TOM KEMP'S CENTRIFY BLOG

Web SSO for Intranet Applications Using SPNEGO and DirectControl for Java/Web

Thursday, May 22, 2008

In my last couple of blog posts I discussed some of the challenges customers are trying to address with Web single sign-on (SSO) solutions, the architecture and key features of our DirectControl solution for web and Java/J2EE applications, and how DirectControl addresses these challenges. In this blog post I will discuss the specific use case of web SSO for intranet applications (applications where all of the users are "internal" users such as employees, contractors and consultants).

[As a reminder Centrify is hosting an upcoming webinar that goes into much more detail on integrating non-Microsoft web servers with Active Directory.]

For applications that support intranet users that exist primarily in Active Directory, the DirectControl for Java/Web solution can be used to integrate directly with Active Directory. The technical approach that DirectControl uses for silent web sign-on is a protocol called SPNEGO. SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is available through the Internet Explorer, Firefox and Safari browsers. Centrify DirectControl for Java/Web implements the server side of the SPNEGO protocol for non-Microsoft application servers such as Apache, WebLogic, WebSphere, Tomcat and JBoss. [Note: DirectControl supports WebLogic, WebSphere, Tomcat and JBoss running on Windows as well as Linux and UNIX.]

By leveraging the built-in negotiation that SPNEGO provides, you can give your intranet users true, silent single sign-on through the Kerberos (or NTLM) support built into their Windows XP/Vista desktop.

The high-level single sign-on experience based on SPNEGO and Kerberos is as follows (also see diagram below):

  1. A user gets a valid Kerberos ticket by logging into their Windows XP or Windows Vista machine (or an OS X or Linux workstation joined to Active Directory using DirectControl).
  2. The user then opens a browser and accesses a web site secured by DirectControl for Java/Web. On the app server, the DirectControl for Java/Web agent negotiates through SPNEGO that Kerberos is to be used for authentication (or it can support NTLM, BASIC or FORMS-based authentication against Active Directory as appropriate).
  3. Assuming the negotiation determines that Kerberos can be used, the browser requests a Kerberos service ticket for the application.
  4. The service ticket is provided to the DirectControl for Java/Web agent.
  5. The agent in turn validates the request via Kerberos to the Active Directory KDC.
  6. Once the service ticket is validated, the user is authenticated and granted access to the application.

This entire experience is transparent to the end user, as they are silently authenticated and signed on to the application.
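As an added illustration (not code from this post or from Centrify's product), here is a small Python model of the server side of steps 2 and 3: it issues the Negotiate challenge, decodes the token the browser sends back, reads the mechanism list from the SPNEGO NegTokenInit, and refuses to proceed when the browser fell back to NTLM instead of Kerberos, which is the case an administrator would want logged. The sample tokens are constructed for the example; the mechanism OIDs are the standard GSS-API values, and validating the service ticket against the KDC (step 5) is outside what this block models.

```python
import base64
# DER-encoded GSS-API mechanism OIDs (well-known values, not from the post)
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECH_NAMES = {
    bytes.fromhex("2a864886f712010202"): "kerberos",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "ntlm",       # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos):  # read one DER element -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_token(token):
    """List the mechanisms a Negotiate token offers, preferred one first."""
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, no GSS-API framing
        return ["ntlm"]
    tag, body, _ = _tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = _tlv(body, 0)
    if oid != SPNEGO_OID:  # bare mechanism token without the SPNEGO wrapper
        return [MECH_NAMES.get(oid, "unknown")]
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    _, neg_init, _ = _tlv(body, pos)
    _, fields, _ = _tlv(neg_init, 0)
    _, mech_list, _ = _tlv(_tlv(fields, 0)[1], 0)
    offered, p = [], 0
    while p < len(mech_list):
        _, oid, p = _tlv(mech_list, p)
        offered.append(MECH_NAMES.get(oid, "unknown"))
    return offered

def handle_request(headers, require_kerberos=True):
    """Server side of the negotiation: returns (status, headers, mechanisms)."""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Negotiate":  # step 2: ask the browser to negotiate
        return 401, {"WWW-Authenticate": "Negotiate"}, []
    mechs = classify_token(base64.b64decode(b64))
    if require_kerberos and not mechs[0].startswith("kerberos"):
        return 401, {"WWW-Authenticate": "Negotiate"}, mechs  # log the fallback
    return 200, {}, mechs  # steps 4-6: agent validates the ticket with the KDC

# Constructed sample NegTokenInit: offers Kerberos, MS-Kerberos, NTLM; dummy mechToken
SAMPLE_SPNEGO = base64.b64encode(bytes.fromhex("603a06062b0601050502a030302ea0243022"
    "06092a864886f71201020206092a864882f712010202060a2b06010401823702020aa2060404deadbeef")).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```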


The simple steps to set up the various components of this solution are as follows:

  1. Join the application server to Active Directory with DirectControl for Systems.
  2. Configure the application server with the DirectControl for Java/Web solution.
  3. Configure the web application for a new type of authentication.
  4. Configure the web browser for SPNEGO support.

Once this simple configuration is complete, the end user experiences true, silent single sign-on to Java/Web applications on non-Microsoft application servers.

Finally, I believe it is important to understand some of the enterprise-level features of the DirectControl for Java/Web solution that are not generally available in alternative approaches:

  • Full Support for Active Directory Policies. DirectControl for Java/Web talks directly to Active Directory; therefore, all native Active Directory features are supported. This includes support for a centrally managed password policy and the flexible user-naming conventions of Active Directory.
  • Cross-Domain Authentication. Users who are authenticated members of a remote domain can access an application server joined to another domain if the appropriate cross-domain trust relationship has been established. This occurs without the user being prompted for credentials. This is the same behavior that users would expect in an all-Windows environment.
  • Gold Standard Kerberos. Leveraging the MIT reference implementation of Kerberos, DirectControl delivers the most compatible and mature approach to Kerberos-based Active Directory authentication for enterprise applications such as custom web applications. While many platforms offer some type of Kerberos support, setting up and administering the Kerberos service to talk with Active Directory securely and reliably can be a complex task on non-Microsoft platforms. With the DirectControl Agent installed, the host platform becomes Active Directory-aware and can take advantage of Active Directory services - such as automatic updates of keytab files and keytab versioning, automatic time synchronization with Active Directory, local caching for disconnected mode, and dynamic DNS support - that greatly simplify initial configuration and provide a much higher degree of maintainability and reliability.

In my final posting in this series on DirectControl and Web SSO I will discuss the deployment scenario for extranet applications that have internal, external and even federated users.

[Special thanks to Corey Williams for assistance on this blog post and providing some of the content.]

