Page 1: Kerberos and SPNEGO Configuration with P8 - IBM

© 2009, 2013 IBM Corporation

Kerberos and SPNEGO Configuration with P8

Luis Duarte – IBM Advisory Software Engineer

Olivier de Touchet – IBM Software Engineer

Patricia Gatewood – IBM Software Engineer

Denise Halweg – Technical Support Manager and Moderator, [email protected]

17 December 2013

This session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When speaking, do not state any confidential information, your name, company name or any information that you do not want shared publicly in the replay. By speaking during this presentation, you assume liability for your comments.

Page 2: Kerberos and SPNEGO Configuration with P8 - IBM

Agenda

• Provide a high-level overview and basic configuration of Kerberos and SPNEGO SSO (Single Sign-on) solutions for P8-enabled applications in a WebSphere environment.

• Discuss Kerberos configuration for Content Engine via WSI (Web Services interface)

• Discuss SPNEGO configuration via the SPNEGO Web Authentication module in WebSphere v8.x for WorkplaceXT via HTTP

• Review troubleshooting scenarios, both Kerberos and SPNEGO

• Provide detailed reference materials

Page 3: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos Terminology:

• Kerberos authentication goes far beyond this high-level explanation. However, some key terms will be referenced.

• Key terms:

– Client: An application that wishes to authenticate itself to a Service like Content Engine. In regards to using Kerberos with Content Engine, a client might be an application using the Content Engine .NET API, for example FEM (FileNet Enterprise Manager), FIMO, etc.

– Service: A server-based application running on a particular system (or one among many in a cluster) that can use Kerberos authentication to verify the identity of its clients. The Content Engine is such a service.

– Key Distribution Center (KDC): A central server known to both a Kerberos client and service that supplies Kerberos authentication services. The KDC knows passwords for both the client and the service and acts as an intermediary between the two.

– Kerberos Identity Account: An Active Directory user account. It will serve as the identity of the particular service.

– Service Principal Name (SPN): A name that identifies a particular Kerberos service that is registered by the KDC. It is in the form SERVICE/name@REALM. The client will use an SPN to identify which Kerberos service it would like to authenticate itself to.

– UPN (User Principal Name): similar to email format, typically in the form "userid@REALM".

– Realm: For the Content Engine, this is equivalent to a Windows Active Directory domain.

– Keytab: A key table. This is a secure table of user names (SPNs) and passwords that may be used by services to identify themselves to the KDC.

Page 4: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos basics

• Kerberos is an authentication protocol and is the default Windows authentication protocol.

• Kerberos is comprised of three components: the Key Distribution Center (KDC), the client user, and the server with the desired service to access.

• Why Kerberos:
  – User passwords never travel across the network.
  – Kerberos facilitates user authentication over a trusted host (Realm) on an untrusted network.
  – Single Sign-On makes use of the TGT (Ticket Granting Ticket) which will be issued. Once a Service/Resource is accessed, it will make use of the Ticket provided by the KDC. The user is asked to provide a password only once during the session.

• The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).

• Content Engine Kerberos prerequisites:
  – Only Windows clients can use Kerberos authentication
  – Windows Active Directory is required as your directory service.
  – Kerberos support is available to clients of the Content Engine Web Services API

Page 5: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos Flow

Page 6: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO Overview

• User authenticates once to the desktop PC via AD domain login and can then securely access other systems transparently (SSO).

• Microsoft has extended Kerberos with a protocol known as Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) for sharing Windows credentials with Web servers.

• The SPNEGO token wraps a Kerberos token.

• WebSphere Application Server V7.0 includes SPNEGO function via a new SPNEGO Web Authentication Module introduced in V7.0 (the SPNEGO TAI has been deprecated).

• SPNEGO is initialized when processing the first inbound HTTP request.

• Kerberos credentials are carried via the SPNEGO (Negotiate) HTTP header to WebSphere, where they are validated and then inserted into an LTPA token.

Page 7: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO Flow

Page 8: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos Configuration

• Domain/REALM: EDMDOM.COM

• AD Kerberos Identity: krbce (This is different than the machine name and what is documented)

• System configuration:
  – Active Directory Server
    • Windows 2008 R2
    • MS SQL 2008
    • Hostname: W2K8AD
    • IP address: 192.168.142.157
  – Content Engine 5.1.0-IF002
    • Windows 2008 R2
    • WebSphere 8.0.0.3
    • Hostname: W2K8CE
    • IP address: 192.168.142.158
  – Client station
    • Windows 2007 Enterprise Edition x64
    • Content Engine 5.1 client
    • Hostname: WIN7FEM

Page 9: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Active Directory Kerberos Identity Creation

• The name of this account should be FNCEWS_ + host_name and will generally be similar to the short SPN name chosen above, with an underscore ( _ ) in place of the slash ( / ). There are two exceptions, however:
  – For clusters, where host_name would be a cluster name instead.
  – If the derived FNCEWS_ + host_name name would be longer than 20 characters, as it would with host_names longer than 13 characters, a different shorter name must be used.

Page 10: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Map the Service Principal Name (SPN) to the Kerberos Identity

• The following command will be issued on the AD Server

• SPN Format
  – FNCEWS/hostname
  – The host name should be an undistinguished (in other words, no dots) DNS name and all lower case
  – FNCEWS/hostFQDN or FNCEWS/[email protected]
  – If you need to use the FQDN then it is in all lower case, unless you use the @ symbol, in which case the domain name after it should be in all UPPERCASE
  – The SPNs that might be set up for SPNEGO (for example HTTP/myce01) are not compatible with the SPNs used by Content Engine's Kerberos.

• In our case:
  – FNCEWS/w2k8ce
  – FNCEWS/w2k8ce.edmdom.com or FNCEWS/[email protected]

Page 11: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Map the Service Principal Name (SPN) to the Kerberos Identity (cont.)

• Windows Server 2008 syntax for adding an SPN is "-A":
  – setspn -A FNCEWS/<CE_Host_name> <Kerberos_Identity>
  – setspn -A FNCEWS/<CE_Host_name_FQDN> <Kerberos_Identity>
  – setspn -A FNCEWS/w2k8ce FNCEWS_krbce
  – setspn -A FNCEWS/w2k8ce.edmdom.com FNCEWS_krbce
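The naming rules from the last three slides (FNCEWS_ + host identity, 20-character limit, lower-case host, upper-case realm, HTTP/ SPNs not usable for CE Kerberos, ServiceAccountName needed when identity and host differ) are easy to get wrong before setspn is ever run. The following checker is an added example written for this page, not IBM code; all function names are the author's own and the values are the lab environment from the deck.

```python
import re

# Added example, not from the IBM deck: encodes the naming rules the slides state
# for the Content Engine Kerberos identity (FNCEWS_<host>) and its FNCEWS SPNs so
# they can be checked before running setspn. All names are the author's own.

SAM_ACCOUNT_MAX = 20                          # sAMAccountName length limit cited in the deck
SHORT_HOST_RE = re.compile(r"^[a-z0-9-]+$")   # undotted, lower-case DNS label


def identity_name_too_long(host_name):
    """True when FNCEWS_<host> would not fit in a 20-character sAMAccountName."""
    return len("FNCEWS_" + host_name) > SAM_ACCOUNT_MAX


def kerberos_identity_name(host_name):
    """Return the FNCEWS_<host> account name; raise if it would exceed 20 characters
    (the deck notes this happens for host names longer than 13 characters)."""
    name = "FNCEWS_" + host_name.lower()
    if identity_name_too_long(host_name):
        raise ValueError("%r is %d chars; sAMAccountName allows %d, choose a shorter identity name"
                         % (name, len(name), SAM_ACCOUNT_MAX))
    return name


def content_engine_spns(host_name, dns_domain, realm):
    """The three SPN spellings the deck lists: short name, FQDN, FQDN@REALM.
    Host and domain are forced to lower case, the realm to upper case."""
    short = host_name.lower()
    fqdn = "%s.%s" % (short, dns_domain.lower())
    return ["FNCEWS/" + short, "FNCEWS/" + fqdn, "FNCEWS/%s@%s" % (fqdn, realm.upper())]


def validate_spn(spn):
    """Return the list of deck rules a proposed SPN breaks (empty list means OK)."""
    problems = []
    service, slash, rest = spn.partition("/")
    if not slash or service != "FNCEWS":
        # e.g. HTTP/myce01 is an SPNEGO SPN and is not usable for CE Kerberos
        return ["%s: service part must be FNCEWS, not %r" % (spn, service)]
    host, at, realm = rest.partition("@")
    if host != host.lower():
        problems.append("%s: host part must be all lower case" % spn)
    if at and realm != realm.upper():
        problems.append("%s: realm after @ must be all UPPER case" % spn)
    if "." not in host and not SHORT_HOST_RE.match(host.lower()):
        problems.append("%s: short host name must be an undotted DNS label" % spn)
    return problems


def setspn_commands(host_name, dns_domain, identity):
    """The two setspn -A commands from the deck (short SPN and FQDN SPN)."""
    short = host_name.lower()
    return ["setspn -A FNCEWS/%s %s" % (short, identity),
            "setspn -A FNCEWS/%s.%s %s" % (short, dns_domain.lower(), identity)]


def needs_service_account_name(identity, host_name):
    """Deck scenario 2: when the identity's sAMAccountName is not FNCEWS_<CE host>,
    the ServiceAccountName property must be added to the FileNetP8KerberosService
    login module, otherwise the TGT login fails with 'No Kerberos creds in keytab'."""
    return identity.lower() != "fncews_" + host_name.lower()


if __name__ == "__main__":
    # Values from the deck's lab environment
    host, domain, realm, identity = "w2k8ce", "edmdom.com", "EDMDOM.COM", "FNCEWS_krbce"
    for spn in content_engine_spns(host, domain, realm):
        print(spn, validate_spn(spn) or "OK")
    for cmd in setspn_commands(host, domain, identity):
        print(cmd)
    print("ServiceAccountName property needed:", needs_service_account_name(identity, host))
```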

Page 12: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Validate SPN mapping

• Check SPNs mapped to a Kerberos Identity:
  – setspn -L <AD Kerberos identity user account>
  – setspn -L FNCEWS_krbce

• Check with ldifde: ldifde -f c:\krb5ce.txt -d "DC=edmdom,DC=COM" -r sAMAccountName=FNCEWS*

• Look for these key attributes:

sAMAccountName: FNCEWS_krbce
sAMAccountType: 805306368
userPrincipalName: FNCEWS/[email protected]
servicePrincipalName: FNCEWS/w2k8ce.edmdom.com
servicePrincipalName: FNCEWS/w2k8ce

Page 13: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Update krb5.ini to match your environment configuration

• Actions performed on the Content Engine Server

• Default location (C:\Program Files (x86)\IBM\filenet\contentengine\Kerberos)

• Key items for our krb5.ini:

[libdefaults]
default_realm = EDMDOM.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = false
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

[realms]
EDMDOM.COM = {
  kdc = w2k8ad:88
  admin_server = w2k8ad
  default_domain = edmdom.com
}

[domain_realm]
.edmdom.com = EDMDOM.COM
edmdom.com = EDMDOM.COM

Page 14: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Moving krb5.ini file

• The WebSphere runtime code searches for the Kerberos configuration file in the following order:
  – The file referenced by the Java property java.security.krb5.conf
  – <java.home>/lib/security/krb5.conf
  – c:\winnt\krb5.ini on Microsoft® Windows platforms
  – /etc/krb5/krb5.conf on UNIX® platforms
  – /etc/krb5.conf on Linux™ platforms

• Copy the updated krb5.ini file to one of the locations above

Page 15: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Creating the Keytab entry for the SPN on the Content Engine System

• You can specify the location through the command line

• To specify a different directory and keytab file name:
  – C:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Ktab -a FNCEWS_krbce.edmdom.com -k "c:\temp_krb\cekrb.keytab"
  – C:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Ktab -a FNCEWS_krbce -k "c:\temp_krb\cekrb.keytab"

Page 16: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Validating the Keytab encryption and Kerberos Identity

• Command line: java com.ibm.security.krb5.internal.tools.Klist -e -k c:\temp_krb\cekrb.keytab

• Validate that the principal listed is the Kerberos Identity, which in our case is FNCEWS_krbce

Page 17: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – WebSphere configuration

• Global security, define Trusted realms:
  – If applicable, trust all
  – Or specify realms

Page 18: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Login module configuration in WebSphere

• Create the FileNetP8KerberosService configuration in the Application Logins. If Content Engine is configured using Configuration Manager, then a FileNetP8KerberosService is already created, and there is no need to add this again. Otherwise, click New and follow the instructions to add the FileNetP8KerberosService login configuration.

Page 19: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Adding the Service Account Name

• Add the service account name property. This is required since our Kerberos identity does not match the machine name (krbce versus w2k8ce):

Page 20: Kerberos and SPNEGO Configuration with P8 - IBM

Kerberos – Validating Configuration

Page 21: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO Configuration

• Domain/REALM: EDMDOM.COM

• AD SPNEGO Identity: spnegoweb

• System configuration:
  – Active Directory Server
    • Windows 2008 R2
    • MS SQL 2008
    • Hostname: W2K8AD
    • IP address: 192.168.142.157
  – Workplace XT 1.1.5
    • Windows 2008 R2
    • WebSphere 8.0.0.3
    • Hostname: W2K8XT
    • FQDN: W2K8XT.EDMDOM.COM
    • IP address: 192.168.142.159
  – Client station
    • Windows 2007 Enterprise Edition x64
    • IE 8, Mozilla 25.0.1

Page 22: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – Active Directory SPNEGO identity creation

• Select a unique name so that you can distinguish this from the Kerberos Identity

Page 23: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – Map the Service Principal Name (SPN) to the SPNEGO identity

• Map both the host name and the FQDN

• Make sure the identity (spnegoweb) is unique in Active Directory Users and Computers.

• Adding using the -a option and listing using the -l option:

C:\Users\Administrator>setspn -a HTTP/w2k8xt spnegoweb
Registering ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com
HTTP/w2k8xt
Updated object

C:\Users\Administrator>setspn -a HTTP/w2k8xt.edmdom.com spnegoweb
Registering ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com
HTTP/w2k8xt.edmdom.com
Updated object

C:\Users\Administrator>setspn -l spnegoweb
Registered ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com:
HTTP/w2k8xt.edmdom.com
HTTP/w2k8xt

Page 24: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – LDIFDE to validate

• C:\Users\Administrator>ldifde -f c:\spnegoweb_out.txt -d "DC=edmdom,DC=com" -r "(sAMAccountName=spnegowe*)" -p subtree

• Look for these key attributes:

sAMAccountName: spnegoweb
sAMAccountType: 805306368
userPrincipalName: HTTP/[email protected]
servicePrincipalName: HTTP/w2k8xt.edmdom.com
servicePrincipalName: HTTP/w2k8xt

Page 25: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – Creating the krb5.ini file using wsadmin

• Using the wsadmin command to create the krb5.ini file

Page 26: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – krb5.ini file

• Key items for the krb5.ini file

[libdefaults]
default_realm = EDMDOM.COM
default_keytab_name = FILE:c:\spnego\spnegoweb.keytab
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
forwardable = true
renewable = true
noaddresses = true
clockskew = 300

[realms]
EDMDOM.COM = {
  kdc = w2k8ad:88
  default_domain = edmdom.com
}

[domain_realm]
.edmdom.com = EDMDOM.COM
.us.ibm.com = EDMDOM.COM

Page 27: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – Creating the Keytab

• Creating the keytab using the -out parameter:
  – C:\IBM\WebSphere\AppServer\java\jre\bin>ktpass -out c:\spnego\spnegoweb.keytab -princ HTTP/[email protected] -pass tester -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL

• Appending to the existing keytab by using the -in parameter:
  – C:\IBM\WebSphere\AppServer\java\jre\bin>ktpass -in c:\spnego\spnegoweb.keytab -out c:\spnego\spnegoweb.keytab -princ HTTP/[email protected] -pass tester -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL

Page 28: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – Validating the Keytab - listing

• C:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Klist -e -k C:\spnego\spnegoweb.keytab

Key table: C:\spnego\spnegoweb.keytab
Number of entries: 2

[1] principal: HTTP/[email protected]
KVNO: 1
Encryption type: RC4 with HMAC

[2] principal: HTTP/[email protected]
KVNO: 1
Encryption type: RC4 with HMAC

Page 29: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – WebSphere configuration

• Global Security – SPNEGO web authentication

Page 30: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – WebSphere configuration (cont.)

• SPNEGO Web Authentication Configuration

Page 31: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – WebSphere configuration (cont.)

• SPNEGO Filters configuration

Page 32: Kerberos and SPNEGO Configuration with P8 - IBM

SPNEGO – WorkplaceXT Configuration

• Editing web.xml for Single Sign On (SSO) on WebSphere Application Server
http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.installingxt.doc%2Fwxtip017.htm

1- Ensure that the challengeProxyEnabled parameter is set to false

2- Set the perimeterChallengeMode parameter to true

3- Validate the everyone security role element exists right after the security-constraint section (by default when using CMA)

4- At the end of web.xml, comment out the <login-config> element

5- Add the following entry: <login-config><auth-method>CLIENT-CERT</auth-method></login-config>

Page 33: Kerberos and SPNEGO Configuration with P8 - IBM

Browser Configuration

• IE:

Page 34: Kerberos and SPNEGO Configuration with P8 - IBM

Browser Configuration

• Mozilla:

Page 35: Kerberos and SPNEGO Configuration with P8 - IBM

Validating Configuration with the SNOOP servlet

Page 36: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 1 (Kerberos)

• Problem (Abstract):

Encryption type for Kerberos Identity is not supported by KDC.

• Symptom:

In FEM the user sees this error (details shown in the slide screenshot):

Page 37: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 1 (Kerberos – cont.)

• Identifying the issue:

WebSphere has not been reached yet, so we are using a network monitoring tool

Page 38: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 1 (Kerberos – cont.)

• Cause: Kerberos Identity is configured for DES encryption

• Resolving the problem:
  – Ensure the KDC is configured for the defined encryption
  – Ensure the keytab supports this encryption method
  – Consider using RC4-HMAC or other supported encryption types

Page 39: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 2 (Kerberos)

• Problem (Abstract):

Kerberos Identity account does not match the CE server name

• Symptom:

In FEM the user sees this error (details shown in the slide screenshot):

Page 40: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 2 (Kerberos – cont.)

• Identifying the issue:

Review the WebSphere SystemOut.log (here FileNet Kerberos debug is enabled):

[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [JGSS_DBG_CRED] No Kerberos creds in keytab for principal [email protected]

[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [JGSS_DBG_CRED] No creds, login failed

[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [DynLoginContext] JAAS login phase failed: Login failed: all login modules ignored.

[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [J2EEAuthnUtil] TGT login failure

[11/19/13 19:15:18:471 PST] 00000029 SystemOut O [KrbServiceLoginModule] login failure: Failed initial service principal name login: Login failed: all login modules ignored.

• Cause: The Kerberos Identity sAMAccountName does not include the CE hostname.

Page 41: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 2 (Kerberos – cont.)

• Resolving the problem:
  – Add the ServiceAccountName property, with the defined Kerberos Identity sAMAccountName, to the FileNetP8KerberosService Login Module.

Page 42: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 3 (SPNEGO)

• Problem (Abstract):

Client is attempting to validate SPNEGO through the snoop servlet

• Symptom:

In the browser the user sees an error

Page 43: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 3 (SPNEGO – cont.)

• Identifying the issue:

- Validate browser configuration:

- Validate Keytab configuration:

C:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Klist -e -k c:\spnego\spnegoweb.keytab
Key table: c:\spnego\spnegoweb.keytab
Number of entries: 1
[1] principal: HTTP/[email protected]
KVNO: 1
Encryption type: RC4 with HMAC

Page 44: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 3 (SPNEGO – cont.)

• Identifying the issue (cont.):

- Review the WebSphere SystemOut.log

[12/9/13 9:43:46:967 PST] 00000029 WebCollaborat A SECJ0056E: Authentication failed for reason null; nested exception is: com.ibm.websphere.security.EntryNotFoundException

- Further up in the WebSphere SystemOut.log

[12/9/13 9:43:46:905 PST] 00000029 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_22c59d7_13.12.09_09.43.46.8742854080120296757428.txt com.ibm.websphere.security.EntryNotFoundException 190

- FFDC file review shows the issue:

[12/9/13 9:43:46:874 PST] FFDC Exception:com.ibm.websphere.wim.exception.EntityNotFoundException SourceId:com.ibm.websphere.security.EntryNotFoundException ProbeId:190 Reporter:com.ibm.websphere.security.EntryNotFoundException@22b606c
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The '[email protected]' entity was not found.
at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:229)
at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:568)

Page 45: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 3 (SPNEGO – cont.)

• Identifying the issue (cont.):

- Review wimconfig.xml for the AD attribute mapping (c:\IBM\WebSphere\AppServer\profiles\Dmgr01\config\cells\W2K8XTCell01\wim\config)

<config:attributeConfiguration>
  <config:attributes defaultValue="544" name="userAccountControl">
    <config:entityTypes>PersonAccount</config:entityTypes>
  </config:attributes>
  <config:attributes name="samAccountName" propertyName="uid">
    <config:entityTypes>PersonAccount</config:entityTypes>
  </config:attributes>

- Review the repository Login Properties

Page 46: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 3 (SPNEGO – cont.)

• Cause: The SPNEGO filter is not configured to trim the Kerberos realm name

• Resolving the problem:
  – Ensure the SPNEGO filters are configured to trim the Kerberos realm from the principal name.

Page 47: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 4 (SPNEGO)

• Problem (Abstract):

Client is attempting to access a WPXT server URL for which the SPN is not defined in the Keytab

• Symptom:

In the browser the user is prompted to log in; if they click Cancel:

Page 48: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 4 (SPNEGO – cont.)

• Identifying the issue:

- Validate browser configuration:

- Validate Keytab configuration:

C:\IBM\WebSphere\AppServer\java\jre\bin>java com.ibm.security.krb5.internal.tools.Klist -e -k c:\spnego\spnegoweb.keytab
Key table: c:\spnego\spnegoweb.keytab
Number of entries: 1
[1] principal: HTTP/[email protected]
KVNO: 1
Encryption type: RC4 with HMAC

• Cause:

Keytab does not include the SPN defined for the server host FQDN.

Page 49: Kerberos and SPNEGO Configuration with P8 - IBM

Troubleshooting – Scenario 4 (SPNEGO – cont.)

• Resolving the problem:
  – Add the SPN for the host FQDN to the existing keytab:

C:\IBM\WebSphere\AppServer\java\jre\bin>ktpass -in c:\spnego\spnegoweb.keytab -out c:\spnego\spnegoweb.keytab -princ HTTP/[email protected] -pass tester -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL

Existing keytab:

Keytab version: 0x502
keysize 57 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x98bb35737013aaff03181d0fe9fda09e)

NOTE: creating a keytab but not mapping principal to any user.
For the account to work within a Windows domain, the principal must be mapped to an account, either at the domain level (with /mapuser) or locally (using ksetup). If you intend to map HTTP/[email protected] to an account through other means or don't need to map the user, this message can safely be ignored.

WARNING: pType and account type do not match. This might cause problems.

Building salt with principalname HTTP/w2k8xt.edmdom.com and domain EDMDOM.COM (encryption type 23)...

Hashing password with salt "EDMDOM.COMHTTPw2k8xt.edmdom.com".

Key created.

Output keytab to c:\spnego\spnegoweb.keytab:

Keytab version: 0x502
keysize 57 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x98bb35737013aaff03181d0fe9fda09e)
keysize 68 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x98bb35737013aaff03181d0fe9fda09e)
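Scenarios 1 and 4 above are both keytab consistency problems: an encryption type the KDC and krb5.ini do not agree on, and an SPN spelling (here the FQDN) that the keytab never received. The checker below is an added example written for this page, not IBM code: it parses the "Klist -e -k" listing format shown on the slides and the [libdefaults] enctypes from the krb5.ini slide and reports both conditions. The sample inputs are constructed from the deck's lab values, the enctype display names other than "RC4 with HMAC" are assumed from the usual MIT-style spellings, and all function names are the author's own.

```python
import re

# Added example, not from the IBM deck: parses the IBM JGSS "Klist -e -k" listing
# and the krb5.ini [libdefaults] enctypes shown on the slides and reports the two
# keytab problems the troubleshooting scenarios describe (missing SPN, enctype
# mismatch). Sample inputs below are constructed; function names are the author's own.

# Display names printed by "Klist -e" mapped to krb5.ini enctype spellings (assumed
# from the MIT-style names; "RC4 with HMAC" is the one the deck actually shows).
KLIST_ENCTYPE_NAMES = {
    "RC4 with HMAC": "rc4-hmac",
    "DES CBC mode with CRC-32": "des-cbc-crc",
    "DES CBC mode with MD5": "des-cbc-md5",
    "AES128 CTS mode with HMAC SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES256 CTS mode with HMAC SHA1-96": "aes256-cts-hmac-sha1-96",
}
ENTRY_RE = re.compile(r"^\[\d+\]\s+principal:\s+(\S+)")


def parse_klist_keytab(text):
    """Return [{'principal', 'kvno', 'enctype'}, ...] from Klist -e -k output."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"principal": m.group(1), "kvno": None, "enctype": None}
            entries.append(cur)
        elif cur is not None and line.startswith("KVNO:"):
            cur["kvno"] = int(line.split(":", 1)[1])
        elif cur is not None and line.startswith("Encryption type:"):
            cur["enctype"] = line.split(":", 1)[1].strip()
    return entries


def parse_libdefaults_enctypes(ini_text):
    """Collect default_tkt_enctypes/default_tgs_enctypes from [libdefaults], lower-cased."""
    allowed, section = set(), None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ("default_tkt_enctypes", "default_tgs_enctypes"):
                allowed.update(v.lower() for v in value.split())
    return allowed


def required_spns(service, host_name, dns_domain):
    """Both SPN spellings the deck registers: short host and FQDN."""
    short = host_name.lower()
    return ["%s/%s" % (service, short), "%s/%s.%s" % (service, short, dns_domain.lower())]


def check_keytab(klist_text, ini_text, spns):
    """Return a list of findings; an empty list means the keytab matches the deck's setup."""
    entries = parse_klist_keytab(klist_text)
    allowed = parse_libdefaults_enctypes(ini_text)
    present = {e["principal"].split("@", 1)[0] for e in entries}
    findings = []
    for spn in spns:
        if spn not in present:   # scenario 4: browser falls back to a login prompt
            findings.append("missing keytab entry for %s" % spn)
    for e in entries:
        enctype = KLIST_ENCTYPE_NAMES.get(e["enctype"], (e["enctype"] or "").lower())
        if allowed and enctype not in allowed:   # scenario 1: KDC/keytab enctype mismatch
            findings.append("%s: keytab enctype %s not among krb5.ini enctypes %s"
                            % (e["principal"], enctype, sorted(allowed)))
    return findings


# Constructed sample: the one-entry keytab from the deck's scenario 4 and the
# [libdefaults] section from the SPNEGO krb5.ini slide.
SAMPLE_KLIST = """Key table: c:\\spnego\\spnegoweb.keytab
Number of entries: 1
[1] principal: HTTP/w2k8xt@EDMDOM.COM
KVNO: 1
Encryption type: RC4 with HMAC
"""
SAMPLE_INI = """[libdefaults]
default_realm = EDMDOM.COM
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
"""

if __name__ == "__main__":
    for finding in check_keytab(SAMPLE_KLIST, SAMPLE_INI, required_spns("HTTP", "w2k8xt", "edmdom.com")):
        print("FINDING:", finding)
```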

Page 50: Kerberos and SPNEGO Configuration with P8 - IBM

Additional References

• Configuring single sign-on for Workplace XT by using Kerberos/SPNEGO
http://www-01.ibm.com/support/docview.wss?rs=3273&uid=swg27019844

• Editing web.xml for Single Sign On (SSO) on WebSphere Application Server
http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.installingxt.doc%2Fwxtip017.htm

• Single Sign-On Solutions for IBM FileNet P8 Redbook
http://www.redbooks.ibm.com/redpieces/abstracts/SG247675.html?Open

• MustGather: Problems with SPNEGO
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSCVS2E&q1=MustGatherDocument&uid=swg21255030&loc=en_US&cs=utf-8&lang=en

• Administering SPNEGO within WebSphere Application Server:
http://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

• SPNEGO troubleshooting tips:
http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Frsec_SPNEGO_troubles.html

Page 51: Kerberos and SPNEGO Configuration with P8 - IBM

Additional References

• Learn about upcoming Support Technical Exchange webcasts, and access previously recorded presentations at:
https://www-304.ibm.com/connections/communities/service/html/communityview?communityUuid=d58614c7-a87a-4bea-a0d3-572710d530db

• IBM Electronic Support Introduction
http://www.ibm.com/support/electronicsupport/about.html

• Sign up to receive weekly technical My Notifications emails:
http://www.ibm.com/software/support/einfo.html

• developerWorks Forums, Communities and Technical Topics
http://www.ibm.com/developerworks/

• Quick Reference Guide for Using Service Request Tool
http://www.ibm.com/support/docview.wss?uid=swg21207945

• IBM Support Assistant
http://www.ibm.com/software/support/isa/

• Access product show-me demos and tutorials by visiting IBM Education Assistant:
http://www.ibm.com/software/info/education/assistant

Page 52: Kerberos and SPNEGO Configuration with P8 - IBM

Questions and Answers

Page 53: Kerberos and SPNEGO Configuration with P8 - IBM

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION, NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO NOR SHALL HAVE THE EFFECT OF CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCT OR SOFTWARE.

Copyright and Trademark Information IBM, The IBM Logo and IBM.COM are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks and others are available on the web under “Copyright and Trademark Information” located at www.ibm.com/legal/copytrade.shtml.
