IBM Security Verify

Expand all | Collapse all

Kerberos SSO

  • 1.  Kerberos SSO

    Posted 3 days ago
    Hello all,

    does anybody know an option to use Kerberos with AAC not WebSEAL?

    Cheers,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: Kerberos SSO

    Posted 3 days ago

    H Jens,

    I don't think AAC has any Kerberos authentication mechanism.  I'm not sure whether it would be possible to write something in InfoMap - ASN.1 processing would not be fun.

    In the past I've known customers that have implemented Kerberos Desktop SSO in their own IIS or WebSphere app servers and integrated with Verify Access using EAI.  If I remember, they did this because that allowed them to support a large number of AD domains.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Kerberos SSO

    Posted 2 days ago
    Hi Jon,
    thanks for confirming, I thought it's that way. Unfortunatelly that brings some trouble while using Login with AAC and not using WebSEAL or better if using both it makes things quite complex as you have different templates. What would you suggest is the best way to use Kerberos at WS and AAC for e-Mail login instead of UID?

    THX,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 4.  RE: Kerberos SSO

    Posted yesterday
    Hi Jens,

    In general I always feel there are issues when trying to mix Kerberos authentication with other authentication types on the same WebSEAL server.  Mostly this is caused by browser behaviour when Kerberos is attempted but subsequently fails (or is cancelled).  I've seen browsers just keep presenting an NTLM header which causes WebSEAL to throw an error.  I've heard stories of people successfully setting this up (using redirects in NTLM error page for example) but have never managed it myself in a satisfactory way.

    The approach I've usually recommended is to use a different Reverse Proxy to support Kerberos that the one that supports other mechanisms.   Depending on network architecture it may be possible to make this invisible to clients by using DNS to direct those with access to Domain controller to the Kerberos-enabled proxy cluster.

    What user experience are you trying to achieve?   Without prompting for Kerberos it's hard to find out if client supports it - and once you prompt you have the issue I mentioned at the start.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Kerberos SSO

    Posted yesterday
    Hi Jon,

    you're right with the Browser, I'd run into the same issues with another client while ago. At that point we actually implemented what you suggested, different WebSEAL's for internal and external users.

    Unfortunately here the network guy's are a bit, put it not flexible. 

    Chers,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 6.  RE: Kerberos SSO

    Posted yesterday
    Hi Jens, 

    We faced the same problem. Our solution was to make a OIDC server doing the actual Kerberos. We integrated the flow within AAC by having the kickoff called by an Infomap. 

    Danny

    ------------------------------
    Danny CH.
    ------------------------------



  • 7.  RE: Kerberos SSO

    Posted yesterday
    Hi Denny,

    thanks for the hint. What do you mean with OIDC Server doing Kerberos? Usually you find the OIDC behind /mga of the WebSEAL. Thats basically what we did right now, enabling Kerberos at the WebSEAL in front of the auth policy we are using for e-mail login. But then the issues Jon focused on are happening. Also, the /mga Jct is open without authentication usually. So I believe the kerberos isn't even triggered

    Cheers,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 8.  RE: Kerberos SSO

    Posted yesterday
    Kerberos is tricky because you need the right configuration in WebSEAL. The *reverse* DNS lookup also needs to correspond to the SPN for which the keystore is defined. 
    We dedicated a WebSEAL Reverse Proxy that does *only* Kerberos authentication. We configured it as an OIDC Provider. The other Reverse Proxies needing to perform Kerberos, are OIDC Relying Parties of that Provider, so basically the user is redirected to the Kerberos OIDC Provider to authenticate and returns to the Client. Using this OIDC Flow you can use Kerberos Authentication in a flexible way without having to fiddle with every other WebSEAL instance requiring it, you just connect them through this OIDC Flow. This way Kerberos can easily fit in the AAC module an can be used just like any other Authentication Policy.

    ------------------------------
    Danny CH.
    ------------------------------