What is Kerberos?
Kerberos aka “kərbərəs” is a computer network authentication protocol which works on the basis of ‘tickets’ to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default.
It doesn’t matter which web application solution you use: if it falls under JAAS -> SPNEGO,
Kerberos is the solution!!
Breaking it down: incorporate Kerberos in your organization.
Why use cumbersome 3rd-party authentication solutions?
Which one best meets your application authentication model?
SSO or form-based?
A web application XML method to save your organization $$$$$$?
How does the Kerberos protocol work?
The web server has to handshake with the browser to obtain the Kerberos token. The token can be validated against a keytab file or by connecting to Active Directory.
The diagram below explains how the handshake happens between the browser and the web server to obtain the Kerberos token for authentication.
In this article I am going to talk about implementing Single-Sign-On on the Java platform (i.e. JAAS) using Active Directory through the Kerberos protocol for web-based products/applications.
I used the following software:
- JDK 1.6 (previous versions don’t support the SPNEGO Kerberos protocol)
- Windows 2003 Server with Active Directory
- Windows XP with Internet Explorer 7 for the client machine
- Tomcat 6.0 Web Server
The following information is required from your system administrators.
- Active Directory server IP address or hostname.
- Your complete domain name in Active Directory. (Example. )
Create a Server Name Alias
You have to create a server alias for the web server to interact with Active Directory for SSO token validation. Create a user called testsso and check “Password never expires”. Assign a password to the testsso user; we will use this password in the Java code later.
Create a Service Name
The account you created in the previous step is meant to be used as the Kerberos HTTP service for the web server. This is done using the setspn command-line tool, which manages SPNs (Service Principal Names) in Active Directory.
[More information on Setspn: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx].
You would need to add (-a) an SPN for such an account, associating it with the fully qualified server alias name. For example:
setspn -a HTTP/testsso
You can confirm that it has been created successfully by listing (-l) the SPNs available for that account:
setspn -l testsso
Note: this command-line utility might not be available in your OS; you may have to download it from the Microsoft site.
You can do a basic Kerberos check using the kinit tool. From one of the computers in your network that has access to the KDC (Key Distribution Center), which in Windows is usually the Domain Controller, check the following using your user account (ex: testsso@):
If everything is ok, the command will ask you for your domain password and terminate without an error message. If you execute it without any argument, this command will show you the initial ticket you got from the KDC.
Create jaas.conf file
Create the jaas.conf file and place it in the c:\ location.
Finally, the most awaited test JSP file. Fill in these three constants for your environment:
String ACTIVE_DIRECTORY_SERVER = "<hostname/ipaddress>";   // Active Directory server (KDC) hostname or IP address
String DEFAULT_DOMAIN = "<the default domain>";            // your Active Directory domain name, in upper case
String SP_PASSWORD = "<server-principal-password>";        // password of the testsso service account
The best way to implement Single-Sign-On is with a servlet; for ease of testing in your environment I made it a JSP. Once you get this sample code working in your environment you can integrate it into your framework.
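The browser/web server handshake described above in servlet form, as an added example that is not the page’s own JSP: challenge the browser with WWW-Authenticate: Negotiate, then validate the returned token through JAAS and GSS-API. Assumptions: Java 8 or later (java.util.Base64, lambdas), the javax.servlet API, a jaas.conf entry named spnego-server that uses Krb5LoginModule with storeKey=true and isInitiator=false, and the placeholder SP_USER, SP_PASSWORD, ACTIVE_DIRECTORY_SERVER and DEFAULT_DOMAIN values, which mirror the page’s constants.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.*;
import org.ietf.jgss.*;

public class SpnegoAuthExample {
    // Placeholders (assumed values); substitute your own environment's settings.
    static final String ACTIVE_DIRECTORY_SERVER = "<hostname/ipaddress>";
    static final String DEFAULT_DOMAIN = "<THE DEFAULT DOMAIN>";   // realm, upper case
    static final String SP_USER = "testsso";
    static final String SP_PASSWORD = "<server-principal-password>";

    static {
        // Point the Kerberos client at the KDC (AD) and realm, and at the JAAS config file.
        System.setProperty("java.security.krb5.kdc", ACTIVE_DIRECTORY_SERVER);
        System.setProperty("java.security.krb5.realm", DEFAULT_DOMAIN);
        System.setProperty("java.security.auth.login.config", "c:\\jaas.conf");
    }

    // Log the service principal in with its password (assumed "spnego-server" jaas.conf entry).
    static Subject serviceSubject() throws Exception {
        LoginContext lc = new LoginContext("spnego-server", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(SP_USER);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(SP_PASSWORD.toCharArray());
            }
        });
        lc.login();
        return lc.getSubject();   // in production cache this instead of logging in per request
    }

    // Returns the authenticated client principal (user@REALM), or null after sending a challenge.
    static String authenticate(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Negotiate ")) {
            resp.setHeader("WWW-Authenticate", "Negotiate");        // step 1: challenge the browser
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return null;
        }
        byte[] token = Base64.getDecoder().decode(header.substring("Negotiate ".length()));
        return Subject.doAs(serviceSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null); // acceptor
            byte[] out = ctx.acceptSecContext(token, 0, token.length);   // step 2: validate the ticket
            if (out != null)   // mutual authentication: return our proof to the browser
                resp.setHeader("WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString(out));
            String user = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            ctx.dispose();
            return user;
        });
    }
}
```

A GSSException from acceptSecContext usually means the browser sent an NTLM token under the Negotiate header (site not in the Intranet zone, or the SPN not registered) or the clocks are out of sync; treat it as a failed login rather than falling back to another mechanism.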
- Make sure the SPN registered with setspn is uniquely associated with one Active Directory user.
- Internet Explorer should be able to identify your site as an Intranet site. If not, change the IE settings to make it an Intranet site.
- Kerberos requires the clocks of the involved hosts to be synchronized.
- Always specify domain names in upper case. Example: testsso@
OC4J / OracleAS
OC4J will not recognize this, hence you need to update the file for a custom provider. Find more information in the link below:
MS Kerberos Explanation
MIT, the founder and developer of Kerberos