Difference between revisions of "Windows Authentication"
Latest revision as of 11:56, 10 December 2021
Understanding AD integration
SSO happens between three entities in the same network domain:
- Tomcat server with TempusServa
- Domain controller (Active Directory)
- Client machine with a user
  - authenticated against the domain controller
  - accessing the TempusServa installation
After the initial contact with the user, TempusServa validates the original AD authentication and logs the user in if a matching username can be found. Optionally, TempusServa can synchronize group memberships using regular LDAP querying.
The recommended approach for Tomcat is to use a SPNEGO servlet filter mapped to the TempusServa login page. Other integration methods include:
- Waffle (support for other servers)
- Tomcat 7 native SPNEGO
Installing the SPNEGO servlet filter
Note: the following guide is for Tomcat 6 or higher.
Installation part 1
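The first part of the installation ensures the basic SSO communication is in place.
1. Run pre flight checklist (http://spnego.sourceforge.net/pre_flight.html)
2. Run installation (http://spnego.sourceforge.net/spnego_tomcat.html)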
Troubleshooting
- Check Tomcat is running in the same context as the domain user
- Ensure only one SPN exists (with fully qualified name)
After a successful test you should remove the JSP test file.
Installation part 2
The second part of the installation ensures TempusServa logs in the user based on the Windows authenticated username.
Install the SPNEGO filter on the TempusServa application:
- Copy the filter settings from the guide to <Tomcat>\webapps\<Application>\WEB-INF\web.xml
- Change the filter mapping from *.jsp to the login page

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>/login</url-pattern>
    </filter-mapping>

Configure TempusServa to accept SSO by changing the system configuration:

    ssoSpnegoAuthenticate = true

Finally, restart Tomcat.
Testing the setup
Find a suitable user:
- Must exist as a Domain User in the AD server (e.g. "TESTDOMAIN\DrStrangelove")
- Must exist as a user in Tempus Serva (e.g. "DrStrangelove")
Log in to a machine connected to the domain controller.
Navigate to the TempusServa login page and check that you are logged in and redirected to the main page.
Other results:
- Login page displayed with a "Login failed" message: SPNEGO is working, but the Windows-authenticated user could not be matched to a (valid) user in the Tempus Serva database
- Login page displayed without any messages: SPNEGO is NOT working or is deactivated
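
When the login page shows no message, the HTTP headers seen on /login (browser developer tools or a proxy trace) tell you which side of the exchange is failing. The following is an added example, not TempusServa or SPNEGO project code: it classifies the observed headers, and the function names, finding codes and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                                   # NTLM message signature
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))       # 1.2.840.48018.1.2.2 (Microsoft)

def classify_token(authorization):
    """Classify an 'Authorization' request header value by the mechanism it carries."""
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "malformed"
    if NTLMSSP in raw:                    # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm"
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"                 # GSS-API token naming a Kerberos mechanism
    return "malformed" if not raw else "unknown"

def diagnose(status, www_authenticate, authorization=None):
    """Map one observed request/response pair on the login page to a finding code."""
    schemes = [v.split()[0].lower() for v in www_authenticate if v.strip()]
    if authorization is None:
        if status == 401 and "negotiate" in schemes:
            return "challenge-ok"         # filter is active; the client must now answer
        return "no-challenge"             # filter not mapped to this URL, or SSO is off
    kind = classify_token(authorization)
    return {"kerberos": "kerberos-token", "ntlm": "ntlm-fallback"}.get(kind, "bad-token")

# Constructed sample headers (not captured traffic, no real ticket material).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + bytes(8)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x20" + bytes.fromhex("06062b0601050502") + KRB5_OIDS[0] + bytes(13)).decode()

if __name__ == "__main__":
    print(diagnose(200, []))                          # login page served without a challenge
    print(diagnose(401, ["Negotiate"]))               # filter challenged the client
    print(diagnose(401, ["Negotiate"], SAMPLE_NTLM))  # client answered with NTLM
    print(diagnose(401, ["Negotiate"], SAMPLE_KRB))   # client answered with Kerberos
```

A "no-challenge" finding points at the filter mapping or the ssoSpnegoAuthenticate setting; "ntlm-fallback" means the client did not obtain a Kerberos ticket for the server, which is where the SPN troubleshooting item applies.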