TAM STE Series 2008 - WebSEAL SSO, Session 1

08/2008 © 2008 IBM Corporation

Presented by: Andrew Quap


Itinerary for WebSEAL single sign-on (SSO)

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)

CDSSO

eCDSSO


SPNEGO

Generic Security Service Application Program Interface (GSS-API)

– “an application programming interface for programs to access security services.” - Wikipedia

– RFC 2478

– Describes a set of standard APIs

GSS-API can implement any security protocol

– The GSS-API implementation of Kerberos is the best known


SPNEGO

Microsoft started to use SPNEGO in IE 5.01 and IIS 5.0 as an authentication extension - Wikipedia

– Requires an AD server acting as the KDC

– Nowadays Microsoft markets the use of NTLM instead of SPNEGO

– Used to provide desktop single sign-on into an IIS server

TAM WebSEAL SPNEGO allows users to SSO into WebSEAL


Kerberos basics

MIT Kerberos v5

RFC 1510

– Kerberos tickets

– Kerberos Realm

– KDC (Key Distribution Center)

• Server that issues Kerberos tickets

• Typically listens on port 88

For UNIX implementations, “krb5.conf” contains the Kerberos client configuration


Kerberos basics

keytab file

– Allows a service (i.e. a server) to automatically authenticate into the Kerberos realm

‘kinit’ command

– Command used to authenticate a user into a Kerberos realm

• Input: user/password

• Or input: keytab file


SPNEGO

SPNEGO uses the GSS-API Kerberos implementation

WebSEAL and WebPI use the "HTTP Negotiate" extension defined by Microsoft.

The client web browser sends an HTTP request to WebSEAL.

WebSEAL returns HTTP 401 (Unauthorized) status and the following header: "WWW-Authenticate: Negotiate".

Client chooses a Service Principal Name for the host and calls InitializeSecurityContext() to generate a NegTokenInit token.


SPNEGO

Client resends the request with the following header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: Negotiate YIIGUQY<remainder of base64 encoded string>).

WebSEAL decodes the NegTokenInit token.

WebSEAL verifies the encryption type and authenticates using gss_accept_sec_context.

The next step depends on what the gss_accept_sec_context function returns.


SPNEGO Flow

All entities share a secret key with the 3rd party

– Allows 3rd party to authenticate any known entity

– 3rd party can encrypt data for any known entity


WebSEAL SPNEGO configuration and setup

The AD server is typically configured as the TAM registry

– A separate LDAP server can be used, but the AD and LDAP user populations must be kept synchronized

WebSEAL administration document, v6, on SPNEGO is very detailed.


WebSEAL SPNEGO configuration and setup

WebSEAL installed on Windows OS

– The ‘ktpass’ command creates Service Principal Names (SPNs) in the AD server

– Set up the WebSEAL service to authenticate as the new SPN

– The WebSEAL server must be configured as a client into the AD domain


WebSEAL SPNEGO configuration and setup

WebSEAL installed on UNIX

– Requires a keytab file generated by the ‘ktpass’ command

– Modify the WebSEAL configuration file to include the principal name and keytab file

– Set up the Kerberos client on the WebSEAL machine


WebSEAL SPNEGO configuration and setup

Supports load balanced WebSEAL setup

– The WebSEAL admin guide details the steps needed for the basic setup; case matters

– Forward and reverse lookup must match on the WebSEAL machine for the load balanced hostname

– WebSEAL on Windows

• The server instances must all be running under the same ID

– WebSEAL on UNIX

• The servers must all share the same keytab


WebSEAL SPNEGO problem determination

Invoke ‘bst’ trace or per-process trace

Determine whether it is a Kerberos error

– Review Kerberos client config in ‘krb5.conf’

UNIX

– Ensure the keytab file is valid

• Test it with ‘kinit’

Windows

– Ensure the WebSEAL service authenticates as the user created by the ‘ktpass’ command


WebSEAL SPNEGO typical issues

TAM 6.0 provides an SPNEGO problem determination guide

WebSEAL will not start

– Invoke per-process tracing

• Look for a Kerberos error

– Example of error


WebSEAL SPNEGO typical issues

WebSEAL starts but user SSO fails

– Invoke ‘bst’ tracing

– Capture a network trace from the end user’s browser

• Look for the AD server response

– Check ‘krb5.conf’

• Make sure the AD domain is defined or is the default

• If the WebSEAL domain is different from the AD domain, make sure both domains are mapped

– Ensure the WebSEAL site is entered as a trusted site in the IE browser


WebSEAL SPNEGO typical issues

Multiple SPNs mapped to the WebSEAL AD account

– The issue only occurs when WebSEAL is installed on UNIX

– The ‘-mapOp set’ option must be used for the ktpass command

– ‘-mapOp set’, which is required to create a keytab, removes the other SPNs that existed on the account

– Use one account per SPN on UNIX


WebSEAL SPNEGO limitations

Does not provide SSO into an IIS backend server

If SPNEGO fails, falling back to WebSEAL forms login requires an IE fix

– WebSEAL’s NTLM error page can be modified for ‘pkmslogin’

– Use e-community SSO to log the user in

WebSEAL cannot handle NTLM responses from IE

SPNEGO clients cannot log out


Kerberos Junctions

Not SSO to WebSEAL, but SSO from WebSEAL to IIS


SPNEGO questions


Cross Domain Single Signon (CDSSO)

“A mechanism to transfer a user’s credentials between servers in different domains.” - WebSEAL administration guide

Uses an encrypted token to transfer a user identity

– “token creation” creates and encrypts the token

– “token consumption” decrypts the token

CDSSO can be used between the TAM Web plug-in and WebSEAL


Cross Domain Single Sign-on (CDSSO)

Supports the cross-domain mapping framework (CDMF)

– Allows additional attributes to be encrypted in the token along with the user’s identity

– Provides the ability to customize CDSSO using the TAM C APIs


CDSSO configuration and setup

Configuring CDSSO token create functionality

– The following procedures are appropriate for the initial WebSEAL server:

• Enable WebSEAL to generate CDSSO tokens (cdsso-create).

• Configure the built-in token creation module (sso-create).

• Create the key file used to encode and decode the token.

• Copy the key file to all appropriate participating servers ([cdsso-peers] stanza).

• Configure the token time stamp (authtoken-lifetime).

• Configure the token label (cdsso-argument).

• Create the CDSSO HTML link (/pkmscdsso?destination-URL).


CDSSO setup and configuration

Configuring CDSSO token consume functionality

– The following procedures are appropriate for the destination WebSEAL server:

• Enable WebSEAL to consume CDSSO tokens (cdsso-auth) for authentication.

• Configure the built-in token consumption module (sso-consume).

• Assign the appropriate key file ([cdsso-peers] stanza).

• Configure the token time stamp (authtoken-lifetime).

• Configure the token label (cdsso-argument).


CDSSO flow


CDSSO requirements

“All WebSEAL servers participating in CDSSO must have machine times synchronized.” - WebSEAL administration guide

“For CDSSO to function successfully, each participating WebSEAL server must reveal its fully qualified host name to the other participating servers in the cross-domain environment.” - WebSEAL administration guide


CDSSO requirements

“Do not reuse key pairs (used to encrypt and decrypt token data) generated for a specific CDSSO environment in any other CDSSO environments.” - WebSEAL administration guide


CDSSO problem determination

Determine if error occurs during “token creation” or “token consumption”

Enable the CDSSO-specific trace component ‘pdweb.wan.cdsso’

Enable ‘pdweb.snoop’ trace

Analyze ‘msg__WebSEALd-<instance name>.log’

Is the customer using the default libraries?


CDSSO typical issues

Time issues: time zones not set up correctly, or clock skew

Mismatched keys

CDSSO peers incorrectly set up
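The Python model below is an added example, not WebSEAL's implementation: it reproduces the token create / consume split from the configuration slides (the shared key per peer in [cdsso-peers], the authtoken-lifetime window, the FQDN each server must be known by) and returns a distinct failure reason for each of the typical issues listed above. The server names and key are constructed, and the token is HMAC-authenticated rather than encrypted as WebSEAL's is, so it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed model of the CDSSO create/consume split, not WebSEAL's token
# format or crypto: WebSEAL encrypts the token with the shared key file; this
# stand-in authenticates it with an HMAC so it runs offline.
AUTHTOKEN_LIFETIME = 180      # seconds, stands in for authtoken-lifetime
MAC_LEN = hashlib.sha256().digest_size

class CdssoServer:
    def __init__(self, fqdn, peers, clock):
        self.fqdn = fqdn      # fully qualified name the peers must know
        self.peers = peers    # {peer fqdn: shared key}, like [cdsso-peers]
        self.clock = clock    # returns epoch seconds; injectable to model skew

    def create_token(self, user, destination_fqdn):
        """Token creation (initial server): bind user, sender and timestamp."""
        body = json.dumps({"user": user, "from": self.fqdn,
                           "ts": int(self.clock())}).encode()
        mac = hmac.new(self.peers[destination_fqdn], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + mac).decode("ascii")

    def consume_token(self, token):
        """Token consumption (destination server); each reason is a typical issue."""
        try:
            raw = base64.urlsafe_b64decode(token)
            body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
            claims = json.loads(body)
            key = self.peers.get(claims["from"])
        except (ValueError, KeyError, TypeError):
            return None, "malformed token"
        if key is None:
            return None, "peer not configured"          # [cdsso-peers] wrong
        if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            return None, "mismatched key"               # different key files
        if abs(int(self.clock()) - claims["ts"]) > AUTHTOKEN_LIFETIME:
            return None, "token expired or clock skew"  # times not synchronized
        return claims["user"], "ok"

def run_scenario(skew_seconds=0, destination_key=b"constructed-key-A-B"):
    # Alice follows a CDSSO link from webseal-a to webseal-b (constructed names).
    now = 1_700_000_000
    a = CdssoServer("webseal-a.example.com",
                    {"webseal-b.example.com": b"constructed-key-A-B"}, lambda: now)
    b = CdssoServer("webseal-b.example.com",
                    {"webseal-a.example.com": destination_key},
                    lambda: now + skew_seconds)
    return b.consume_token(a.create_token("alice", "webseal-b.example.com"))
```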


CDSSO limitations

UTF-8 encoding for strings

Providing compatibility for tokens across WebSEAL versions


CDSSO questions


E-community Single Sign-on (ECSSO)

Concept is similar to CDSSO

Master authentication server (MAS) provides single point for authentication

– WebSEAL and WebPI provide MAS functionality

Domain-specific cookies are used to identify the server that can provide "vouch for" services

The e-community implementation allows for "local" authentication in remote domains


eCDSSO flow


ECSSO setup and configuration

Enabling and Disabling e-Community Members

Including credential attributes in the vouch-for tokens

Specify the sso-create and sso-consume libraries


ECSSO problem determination

Determine if error occurs during “token creation” or “token consumption”

Enable the ‘pdweb.snoop’ trace on the servers involved

Analyze ‘msg__WebSEALd-<instance name>.log’


ECSSO typical issues

Time issues: time zones not set up correctly, or clock skew

Mismatched keys

E-community domains incorrectly set up


ECSSO limitations

One server, or group, provides authentication for a group of servers

– Each server can still do local authentication


eCDSSO questions