How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

authentication active-directory single-sign-on pki
85,965

Solution 1

First of all - and in case other users happen to visit this page - there are only certain authentication methods that allow you to do promptless SSO. These are NTLM and Kerberos. LDAP - on the other hand - will never give you promptless SSO.

NTLM is actually NTLMv1 and NTLMv2. These are very different and NTLMv1 is deprecated because of serious security issues. You should shy away from Java authentication solutions that fail to correctly identify if they support NTLMv1 or NTLMv2 because they only use the word "NTLM" in their documentation. Chances are the developer's of said security solution don't know themselves which is all the more reason to look for the fire escape.

Contrary to traditional belief both NTLMv1 and NTLMv2 are fully documented by Microsoft but you will still find solutions that claim to have 'reverse engineered' the protocol. It is true that this was needed prior to Microsoft documenting the protocols I believe around 2006 or 2007. Anyway NTLMv1 is a no-no. There's nothing wrong with NTLMv2 per-se but Microsoft has been phasing out NTLM (in any form) in all of its products in favour of Kerberos authentication. NTLMv1 is long dead and NTLMv2 is now only used by Microsoft in cases where no Domain Controller is available. Bottom line: NTLM (in any form) is not really the way forward. We should actually salute Microsoft for taking a standards based approach here.

This leaves you with Kerberos. Microsoft has created a protocol for negotiating and transporting authentication information over HTTP. This is known in Microsoft products as "Integrated Windows Authentication" but it has been nailed down as an official standard under the name of SPNEGO. This is what you should be looking for. SPNEGO supports both NTLMv2 and Kerberos as the underlying authentication mechanism but for the above reasons you should be targeting Kerberos rather than NTLMv2.

I've successfully integrated several Tomcat applications (running on Linux/Solaris) with Active Directory using the SPNEGO Project at SourceForge. I've found this to be the simplest approach. This gives you promptless SSO similar to what for example a Sharepoint server does. This is most likely what your users will expect when talking about 'SSO'. Getting the Kerberos configuration right, generating keys and setting up 'dummy' accounts in Active Directory can be a hassle but once you get it right it works like a charm.

The only thing I do not like about the SPNEGO Project at SourceForge is that I do not understand how often it performs the authentication. My nasty suspicion is that it does it for every page view rather than once for each session. Perhaps I'm wrong in this. Anyway: this highlights another thing to consider in SSO solutions: you don't want to implement a solution that 'spams' your identity provider (say Active Directory) with unnecessary requests.

Solution 2

In a Windows Active Directory environment, Single Sign On is used to mean visiting an internal web page carries your Windows login permissions and the web server can act on them. It is something NTLM is used for, but newer implementations use Kerberos instead.

If you open a Sharepoint Server website it knows who you are without needing a login username and password, but this works only for internal websites on the same network, I don't think it makes much sense for it to work on a public website. (I can't tell if you mean "virtual host" as in an Apache vhost or as in an outsourced hosted server).

Here is a Microsoft document describing how Kerberos authentication works to a web server running IIS / ASP.Net: http://msdn.microsoft.com/en-us/library/ff647076.aspx

It looks possible to do with Apache/Tomcat/Java. Here is a PDF describing a UK University implementation of that: http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf and a Codeplex project for it: http://tomcatspnego.codeplex.com/ and Openfire have some documentation to do with generally working with Java/Kerberos here (http://community.igniterealtime.org/docs/DOC-1060 ).

Share:
85,965

Related videos on Youtube

blak3r
Author by

blak3r

Personal Website: http://www.blakerobertson.com

Updated on September 18, 2022

Comments

  • blak3r
    blak3r over 1 year

    I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt. These customers have been referring to this as Single Sign On (perhaps incorrectly and part of my confusion).

    But, from what I read Single Sign On from the Tomcat docs is:

    The Single Sign On Valve is utilized when you wish to give users the ability to sign on to any one of the web applications associated with your virtual host, and then have their identity recognized by all other web applications on the same virtual host.

    This is perfectly clear to me. User has to login once and can access every webapp on an instance of tomcat. But, what I need to do is somehow let them login without ever providing any credentials to my tomcat server.

    So, in order for this to work I imagine:

    • User makes request for some page
    • Server sees no session token and then request the client for some credentials.
    • The clients browser without any intervention from the user provides some credentials to the server.
    • Then, using those credentials provided by the clients browser it does a lookup in an LDAP.

    I've seen some examples which use client side certificates... particularly the DoD PKI system which makes some sense to me because in those cases you configure Tomcat to request client side certs, but just logging into windows I don't see how this would work and what information the browser would pass to the server etc. Is this what NTLM is used for?

  • Admin
    Admin almost 13 years
    No they don't. See the big picture, thanks to Kerberos the user enters his credentials once manually and after that every login happens automatically on his behalf. This does not mean that no login happens at all then. This is what you wrote.
  • blak3r
    blak3r almost 11 years
    Thanks, made this the accepted answer. One thing to add to your list of promptless logins is x509 certificate logins... Like the government CAC cards.
  • Tim S.
    Tim S. almost 5 years
    This is a fantastic answer, even if it's 6 years old! I'd upvote x10 if I could!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Java SSO: Kerberos authentication against Active Directory
Sample cypress script to bypass SSO
How to integrate Azure AD SSO in flutter app
Authenticate Oracle Database with Active Directory Users
C# / ASP.NET / AD - "The specified directory service attribute or value does not exist."
C# netcore ldap authentication using Novell.Directory.Ldap.NETStandard library
Single Sign On with apache on windows 7 and mod_auth_sspi
How to check AD user credentials when the user password is expired or "user must change password at next logon"
Auto Signin with Active Directory Account in c# ASP.Net Website
SVN + SASL + ActiveDirectory: How to