HTTP/SPNEGO for "SSO" on MS Windows
Hi all of you!
The scene is simple: I got a software (all in plain Java) and some simple web access to this system. (It's not a real web server which will be in need of Apache or some big container; it's just a few accesses to some information of the software.)
The client company is all MS Windows, and it's used to some SSO approach;
they got an AD server on Win2003, all laptops are under WinXP Pro and got IE at least version 6.
Now the question is this:
I got
- a guy (properly authenticated) who is
- using IE (properly set up)
- on a computer (properly attached to AD)
to access a resource URL of my app.
It's quite simple to send him an HTTP 401 or 407 so IE goes back to the AD server and gets its token,
BUT how can I manage in Java to extract the account used by the client
from the SPNEGO token? This is all I need.
I can't find any help on this, so please, if someone can help me in this...
I'm lost... Thanks in advance for a simple hint or a URL linking me on the good path.
By henoc.aa at 2007-11-26 15:16:20

# 1
I forgot:
OK for the configuration, thanks to some of your posts (thanks all),
I know all the important steps to be followed.
For example I quote danielshrem's last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
<quote>
Hey Seema,
Indeed my server's principal was not the correct one, now everything is cool with rc4 encryption.
for all u dudes out there in need of Java HTTP kerberos auth here's a few simple configuration procedures:
1. on the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). the SPN has to be in format HTTP/host@Realm or HTTP/host (this SPN worked for me). if u don't know exactly which SPN u need u can sniff an HTTP session on ethereal, look for Kerberos AP Req-->ticket-->Server Name. from what i gather this is the principal the clients use.
2. on the DC add a mapping to the newly created SPN (use ktpass.exe)
3. on the host running the service create a keytab file containing the newly created HTTP principal (use java's ktab.exe)
4. make sure the SPN is set up OK by running kinit and passing the newly created keytab file and the newly created SPN.
once u receive an ok result you are good to go (login and authenticate users)
hope this helps
Daniel.
</quote>
My problem (I know it must sound stupid): how do I extract the login account from this?
# 2
> My problem (I know it must sound stupid): how do I extract the login account from this?
If the authentication is through HTTP, you can try to look for the REMOTE_USER environment variable.
# 3
Thanks but it doesn't help!! I've tried redefining my post, maybe it will be more clear. Thanks for helping...
# 4
So you mean you want to write some Java code to decrypt a SPNEGO token from an XP client?
If so, you need to do some JGSS programming that first accepts the token (maybe base64 decode it first) into GSSContext.acceptSecContext() and passes back etc etc.
Read RFC 4559 on the details of the authentication scheme.
# 5
Yes wangwj, that's exactly what I'm trying to do,
at least if I can find information on how to do it;
I mean it's OK for the RFC, I surely don't know everything about Kerberos but I CAN find the info.
What is really a trouble is the Java side...
It's a mess, so many acronyms everywhere around, no paper or doc to try to describe to us a clear high-level organisation of all this mess
(grab a high-level description, then go into details only after you know what is involved).
I don't have any clue on which Java API should be used for doing the steps involved here:
-1- handling the SPNEGO from IE, extracting a token from the SPNEGO (they say they do SPNEGO but it's not really clear what they do exactly)
-2- handling this token via Kerberos to do the authentication
-3- and knowing which user this Kerberos token is linked to...
If I can get to that, all this is NOTHING!!! The goal of all this is to give the user the customized info he deserves...
If after all that I still have to ask him to ENTER his name, I don't see where the Single Sign-on is?
# 6
I don't think there's a mess in JGSS. There's a new tutorial on the SPNEGO mechanism at
http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html#SPNEGO
In fact, the new sample is almost identical to the old JGSS sample codes, except for a different OID. You just decode/encode the token from/to the HTTP header and go on until the negotiation is OK. I believe there should be only one request and one response in a SPNEGO conversation.
Personally I think the guide part of the JDK doc is quite useful.
Message was edited by: wangwj
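The steps wangwj describes in #4 and #6 (base64-decode the Negotiate token, feed it to GSSContext.acceptSecContext(), read the client name) as an added example; this is not code from the thread or from the JDK tutorial. It assumes a JAAS login entry named "ServerAcceptor" that uses Krb5LoginModule with the keytab from Daniel's steps, and JDK 8+ for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Server side of the RFC 4559 "Negotiate" exchange on top of JGSS. */
public final class SpnegoAcceptor {
    private final Subject serverSubject;
    /** Logs in as the HTTP/host principal from the keytab. Assumes a JAAS entry named "ServerAcceptor"
     *  that uses Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false. */
    public static SpnegoAcceptor fromKeytab() throws LoginException {
        LoginContext lc = new LoginContext("ServerAcceptor");
        lc.login();
        return new SpnegoAcceptor(lc.getSubject());
    }
    public SpnegoAcceptor(Subject serverSubject) { this.serverSubject = serverSubject; }
    /** Handles one request: returns the client's Kerberos name (user@REALM) once the context is
     *  established, else null and the caller answers 401 "WWW-Authenticate: Negotiate" followed,
     *  when outToken[0] is non-null, by a space and its base64 encoding. */
    public String accept(String authorizationHeader, byte[][] outToken) throws PrivilegedActionException {
        outToken[0] = null;
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            return null;                                   // no token yet: challenge the browser
        }
        byte[] inToken = Base64.getDecoder().decode(authorizationHeader.substring(10).trim());
        if (inToken.length > 7 && "NTLMSSP".equals(new String(inToken, 0, 7, StandardCharsets.US_ASCII))) {
            return null;   // IE fell back to raw NTLM (usually a wrong/missing SPN); JGSS cannot accept it
        }
        return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSCredential cred = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);   // SPNEGO mechanism OID
            GSSContext ctx = gm.createContext(cred);
            try {
                outToken[0] = ctx.acceptSecContext(inToken, 0, inToken.length);
                if (!ctx.isEstablished()) return null;       // with Kerberos inside SPNEGO this is one round trip
                return ctx.getSrcName().toString();          // the account behind the ticket
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

A bad or replayed token makes acceptSecContext() throw, which surfaces as PrivilegedActionException; treat that as "not authenticated" and re-challenge rather than trusting any name the browser might place elsewhere in the request.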
# 7
As I just said on my other post (http://forum.java.sun.com/thread.jspa?messageID=9453368),
all I got to do is go back again through the security API's guide, because it seems clear to me that I've missed some part;
maybe it's due to the lack of holidays... ;-(
Human beings should take time to rest a little.
Anyway, you were right: I must read this again until I fully understand what it is all about...
Thank you for helping me.
Hope I will be of some help for you another day.