community SSO to log the user in

  • WebSEAL cannot handle NTLM responses from IE

  • SPNEGO clients cannot log out

Kerberos Junctions

  • Not SSO to WebSEAL, but SSO from WebSEAL to IIS

SPNEGO questions

Cross Domain Single Signon (CDSSO)

  • “A mechanism to transfer a user’s credentials between servers in different domains.” – WebSEAL administration guide

  • Uses an encrypted token to transfer a user identity

    • “token creation” creates and encrypts the token

    • “token consumption” decrypts the token

  • Can use CDSSO between TAM Web plug-in and WebSEAL

Cross Domain Single Sign-on (CDSSO)

  • Supports cross-domain mapping framework (CDMF)

    • Allows additional attributes to be encrypted in token in addition to user’s identity

    • Provides the ability to customize CDSSO using the TAM C APIs

CDSSO configuration and setup

  • Configuring CDSSO token create functionality

    • The following procedures are appropriate for the initial WebSEAL server:

      • Enable WebSEAL to generate CDSSO tokens (cdsso-create).

      • Configure the built-in token creation module (sso-create).

      • Create the key file used to encode and decode the token. Copy the key file to all appropriate participating servers ([cdsso-peers] stanza).

      • Configure the token time stamp (authtoken-lifetime).

      • Configure the token label (cdsso-argument).

      • Create the CDSSO HTML link (/pkmscdsso?destination-URL).

CDSSO setup and configuration

  • Configuring CDSSO token consume functionality

    • The following procedures are appropriate for the destination WebSEAL server:

      • Enable WebSEAL to consume CDSSO tokens (cdsso-auth) for authentication.

      • Configure the built-in token consumption module (sso-consume).

      • Assign the appropriate key file ([cdsso-peers] stanza).

      • Configure the token time stamp (authtoken-lifetime).

      • Configure the token label (cdsso-argument).

CDSSO flow

CDSSO requirements

  • “All WebSEAL servers participating in CDSSO must have machine times synchronized.” – WebSEAL administration guide

  • “For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment.” – WebSEAL administration guide

CDSSO requirements

  • “Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments.” – WebSEAL administration guide

CDSSO problem determination

  • Determine if error occurs during “token creation” or “token consumption”

  • Enable the CDSSO-specific trace component ‘pdweb.wan.cdsso’

  • Enable the ‘pdweb.snoop’ trace

  • Analyze ‘msg__WebSEALd-<instance name>.log’

  • Is the customer using the default libraries?

CDSSO typical issues

  • Time issues: time zones not set up correctly, or clock skew

  • Mismatched keys

  • CDSSO peers incorrectly set up
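To make the CDSSO set-up steps, the requirements and the typical issues above concrete, the Python below models token creation on the initial server and token consumption on the destination server: a shared key looked up per peer (the [cdsso-peers] stanza), a creation time checked against a lifetime (authtoken-lifetime), and the sending server's fully qualified host name carried inside the token. It is an added example and not WebSEAL's token format or code: the real token is encrypted with the key file, whereas this model authenticates the payload with an HMAC so that the key-mismatch, clock-skew and unknown-peer failures from the typical-issues slide can be exercised offline. The host names and the key are constructed. The ECSSO vouch-for token later in the deck follows the same create/consume pattern, so this one example covers both.

```python
import base64
import hashlib
import hmac
import json

AUTHTOKEN_LIFETIME = 180  # seconds; plays the role of the slides' authtoken-lifetime

# Constructed shared secret for the webseal-a <-> webseal-b pair. Each peer's
# [cdsso-peers] table maps the *other* server's hostname to the shared key.
PAIR_KEY = hashlib.sha256(b"constructed demo key for webseal-a/webseal-b").digest()
PEERS_ON_A = {"webseal-b.example.com": PAIR_KEY}
PEERS_ON_B = {"webseal-a.example.com": PAIR_KEY}

class CdssoError(Exception):
    """Consumption failure; the message starts with the failure class."""

def create_token(peers, own_fqdn, destination_fqdn, user, attrs, now):
    """Token creation on the initial server. The payload carries the sending
    server's FQDN (peers must know each other's host name), the user identity,
    extra attributes (what CDMF adds) and the creation time in UTC epoch
    seconds, so time-zone settings on either server cannot change its meaning."""
    key = peers.get(destination_fqdn)
    if key is None:
        raise KeyError(f"no [cdsso-peers] key for {destination_fqdn}")
    payload = json.dumps(
        {"src": own_fqdn, "user": user, "attrs": attrs, "created": int(now)},
        sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def consume_token(peers, token, now, lifetime=AUTHTOKEN_LIFETIME):
    """Token consumption on the destination server. Only the peer name is read
    before verification, to select the key; nothing else is trusted until the
    tag checks out. Failures use the terms from the typical-issues slide."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-32], raw[-32:]
        data = json.loads(payload)
        src = data["src"]
    except (ValueError, KeyError):
        raise CdssoError("malformed token")
    key = peers.get(src)
    if key is None:
        raise CdssoError(f"unknown-peer: no [cdsso-peers] entry for {src}")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CdssoError(f"key-mismatch: token from {src} does not verify with the configured key")
    age = int(now) - data["created"]
    if age < 0:
        raise CdssoError(f"clock-skew: token is {-age}s from the future; synchronize peer clocks")
    if age > lifetime:
        raise CdssoError(f"expired: token is {age}s old, authtoken-lifetime is {lifetime}s")
    return data

def try_consume(peers, token, now, lifetime=AUTHTOKEN_LIFETIME):
    """Return ('ok', identity) or (failure-class, message) for logging and tests."""
    try:
        return "ok", consume_token(peers, token, now, lifetime)
    except CdssoError as err:
        failure_class, _, message = str(err).partition(": ")
        return failure_class, message
```

A token created on webseal-a for webseal-b is accepted by webseal-b within the lifetime; the same token is rejected as `expired` after 180 seconds, as `clock-skew` when the consumer's clock is behind the creator's, as `key-mismatch` when webseal-b's [cdsso-peers] entry points at a different key, and as `unknown-peer` when the entry is missing, which is the order in which the problem determination slide suggests checking.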

CDSSO limitations

  • UTF-8 encoding for strings

  • Providing compatibility for tokens across WebSEAL versions

CDSSO questions

E-community Single Sign-on (ECSSO)

  • Concept is similar to CDSSO

  • Master authentication server (MAS) provides single point for authentication

    • WebSEAL and WebPI provide MAS functionality

  • Domain-specific cookies are used to identify the server that can provide "vouch for" services

  • The e-community implementation allows for "local" authentication in remote domains

eCDSSO flow

ECSSO setup and configuration

  • Enabling and disabling e-community members

  • Including credential attributes in the vouch-for tokens

  • Specify the sso-create and sso-consume libraries

ECSSO problem determination

  • Determine if error occurs during “token creation” or “token consumption”

  • Enable ‘pdweb.snoop’ trace on servers involved

  • Analyze ‘msg__WebSEALd-<instance name>.log’

ECSSO typical issues

  • Time issues: time zones not set up correctly, or clock skew

  • Mismatched keys

  • ECDSSO domains incorrectly set up

ECSSO limitations

  • One server, or group, provides authentication for a group of servers

    • Each server can still do local authentication

eCDSSO questions
