Single Sign-on

Presentation Transcript
Agenda
  • Motivations for Windows Linux SSO
  • Choosing an Architecture
  • Implementation Strategies
  • Walkthrough
Goals of SSO
  • Enhance user experience
  • Improve security and compliance
  • Reduce IdM costs
  • But getting true SSO is really, really hard. Reduced Sign On (RSO) is much more realistic.
Choosing an Architecture
  • Enterprise SSO
  • Kerberos
  • Identity Federation
    • WS-Federation
    • SAML 2.0
  • Metadirectory/Virtual Directory
Enterprise SSO
  • Caches credentials on the local machine or on a shared server
  • Doesn’t require much change to infrastructure or applications
  • Requires creation of adapters for each application
  • Doesn’t reduce IdM costs that much
Kerberos
  • Secure authentication protocol designed to provide single sign-on
  • Standardized via RFCs and implementation
  • Single credential store to manage
  • Difficult to implement across security domains
  • Not designed to accommodate additional ID information
Federated Identity Systems
  • SAML v2
  • WS-Federation
  • Focused on Web SSO
  • Leaves existing identity technologies in place
  • Relatively new
  • Requires establishment and management of trust relationships
Metadirectory/Virtual Directory
  • Doesn’t by itself produce SSO experience
  • Requires no change to existing application infrastructure
  • Potentially reduces IdM overhead
  • Potentially complex infrastructure
Windows Authentication Mechanisms
  • NTLM v2
    • Not terribly secure
    • Generally understood only by Windows resources
  • Kerberos v5
    • Quite secure
    • Provided by Active Directory
Linux Authentication Mechanisms
  • /etc/passwd, /etc/shadow
  • NIS, NIS+
  • LDAP
  • Kerberos
Kerberos Implementations for Linux
  • MIT Kerberos v5
    • De-facto standard
    • Included with nearly every Linux distribution
  • Heimdal
    • European implementation to avoid export restrictions on strong encryption
Linux PAM
  • Standard API for authentication-related functions
  • Pluggable modules to provide different authentication mechanisms
  • Configured on an application-by-application basis in /etc/pam.d
PAM Services
  • Account
    • Does the account exist?
  • Authentication
    • Is the user who they say they are?
  • Password
    • Password policy and password change
  • Session
    • Session setup and configuration
PAM Configuration
  • /etc/pam.d/<application name>
  • system-auth
Linux NSS
  • Name to uid mapping
  • Group memberships
  • Home directory
  • Shell
Samba Project
  • Free/open-source project that helps integrate Windows and Linux
  • SMB/CIFS server and clients
  • Windows/Linux printing
  • NTLMv2 and Kerberos authentication
Samba winbind
  • Daemon that manages domain-related communication to a DC
  • Includes PAM and NSS modules for integration
  • Added to system startup, e.g. /etc/rc.d/init.d
A Note on ID Mapping
  • Samba provides for several mechanisms
    • Store uid/gid and SID in local .tdb database
    • Store uid/gid in an LDAP store
    • Calculate uid/gid from SID
    • Store uid/gid in Active Directory
Our SSO Strategy
  • [Diagram: labelled "Linux client" and "Windows client"; the image itself is not in the transcript]
Implementing PAM winbind
  • Extend Active Directory to support Linux
  • Prep Linux environment
  • Build, install and configure winbindd
  • Configure PAM/NSS to use Active Directory
Extending the Schema
  • RFC 2307 specifies NIS representation in LDAP
  • Windows Server 2003 R2 (WS2K3 R2) has it built into the user object
  • RFC 2307 aux class schema extension for WS2K3
  • SFU schema extension for Windows 2000
    • But, names and OIDs are not 2307 compliant
Prep Linux Environment
  • # system-config-network
  • Make sure host name is set properly with same domain name as AD
  • Make sure DNS resolver is set to AD DNS namespace
Building 3.0.23c winbindd
  • Download and install Samba source RPM 3.0.23c
    • # rpm -i samba-3.0.23c-4.src.rpm
  • Edit the /usr/src/redhat/SPECS/samba3.spec
    • Add idmap_ad to --with-shared-modules option
  • Build Samba
    • # rpmbuild -bb SPECS/samba3.spec
    • Binary RPM will be in /usr/src/redhat/RPMS/i386
Remove and Reinstall Samba
  • Upgrade Samba
    • # rpm -e samba-common
    • # rpm -e samba-client
    • # rpm -e samba-swat
    • # rpm -e system-config-samba
    • # rpm -i samba-3.0.23c-4.i386.rpm
Configuring PAM to Use Winbind
  • Make sure SELinux is disabled
    • # system-config-securitylevel
  • Enable PAM winbind support
    • # system-config-authentication
    • Enable Winbind for User Information
    • Enable Winbind for Authentication
    • Add pam_mkhomedir skel=/etc/skel umask=0077 to /etc/pam.d/system-auth
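An added example, not from the slides: a constructed /etc/pam.d/system-auth stack with winbind enabled, plus a shell check that the four PAM service types are wired the way this slide describes. Module order and control flags are assumptions modelled on what authconfig writes on Red Hat systems.

```shell
# Added example (not from the slides): a constructed /etc/pam.d/system-auth
# stack with winbind enabled for auth, account and password, and pam_mkhomedir
# in the session stack, plus a checker for those four service types.
# Module names and control flags follow Red Hat's authconfig layout (assumed).
write_sample_system_auth() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
EOF
}

# Return 0 when auth, account and password each stack pam_winbind and the
# session stack creates home directories with a 0077 umask; list gaps otherwise.
check_pam_stack() {
  f="$1"; rc=0
  for svc in auth account password; do
    grep -Eq "^$svc[[:space:]].*pam_winbind\.so" "$f" \
      || { echo "$svc: pam_winbind.so missing"; rc=1; }
  done
  grep -Eq '^session[[:space:]].*pam_mkhomedir\.so.*umask=0077' "$f" \
    || { echo "session: pam_mkhomedir.so with umask=0077 missing"; rc=1; }
  return $rc
}
```

Running check_pam_stack against the real file after system-config-authentication has run shows whether the GUI left a service type without winbind.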
Configuring Winbind
  • Configure winbind dialog
    • # system-config-authentication
    • Domain name (short) in ALL CAPS
    • Security model ADS
    • Realm is DNS name of Active Directory domain
    • DCs are the fully qualified DNS host names of the domain controllers
    • Shell…
  • Edit /etc/samba/smb.conf
    • Add idmap backend = ad to global section
  • Add home directory
    • # mkdir /home/<DOMAINNAME>
  • Restart winbind daemon
    • # service winbind restart
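An added example, not from the slides: a shell function that renders the smb.conf [global] section equivalent to the dialog settings above, and a check for the naming rules the slide gives. The idmap range and the template homedir/shell values are assumptions.

```shell
# Added example (not from the slides): render the [global] section of
# /etc/samba/smb.conf for ADS-mode winbind with the idmap_ad backend, then
# check the naming rules the slide gives (short domain name in ALL CAPS,
# realm is the DNS domain name). idmap range and template values are assumed.
render_smb_global() {
  workgroup="$1"; realm="$2"; dc="$3"
  cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ads
   password server = $dc
   idmap backend = ad
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = no
   # %D is the short domain name, which is why /home/<DOMAINNAME> must exist
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF
}

# Return 0 when a rendered config follows the slide's rules; print the first
# violation otherwise.
check_smb_global() {
  conf="$1"
  wg=$(sed -n 's/^ *workgroup = //p' "$conf")
  rl=$(sed -n 's/^ *realm = //p' "$conf")
  [ "$wg" = "$(printf '%s' "$wg" | tr '[:lower:]' '[:upper:]')" ] \
    || { echo "workgroup must be ALL CAPS: $wg"; return 1; }
  case "$rl" in
    *.*) ;;
    *) echo "realm must be the DNS domain name: $rl"; return 1 ;;
  esac
  grep -q '^ *security = ads$' "$conf" || { echo "security = ads missing"; return 1; }
  grep -q '^ *idmap backend = ad$' "$conf" || { echo "idmap backend = ad missing"; return 1; }
}
```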
Making it Work
  • Join the machine to the domain
    • # net ads join -U <administrator>
  • Check connectivity
    • # wbinfo -t
  • List domain users
    • # wbinfo -u
  • List domain groups
    • # wbinfo -g
Linuxifying Users and Groups
  • Every user must have a unique value for uidNumber attribute
  • Every user must have a value for gidNumber
  • Every group should have a unique value for gidNumber attribute
  • Domain Users group must have gidNumber defined
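An added example, not from the slides: an audit of a constructed LDIF export of domain users and groups against the attribute rules above, the kind of check to run before the winbind join so that missing or colliding uidNumber/gidNumber values surface in the export rather than as failed logins. Sample names and numbers are constructed.

```shell
# Added example (not from the slides): audit a constructed LDIF export of AD
# users and groups for the RFC 2307 attributes winbind's idmap_ad backend
# needs before domain users can log in to Linux.
# Constructed sample: bob collides with alice; carol and Domain Users lack gidNumber.
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10002

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
EOF
}

# Print one finding per line; exit status 0 only when the export is clean.
audit_rfc2307() {
  awk '
    function report(msg) { print msg; n++ }
    function flush() {
      if (!inrec) return
      if (cls == "user" && uid == "") report("MISSING uidNumber: " name)
      if (cls == "user" && uid != "" && (uid in seenuid)) report("DUPLICATE uidNumber " uid ": " name " and " seenuid[uid])
      if (cls == "user" && uid != "") seenuid[uid] = name
      if (gid == "") report("MISSING gidNumber: " name " (" cls ")")
      inrec = 0; cls = name = uid = gid = ""
    }
    /^dn: /             { flush(); inrec = 1 }
    /^objectClass: /    { cls = $2 }
    /^sAMAccountName: / { sub(/^sAMAccountName: /, ""); name = $0 }
    /^uidNumber: /      { uid = $2 }
    /^gidNumber: /      { gid = $2 }
    END                 { flush(); exit (n > 0 ? 1 : 0) }
  ' "$1"
}
```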
Figuring Out What Went Wrong
  • Syslog (/var/log/messages)
  • /var/log/samba/winbind.log
  • Set the debug level (1-10) in /etc/rc.d/init.d/winbind
    • # service winbind restart
  • Enable auth logging on the domain controller
What Do You Get?
  • Ability to manage all users in AD
  • Solve the unique identifier problem while getting rid of NIS
  • Consolidated authentication audit logs
  • Ability to provide your Linux users access to Windows resources like shares and printers
  • Source code!
What’s Missing?
  • Ease of installation and configuration
  • Authoritative support
  • Group Policy management of Linux
  • Web SSO
    • mod_auth_pam
    • mod_auth_kerb
    • …or ADFS and mod_auth_adfs from PING
  • Scalability?
Centrify DirectControl
  • Supports 60+ platforms including Mac
  • Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS)
  • Support for Apache and J2EE as well
  • GPO management of non-Windows platforms
  • Group Linux machines into Zones to organize authentication and management
  • No schema changes needed
Vintela Authentication Services
  • Supports 75+ platforms
    • … but not Mac
  • Instant AD integration using Kerberos/LDAP and WS-Federation (ADFS)
  • Support for Apache and J2EE as well
  • GPO management of Linux/Unix platforms
  • LDAP proxy for secure LDAP connections
  • Linux/Unix “personalities”
  • Uses standard RFC 2307 schema attributes
  • SSO Strategies
  • SSO Architectures
  • Linux Authentication
  • Configuring Linux to Use Active Directory
Directory Experts Conference
  • Microsoft Identity and Access Technologies
  • April 21-24
  • Las Vegas
Thank You!
Gil Kirkpatrick
CTO, NetPro