TOM KEMP'S CENTRIFY BLOG
A Closer Look at Centrify DirectControl's Web SSO Solution
Tuesday, May 20, 2008
In my last blog post I discussed some of the challenges customers are trying to address with Web single sign-on (SSO) solutions that leverage Microsoft Active Directory. In this blog post I want to discuss the architecture and key features of our DirectControl agent for web and Java/J2EE applications and how it addresses these challenges. In future blog posts I will describe some use cases of our web/Java agent.
[As a reminder Centrify is hosting an upcoming webinar that goes into much more detail on integrating non-Microsoft web servers with Active Directory.]
Core Features
At a high-level, the DirectControl for web/Java agent provides the following five key features:
- SPNEGO Support for Application Servers: the DirectControl for web/Java agent natively extends the security layer of each application server to implement the SPNEGO protocol for Kerberos and NTLM authentication and single sign-on. Per Wikipedia: "SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports...SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory."
In effect, DirectControl extends the "secret handshake" that Microsoft provides between IE and IIS. This means that with DirectControl you can use IE, or any other browser that supports SPNEGO, and get the same SSO experience not only with IIS but with non-Microsoft web servers such as Apache, JBoss, WebLogic and WebSphere (running on either Windows or UNIX/Linux).
- Kerberos Support for web/Java Applications: Kerberos is the mature approach that Microsoft uses for single sign-on in an all-Microsoft environment. While Kerberos is available for non-Microsoft platforms, like UNIX and Linux, it can be difficult for a non-expert to deploy and manage a Kerberos stack for use in single sign-on. DirectControl for web/Java, in cooperation with DirectControl for Systems, automatically deploys, configures and manages the entire Kerberos stack for the application server and OS that your custom application is installed on.
Optionally, NTLM can also be used for authentication in an environment or system where Kerberos is not functional or appropriate. NTLM is an older technology provided by Microsoft for authentication.
- Authorization based on Active Directory Groups: Using J2EE standards, DirectControl for web/Java can populate the proper J2EE roles based on Active Directory groups. Additionally, custom user attributes can be passed to the application from Active Directory. This allows a custom web application to provide role-based access and personalization based on a centrally managed identity in Active Directory, regardless of the platform the application server runs on.
- Active Directory Federation Services (ADFS) Support: ADFS, based on industry standards such as the WS-* web services specifications, provides a platform for single sign-on across multiple applications during a single browsing session. Additionally, ADFS provides services that allow authentication and authorization to happen across security, organizational and domain boundaries. These services are included in Windows Server 2003 R2 and 2008. Follow this link for more information on our ADFS web SSO agents for non-Microsoft web servers.
- Support for SSO to the underlying operating systems: Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX, Linux, Mac, web and database platforms with Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an Active Directory client, enabling you to secure that system using the same operating system-level authentication, authorization and Group Policy services currently deployed for your Windows systems.
This means by packaging the DirectControl agent for the operating system and application server, along with installation and configuration documentation and support and services of the DirectControl for web/Java products into a single comprehensive solution, Centrify can help provide a true single sign-on solution at both the OS and application layer that better interoperates with your enterprise.
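The SPNEGO and NTLM bullets above describe the mechanisms a browser can present under the HTTP "Negotiate" scheme. The following added example (my own illustration, not Centrify code) shows how a defender can tell them apart when reviewing web server access logs: it decodes the base64 token from an "Authorization: Negotiate" header, distinguishes a GSS-API/SPNEGO or Kerberos token from a bare NTLMSSP message, and reports clients that have fallen back to NTLM. The log format and the sample tokens are constructed for the example.

```python
import base64
OID_NAMES = {  # DER OID contents (bytes after the 0x06 tag and length), RFC 4178 / RFC 4121
    bytes.fromhex("2b0601050502"): "spnego",          # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # every NTLM message begins with this signature

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset just past it)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                # long form: the next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64_token):
    """Name the mechanism carried by an 'Authorization: Negotiate <token>' value."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
        if raw.startswith(NTLMSSP_SIGNATURE):
            return "ntlm"              # bare NTLMSSP message sent under the Negotiate scheme
        if raw[0] != 0x60:             # GSS-API InitialContextToken is [APPLICATION 0]
            return "unknown"
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:           # the first element must be the mechanism OID
            return "unknown"
        oid_len, pos = _der_length(raw, pos + 1)
        if pos + oid_len > len(raw):
            return "invalid"
        return OID_NAMES.get(raw[pos:pos + oid_len], "unknown")
    except (IndexError, ValueError):   # bad base64 (binascii.Error) or truncated DER
        return "invalid"

def find_ntlm_fallbacks(log_lines):
    """Return (client, mechanism) for each Negotiate request that is not Kerberos-based."""
    hits = []
    for line in log_lines:
        client, _, header = line.partition(" Authorization: ")
        scheme, _, token = header.partition(" ")
        if scheme == "Negotiate" and (mech := classify_negotiate_token(token.strip())) not in OID_NAMES.values():
            hits.append((client, mech))
    return hits

def _gss_token(oid_contents, inner):
    """Build a minimal InitialContextToken (short DER length form) as constructed test data."""
    body = b"\x06" + bytes([len(oid_contents)]) + oid_contents + inner
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
SPNEGO_SAMPLE = _gss_token(bytes.fromhex("2b0601050502"), b"\xa0\x03\x0a\x01\x00")
NTLM_SAMPLE = base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
SAMPLE_LOG = ["10.0.0.5 Authorization: Negotiate " + SPNEGO_SAMPLE,   # constructed log lines
              "10.0.0.7 Authorization: Negotiate " + NTLM_SAMPLE,
              "10.0.0.9 Authorization: Basic dXNlcjpwYXNz"]
```

Run against real logs, a steady stream of "ntlm" hits from a client that should be Kerberos-capable usually points at a missing or mismatched service principal name or a clock skew problem rather than a browser limitation.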
Comparing DirectControl for Web/Java with Built-In Active Directory Integration Capabilities
Now that I have given an overview of our DirectControl solution for Web/Java, I want to address a question we are occasionally asked: how does this compare to what you get "in-the-box" with web application servers? As you may know, many application servers offer some level of integration with Active Directory, either through open source or proprietary features. However, real-world Active Directory implementations are often far more complex than these features can manage. For example, real-world Active Directory deployments include many of the following characteristics that are not adequately supported (if at all) by built-in capabilities:
- Multi-domain/multi-forest with one/two-way trusts
- Kerberos and NTLM support for authentication
- Automatic domain controller discovery and failover
- A global catalogue service for cross forest discovery
The lack of adequate support for these features makes integration with a real-world Active Directory infrastructure prone to breakage and scalability problems.
Many of the application servers support integration with an LDAP server. While Active Directory can be exposed as an LDAP source, this approach is fraught with potential problems. Most LDAP integration capabilities are not able to work with Kerberos for single and silent sign-on. Where Kerberos integration is provided, the Kerberos stack is very difficult to set up and maintain on UNIX and Linux.
Finally, the integration of external users and partners should be considered. Current federation servers are complex and require additional infrastructure. Additionally, support for federation is often different for each app server. Administrators need a simple and cost-effective solution for managing external users and federation.
The following table summarizes some of the advantages we see that DirectControl for Web and Java provides over built-in or open source alternatives to integration with Active Directory and SSO for external applications.
The table above does not factor in SSO support for the underlying operating system (DirectControl supports over 135 flavors of UNIX, Linux and Mac), nor does it reflect the consistent Active Directory integration DirectControl offers across a wide range of app servers (Apache, JBoss, WebLogic, WebSphere, etc.) as well as other applications such as SAP and databases such as DB2. In effect, Centrify DirectControl provides homogeneous AD integration for heterogeneous systems and applications that is fully supported, tested and documented, with optional services.
In my next few blog postings I will discuss some of the deployment scenarios customers are using our Web SSO capabilities for.