Difference between revisions of "Windows Authentication"

From TempusServa wiki
Jump to navigation Jump to search
old>Admin
m (30 revisions imported)
 
(18 intermediate revisions by one other user not shown)
Line 1: Line 1:


== Understanding AD integration ==
== Understanding AD integration ==
SSO happens between three entities in the same network domain:
* Tomcat server with TempusServa
* Domain controller (Active Directory)
* Client machine with a user
** authenticated against the domain controller
**accessing the TempusServa installation


== Recommended: SPNEGO filter ==
After the initial contact with the user TempusServa validates the original AD authentication, and logs in the user if a matching username can be found. Optionally TempusServa can synchronize group memberships using regular LDAP querying.
 
The recommended approach for Tomcat is using a SPNEGO servlet filter mapped to the TempusServa login page. Other integrations methods include
* Waffle (support for other servers)
* Tomcat 7 native SPNEGO
 
== Installing the SPNEGO servlet filter ==
Note the following guide is for Tomcat 6 or higher.


=== Installation part 1 ===
=== Installation part 1 ===
# Run pre flight checklist
The first part of the installation ensures the basic SSO communication is in place.
# [Run installation|http://spnego.sourceforge.net/spnego_tomcat.html]
 
# [http://spnego.sourceforge.net/pre_flight.html Run pre flight checklist]
# [http://spnego.sourceforge.net/spnego_tomcat.html Run installation]


Troubleshooting
Troubleshooting
* Check Tomcat is running in the same context as the domain user
* Check Tomcat is running in the same context as the domain user
* Ensure only one SPN exists (with fully qualified name)
* Ensure only one SPN exists (with fully qualified name)
After a succesfull test you should remove the jsp test file.


=== Installation part 2 ===
=== Installation part 2 ===
The second part of the installation ensures TempusServa logs in the user based on the Windows authenticated username.


Install the SPNEGO filter on the application
Install the SPNEGO filter on the TempusServa application
# Copy filter setting from the guide to '''<TempusServaApplication>\WEB-INF\web.xml'''  
# Copy filter setting from the guide to '''<Tomcat>\webapps\<Application>\WEB-INF\web.xml'''  
# Change the filter mapping from *.jsp to the login page
# Change the filter mapping from *.jsp to the login page
   <filter-mapping>
   <filter-mapping>
Line 41: Line 59:
* Login displayed with "Login failed" message: The SPNEGO is working but it was not possible to match the Windows authenticated user to a (valid) user in the Tempus Serva database  
* Login displayed with "Login failed" message: The SPNEGO is working but it was not possible to match the Windows authenticated user to a (valid) user in the Tempus Serva database  
* Login displayed without any messages: The SPNEGO is NOT working or is deactivated
* Login displayed without any messages: The SPNEGO is NOT working or is deactivated
== Other methods ==
* Waffle
* Tomcat 7 native SPNEGO

Latest revision as of 11:56, 10 December 2021

Understanding AD integration

SSO happens between three entities in the same network domain:

  • Tomcat server with TempusServa
  • Domain controller (Active Directory)
  • Client machine with a user
    • authenticated against the domain controller
    • accessing the TempusServa installation

After the initial contact with the user TempusServa validates the original AD authentication, and logs in the user if a matching username can be found. Optionally TempusServa can synchronize group memberships using regular LDAP querying.

The recommended approach for Tomcat is using a SPNEGO servlet filter mapped to the TempusServa login page. Other integrations methods include

  • Waffle (support for other servers)
  • Tomcat 7 native SPNEGO

Installing the SPNEGO servlet filter

Note the following guide is for Tomcat 6 or higher.

Installation part 1

The first part of the installation ensures the basic SSO communication is in place.

  1. Run pre flight checklist
  2. Run installation

Troubleshooting

  • Check Tomcat is running in the same context as the domain user
  • Ensure only one SPN exists (with fully qualified name)

After a succesfull test you should remove the jsp test file.

Installation part 2

The second part of the installation ensures TempusServa logs in the user based on the Windows authenticated username.

Install the SPNEGO filter on the TempusServa application

  1. Copy filter setting from the guide to <Tomcat>\webapps\<Application>\WEB-INF\web.xml
  2. Change the filter mapping from *.jsp to the login page
  <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>/login</url-pattern>
  </filter-mapping>

Configure TempusServa to accept SSO by changing system configuration

  ssoSpnegoAuthenticate = true

Finally restart Tomcat

Testing the setup

Find a suitable user

  • Must exist as a Domain User in the AD server (ex. "TESTDOMAIN\DrStrangelove" )
  • Must exist as a user in Tempus Serva (ex. "DrStrangelove")

Login to a machine connected to the Domain controller

Navigate to the TempusServa login page and check if you are logged in and redirected to the main page.

Other results

  • Login displayed with "Login failed" message: The SPNEGO is working but it was not possible to match the Windows authenticated user to a (valid) user in the Tempus Serva database
  • Login displayed without any messages: The SPNEGO is NOT working or is deactivated