July 2015 Integrated Web Authentication & Domino Gabriella Davis The Turtle Partnership
Page 1: Spnego configuration

July 2015

Integrated Web Authentication & Domino

Gabriella Davis

The Turtle Partnership

Page 2: Spnego configuration

Outline

✤ Function and use of IWA

✤ System Requirements

✤ How To Configure SPNEGO

✤ Things To Consider

Page 3: Spnego configuration

What Is IWA

✤ Integrated Web Authentication (IWA) is an umbrella term for the protocols and technologies Microsoft uses to authenticate an already logged-in Windows user to a web server automatically, without prompting for credentials

✤ SPNEGO is the negotiation layer of IWA: it lets the client and server agree on which authentication mechanism they will actually use

✤ Microsoft uses SPNEGO for its HTTP "Negotiate" authentication scheme (the server answers with WWW-Authenticate: Negotiate and the browser replies with a SPNEGO token in the Authorization header)

✤ The mechanisms SPNEGO can carry for IWA are Kerberos and NTLM; Domino's SPNEGO support accepts Kerberos only, so a client that can offer nothing but NTLM is not authenticated
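The negotiation above is visible on the wire as a base64 token in the Authorization: Negotiate header, and the first mechanism the client lists tells you whether it obtained a Kerberos ticket. The following is an added example, not code from the presentation or from Domino: it decodes a Negotiate token with a minimal DER walker, lists the mechanisms the client offered, and flags the NTLM-first case that an administrator sees when the SPN, DNS name or intranet-zone setting is wrong. The sample tokens are constructed inline with the same DER helper; the mechanism OIDs are the published values.

```python
import base64

# GSS-API / SPNEGO mechanism OIDs in DER-encoded form (well-known values)
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MSKRB5: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}
KERBEROS_MECHS = {"Kerberos", "MS-Kerberos"}


def der(tag, content):
    """Encode one DER TLV; lengths up to 65535 are plenty for these tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token=b"\x00"):
    """Constructed sample: a SPNEGO NegTokenInit offering the given mechanisms in order."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    inner_token = der(0xA2, der(0x04, mech_token))
    neg_token_init = der(0xA0, der(0x30, mech_types + inner_token))
    return der(0x60, der(0x06, OID_SPNEGO) + neg_token_init)


def classify_negotiate(header_value):
    """Return (token kind, offered mechanisms) for an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):          # bare NTLM message, no GSS-API wrapping
        return "raw-ntlm", ["NTLMSSP"]
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("missing mechanism OID")
    if oid in (OID_KRB5, OID_MSKRB5):              # Kerberos AP-REQ sent without SPNEGO
        return "raw-kerberos", [MECH_NAMES[oid]]
    if oid != OID_SPNEGO:
        raise ValueError("unknown mechanism OID " + oid.hex())
    _, neg_token_init, _ = read_tlv(body, pos)     # [0] NegTokenInit
    _, fields, _ = read_tlv(neg_token_init, 0)     # SEQUENCE of its fields
    mechs, p = [], 0
    while p < len(fields):
        tag, content, p = read_tlv(fields, p)
        if tag == 0xA0:                            # [0] mechTypes, preferred mechanism first
            _, mech_list, _ = read_tlv(content, 0)
            q = 0
            while q < len(mech_list):
                _, oid, q = read_tlv(mech_list, q)
                mechs.append(MECH_NAMES.get(oid, oid.hex()))
    return "spnego", mechs


def diagnose(header_value):
    """The check an administrator wants: did the client get a Kerberos ticket for this host?"""
    kind, mechs = classify_negotiate(header_value)
    if kind == "raw-kerberos" or (kind == "spnego" and mechs and mechs[0] in KERBEROS_MECHS):
        return "kerberos"
    return "ntlm-first"   # no service ticket: check the SPN, the DNS name used and the zone settings


# Constructed sample headers
SAMPLE_GOOD = "Negotiate " + base64.b64encode(build_neg_token_init([OID_MSKRB5, OID_KRB5, OID_NTLMSSP])).decode()
SAMPLE_FALLBACK = "Negotiate " + base64.b64encode(build_neg_token_init([OID_NTLMSSP])).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_RAW_KRB5 = "Negotiate " + base64.b64encode(der(0x60, der(0x06, OID_KRB5) + b"\x01\x00")).decode()

if __name__ == "__main__":
    for label, hdr in (("good", SAMPLE_GOOD), ("fallback", SAMPLE_FALLBACK), ("raw-ntlm", SAMPLE_RAW_NTLM)):
        print(label, classify_negotiate(hdr), diagnose(hdr))
```

A Windows client that could not obtain a service ticket for HTTP/<hostname> still sends a Negotiate header, but with NTLMSSP as the first (or only) mechanism; since Domino only accepts Kerberos that request fails, and the mechanism list is the quickest way to tell a missing SPN from a browser that is not configured for the site.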

Page 4: Spnego configuration

Simple & Protected GSSAPI Negotiation Mechanism


System Requirements

✤ Domino 8.5.1 or later as the initial authentication server

✤ Windows Active Directory with a domain functional level of Windows Server 2003 or later

✤ Browsers

✤ IE

✤ Firefox (Windows)

✤ Chrome 8 and higher (Windows)

Page 14: Spnego configuration

The Lab Environment

✤ Active Directory: Windows 2008 R2 domain controller, cn=dc,dc=turtletest,dc=com

✤ Domino server: Windows 2008 R2, Domino 9.0.1, web hostname dominoweb.turtletest.com, Notes name Swan/Turtle, AD computer object cn=dominoweb,dc=computers,dc=turtletest,dc=com

✤ Client machine: Windows 7, cn=lihue,dc=computers,dc=turtletest,dc=com, logged in as cn=gabriella,dc=lihue

Page 15: Spnego configuration

How Does It Work With Domino

✤ There must be a relationship between Domino and AD for the authentication “conversation” to happen

✤ Domino must run as a service under Windows

✤ Use a named AD account to run the service

✤ Create a Service Principal Name in Active Directory for each URL hostname that will be passed to Domino

Page 16: Spnego configuration

Configuring for SPNEGO

Page 17: Spnego configuration

Domino Configuration

✤ Internet Site Documents

✤ Web Single Sign On Document

✤ HTTP Site Document

✤ Domino start as service with named user

✤ Configuring Domino to start with a java controller

Page 18: Spnego configuration

Internet Site Documents

✤ Ensure the Domino server document is set to use Internet Site Documents

✤ this isn’t a requirement but will make the SPNEGO configuration easier to manage

Page 19: Spnego configuration

Web Single Sign On Document

Page 20: Spnego configuration

HTTP Site Document

Page 21: Spnego configuration

Domino Start As Service

✤ Domino must be started using a named AD account, not the Local System account. Local System only carries the computer's own identity, so it cannot own the SPNs needed for several web hostnames or for an IP sprayer (load balancer) in front of more than one Domino server

Page 22: Spnego configuration

Configure Domino To Start With Java Controller

✤ Once Domino starts as a named account you need the Java server controller to monitor and administer Domino on the server itself

✤ Use Windows regedit to modify the registry

✤ find the entries representing the Domino service (search for notes.ini) and append -jc -c to the service command line

Consider adding to the server notes.ini file

ServerController=1

TCPIP_ControllerTcpIpAddress=<ipaddress>:2050

Page 23: Spnego configuration

Active Directory

✤ We must create a Service Principal Name (SPN) in Active Directory for every hostname the Domino web server will answer to, bound to the account that runs the Domino service

✤ This can be done two ways

✤ using the domspnego utility

✤ manually

✤ Either way the SPN itself is created with setspn.exe on the Domain Controller

Page 24: Spnego configuration

Using domspnego

✤ From the Domino program directory in a command window type domspnego

✤ domspnego -? shows the help for the command

✤ domspnego <name of output file to generate>

✤ e.g. domspnego dominowebservice

Page 25: Spnego configuration

Domspnego Output

✤ You will need to know

✤ The account name Domino is running under

✤ Any hostnames used for web access

✤ Any ip sprayer hostnames

✤ Answering the prompted questions will generate a .cmd file you can edit in notepad to see the commands you will want to run

Page 26: Spnego configuration

Domspnego CMD File

Page 27: Spnego configuration

Creating the SPN

✤ On the domain controller find the “setspn.exe” utility

✤ The syntax is

✤ setspn -a HTTP/<hostname> <adserviceaccount>

✤ The setspn commands for your environment will be in the output file generated by domspnego, e.g.

setspn -a HTTP/dominoweb.turtletest.com dominowebservice

Page 28: Spnego configuration

SPN Rules

✤ An SPN can be registered to only one account, so there can only be one HTTP/<hostname> entry in the domain; a duplicate leaves the KDC unable to issue a usable ticket

✤ If you need to change the service account bound to the SPN you must delete the original one first and then create the new one

✤ To delete an SPN use "-d" instead of "-a" on the setspn command

setspn -d HTTP/dominoweb.turtletest.com dominowebservice

Page 29: Spnego configuration

SPN Commands

✤ Create a SPN: setspn -a HTTP/<hostname> <adserviceaccount>

✤ Confirm a SPN: setspn -q HTTP/<hostname> shows which account holds it; setspn -l <adserviceaccount> lists every SPN on the account

✤ Remove a SPN: setspn -d HTTP/<hostname> <adserviceaccount>

Page 30: Spnego configuration

Name Mappings

✤ To grant a user access to a database there must be an ACL entry for that user

✤ The Windows Kerberos name must be an entry in the FullName field of the user's Person document so Domino can match the Windows logged-in name to the ACL

✤ There should be 2 entries before it, the user's hierarchical name (used in the ACL) and the user's common name

✤ The Windows user "Gabriella" logging into the Windows domain "turtletest.com" (Gabriella@TURTLETEST.COM) will be translated by Domino into Gabriella Davis/Turtle for ACL access

✤ Use the exact case AD uses for the name part and always capitals for the domain (realm) part
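The mapping above is easy to get wrong in bulk, because a single case difference in the realm means no Person document matches. The following is an added example, not code from the presentation or from Domino: it models the FullName lookup as an exact, case-sensitive match (an assumption taken from the case rules on this slide), derives the Kerberos name from the AD account and realm, and audits a constructed set of Person documents for entries SPNEGO logins will fail to match. The PERSON_DOCS list is sample data made up for the example.

```python
import re

# Constructed sample Person documents (FullName values only), in the order the
# slide prescribes: hierarchical name, common name, then the Kerberos name.
PERSON_DOCS = [
    {"FullName": ["CN=Gabriella Davis/O=Turtle", "Gabriella Davis", "Gabriella@TURTLETEST.COM"]},
    {"FullName": ["CN=Test User/O=Turtle", "Test User", "testuser@turtletest.com"]},  # realm not capitalised
    {"FullName": ["CN=Local Only/O=Turtle", "Local Only"]},                            # no Kerberos entry
]

KERBEROS_NAME = re.compile(r"^([^@/]+)@([^@/]+)$")


def kerberos_name(sam_account_name, realm):
    """The name Windows presents: AD's own case for the account, realm in capitals."""
    return f"{sam_account_name}@{realm.upper()}"


def acl_name_for(person_docs, presented_name):
    """Exact, case-sensitive lookup of the presented name among the FullName
    aliases; returns the hierarchical name (first entry) used in ACLs, or None."""
    for doc in person_docs:
        names = doc["FullName"]
        if presented_name in names[1:]:
            return names[0]
    return None


def audit_person_docs(person_docs, realm):
    """Report documents that SPNEGO logins will not match, keyed by hierarchical name."""
    problems = {}
    for doc in person_docs:
        names = doc["FullName"]
        kerb = [n for n in names[1:] if KERBEROS_NAME.match(n)]
        if not kerb:
            problems[names[0]] = "no Kerberos name in FullName"
            continue
        _, domain = KERBEROS_NAME.match(kerb[0]).groups()
        if domain != realm.upper():
            problems[names[0]] = f"realm must be {realm.upper()}, found {domain}"
    return problems


if __name__ == "__main__":
    print(acl_name_for(PERSON_DOCS, kerberos_name("Gabriella", "turtletest.com")))
    print(acl_name_for(PERSON_DOCS, kerberos_name("testuser", "turtletest.com")))
    print(audit_person_docs(PERSON_DOCS, "turtletest.com"))
```

Run the audit against an export of the FullName field before enabling SPNEGO on a site; the second sample document is the typical failure, a Kerberos name that looks right but has the realm in lower case.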

Page 31: Spnego configuration

Directory Assistance

✤ SPNEGO users never present a password to Domino

✤ The Domino HTTP password field on their Person documents can therefore be empty

✤ Should you want non-SPNEGO users to log in, they can either use the Domino HTTP password OR you can configure Active Directory under Directory Assistance

✤ Directory Assistance then authenticates users accessing Domino with their AD names and passwords

Page 32: Spnego configuration

Managing Users - OPTIONAL

✤ If you do want to manage users in Active Directory instead of in Domino you can do so but the environment needs to be configured for that

✤ they must still be present in Domino person documents

✤ The Active Directory entry must have an attribute containing the user’s hierarchical Domino name

✤ Directory Assistance must be configured for authentication to Active Directory

✤ Keeping the user names synchronised across both environments requires a tool such as Tivoli Directory Integrator

Page 33: Spnego configuration

Browser Configuration

✤ SPNEGO supports Windows browsers IE, Firefox and Chrome >8

✤ Configuration for each must be done on the client side and is different for each browser

✤ This may change in the future if the browser versions change

Page 34: Spnego configuration

Internet Explorer Configuration

✤ Start IE and click Tools > Internet Options

✤ Select the Security tab

✤ Select "Local intranet" and click Sites.

✤ Ensure that the "Include all sites that bypass the proxy server" is checked.

✤ Click Advanced

✤ Add the URL for the Domino server http://dominoweb.turtletest.com and click OK twice. Or use a wildcard to provide the ability to connect to more than one SPNEGO-enabled Domino server in the domain: *.turtletest.com

✤ Click Custom Level, scroll to the User Authentication section, select "Automatic logon only in Intranet zone," and click OK.

✤ Click the Advanced tab, scroll to the Security section, verify the option "Enable Integrated Windows Authentication (requires restart)" is selected.

Page 35: Spnego configuration

Firefox Configuration

✤ Start Firefox and in the URL address box, type about:config

✤ In the Filter box, type network.n

✤ Double-click network.negotiate-auth.trusted-uris, and enter the URL http://dominoweb.turtletest.com or use a wildcard to provide the ability to connect to more than one SPNEGO-enabled Domino server in the domain http://*.turtletest.com or separate multiple entries with commas.

✤ Click OK and restart the browser.

Page 36: Spnego configuration

Chrome Configuration

✤ Chrome uses the configuration settings from Internet Explorer

✤ Alternatively in Windows use Internet Options under Control Panel

Page 37: Spnego configuration

Non SPNEGO Behaviour

✤ Users who don’t login to the Windows AD domain cannot use SPNEGO

✤ Once you configure the URL and web server for SPNEGO it can only be used by SPNEGO enabled clients and browsers

✤ There are programmatic tools available including DSAPI filters that will intercept the request and redirect it for non SPNEGO users

✤ Alternately non-SPNEGO users can be given a different hostname/URL to use

Page 38: Spnego configuration

Multiple Sites / URLs

✤ For every hostname or site document that the web server responds to a SPN needs to be created

✤ This includes any load balancers

✤ Any server aliases that will resolve in URLs must also have SPN entries

✤ Remember only one SPN per hostname and that must correspond to the owning account of the Domino service
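The SPN rules on this slide and on the "SPN Rules" slide (one SPN per hostname, bound to the Domino service account, one for every alias and load balancer name) amount to reconciling a desired list of hostnames against what Active Directory already holds. The following is an added example, not code from the presentation or from IBM's domspnego: it parses constructed output in the shape setspn -l prints, then produces the setspn commands needed to reach the desired state, deleting an SPN from a wrong owner before re-adding it and using setspn -s, which refuses to create a duplicate. SAMPLE_SETSPN_L, SAMPLE_EXISTING and the account names are made up for the example.

```python
# Constructed sample in the shape 'setspn -l <account>' prints on the DC
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=dominowebservice,CN=Users,DC=turtletest,DC=com:
        HTTP/dominoweb.turtletest.com
        HTTP/old-alias.turtletest.com
"""

# Constructed: what 'setspn -q HTTP/<host>' found for each hostname of interest
SAMPLE_EXISTING = {
    "HTTP/dominoweb.turtletest.com": "dominowebservice",
    "HTTP/old-alias.turtletest.com": "dominowebservice",
    "HTTP/lb.turtletest.com": "oldsvc",   # load balancer name still bound to a retired account
}


def parse_setspn_l(output, account):
    """Map every SPN listed by 'setspn -l <account>' to that account."""
    spns = {}
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith("Registered ServicePrincipalNames"):
            spns[line] = account
    return spns


def plan_spn_commands(service_account, hostnames, existing):
    """Produce the setspn commands that bring AD to the desired state.

    hostnames: every name a URL may carry (server, aliases, load balancer)
    existing:  {SPN: owning account} as gathered with setspn -q / -l
    Returns (commands, stale); stale lists SPNs on the account that no hostname
    needs. They are reported rather than deleted, since another site may rely on them.
    """
    commands, wanted = [], []
    for host in hostnames:
        host = host.strip().lower()
        if not host or "/" in host or ":" in host:
            raise ValueError(f"expected a bare hostname, got {host!r}")
        spn = f"HTTP/{host}"
        if spn in wanted:
            continue                      # hostname listed twice; only one SPN may exist
        wanted.append(spn)
        owner = existing.get(spn)
        if owner is None:
            commands.append(f"setspn -s {spn} {service_account}")
        elif owner.lower() != service_account.lower():
            commands.append(f"setspn -d {spn} {owner}")          # remove from the old owner first
            commands.append(f"setspn -s {spn} {service_account}")
    commands.append(f"setspn -l {service_account}")             # confirm the end result
    stale = sorted(s for s, a in existing.items()
                   if a.lower() == service_account.lower() and s not in wanted)
    return commands, stale


if __name__ == "__main__":
    hosts = ["dominoweb.turtletest.com", "lb.turtletest.com", "intranet.turtletest.com"]
    cmds, stale = plan_spn_commands("dominowebservice", hosts, SAMPLE_EXISTING)
    print("\n".join(cmds))
    print("stale:", stale)
```

Review the printed commands before running them on the domain controller; the stale list is the place to look when an old alias was retired but its SPN was never removed.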

Page 39: Spnego configuration

SPNEGO Support

✤ SPNEGO is supported for Domino web applications including iNotes

✤ but not Traveler

✤ SPNEGO is also supported inside eclipse for feeds, sametime, connections etc

✤ but not for Notes basic

✤ SPNEGO is not supported for Notes client access

Page 40: Spnego configuration

Troubleshooting

✤ On Windows 7 and Windows Vista, SPNEGO is not functional for users who are members of the Administrators group when UAC is enabled. To use SPNEGO on these platforms, advise the client user to launch Notes with elevated privileges, disable UAC, or log in as a non-admin user.

✤ Add DEBUG_HTTP_SERVER_SPNEGO=1 to the server's notes.ini to log the SPNEGO negotiation on the Domino console

✤ http://www-01.ibm.com/support/docview.wss?uid=swg21394592