I'm using spnego http://spnego.sourceforge.net to make a single sign on on my system, the problem is that also typing the right password it will be prompt again and again.
Sometimes if you type it twice you can join the system, sometimes you need to type more than 10 times the same user and password until get access to the system.
After you are logged in to the system, the password can be prompted many times on random time, again and again and again.
Thanks in advance
I've not tried that specific spnego module yet, but I've encountered this issue before.
The issue with SPNEGO and two login prompts is often related to:
The application's login service is configured to allow both negotiate and basic:
WWW-Authenticate: Negotiate
WWW-Authenticate: basic
If Windows Native Authentication is enabled in Internet Explorer, but the Windows client fails to retrieve a Kerberos ticket for the service (for some reason), IE will
Prompt for login, but no matter what you write here it will send an NTMLSSP token using
Authorization: Negotiate
Authentication using the NTMLSSP token will fail and you'll get a secondary login prompt, which will be submitted using Basic
Authorization: Basic
Not sure why authenticating more than two times sometimes will let you in, though..
To investigate the problem further:
Check server log files (set java option -Dsun.security.krb5.debug=true and web.xml spnego.logger.level=1) for clues.
Check that the Windows client is logged on to domain.
Check that Windows Native Authentication is enabled in Internet Explorer.
Check that the website is added to local intranet sites in Internet Explorer (or available without using dot "." in the web site name).
Check that keytab, krb5.conf and login.conf is configured for your app server. (See spnego docs pre_flight and reference_docs)
Check that the principal name used in the keytab is the DNS A record and not a DNS CNAME record for your service.
An excellent tool for debugging web traffic is Fiddler2. Install and see what Internet Explorer responds to the authentication challenges (HTTP 401).
If Internet Explorer indeeds submits an NTMLSSP token, you might also want to use Wireshark and filter "Kerberos" traffic to see if your domain controller responds with a TGS-REP containing a Kerberos ticket for accessing your service.
If you're still out of luck, we'll might be able to help you further if you can make available all or some of
spnego configuration
Server logs (if anything relevant)
Fiddler2 trace
Wireshark trace
Øyvind
I found the problem.
The credentials was valid but it was from another domain ( I changed the domain but did not update the keytab file)
After fix the keytab the system never asked for a password anymore.
Thanks all !
Related
I have a webpage which demands for a SSL Certificate, then uses the SSL Certificates to autofill the username, then waits for the user to input the user password and click on a button to proceed to the application itself.
What I would like to do is to create a little Java application which is automatically logging the user passing Certificate, Username and password and then open the application in the default browser.
I was thinking of
1 - sending an initial GET request to collect the Session ID,
2 - send a POST request passing the Certificate, Username and Password
3 - open the requested secure webpage in a browser.
I know how to use a HttpsURLConnection to perform the first 2 steps, however I'm not sure if this workflow makes sense as I don't know how to perform step 3 once I am authenticated.
Is this the correct way of doing this?
Thank you all for all your help.
Hello everyone just writing this solution for those that have a similar problem as maybe they will have to struggle less.
We have a Cloud solution which requires UserName + Password + an SSL Certificate to login.
I wanted to have the possibility to open a specific page in a browser window passing a parameter without having to login and or having to select the Certificate from the list of available certificates.
So my initial approach was not working as I hoped, therefore I started watching into using Selenium to Open a the Web Page passing parameters.
It worked fine and I have configured the program to ask the username and password the first time the program is launched and save them in an encrypted file in the Windows user profile.
Only obstacle I still had was to automatically select the certificate out of the list of available certificates which is presented by the browser.
There are a lot of different posts about this issue, and the majority are not really scalable, until i found one solution: Chrome offers the possibility to set one specific Policy which is called "AutoSelectCertificateForUrls" which allows to specify one Certificate for a specific URL that is automatically selected. So I configured the installer to set this Parameter (needs to be set in the Windows Registry), and this did the trick.
Each Windows user will have his certificate stored in the Current User Certificate Storage and his/her credentials are stored for each user in the Windows User Profile.
The only limitation is that for the time being you can only specify the Certificate Issuer company (therefore if you have multiple certificates from the same company only the first certificate will work), but apparently the Chromium team is working on being able to filter on the "Subject" (this question also helped me with this:
Chrome AutoSelectCertificateForUrls Filter on Subject. I hope this helps others.
I have a web application in the intranet and the client which is already in the intranet and has been successfully login on his/her windows computer does not want to enter any login credentials again. I have met with Waffle. As I tried its samples, it provides SSO with windows credentials, this is a plus for me. But the thing is, I don't want my clients to enter their windows credentials again, they already have successfully login to their computer, so they want to access intranet web applications without entering any kind of credentials. Could Waffle do that? Or is it a must that user have to enter windows credential again?
From documentation, it is clear that Waffle supports what you are looking for.
You could use a Kerberos based system (NTLM + Kerberos)
As per Waffle's Documentation, Windows SSO ( NTLM or Kerberos) is what you are looking for. Also make sure that browsers of intranet users are configured as per "Configuring Browsers for Single Sign On"
Currently I have got a specific problem finding a solution and I am hoping you are able to provide
some light on the matter.
The Structure of the problem:
The task at hand is to gather a client's login credentials (token) and pass this to the servlet. However I cannot seem to find a good resource to do this. I have researched a wide variety of ways. I.e SPNEGO, WAFFLE etc..., However, these seem to require some sort of active directory by my understanding, I am trying to gather the credentials from the users local machine. A clear explanation or guidance to how I can gather the windows credentials to the servlet for my specific request would be appreciated.
Diagrams are always a better way of explaining so I will provide one if you are still confused:
Windows PC (Client) ------------------------> Java Servlet -------------------------------------> IIS Server
(windows authentication) --------------> (Get Credentials) -------------------- (Check Credentials & Authenticate)
(token) (pass credentials)
Thank you in advanced to anyone who replies, I really appreciate it!.
You are wasting your time. If you only take the credentials from the users local machine then you have no way of knowing if those credentials can be trusted. You might as well just give every user administrative access to your web application.
The reason active directory (or something like it) is required is that it is not under the control of the client and is trusted by the server. For example, when using SPNEGO, the client authenticates itself to the windows domain, the client gets a token from the windows domain that it can only get if it is authenticated, the client passes the token to the server, the server can then validate that token with the Windows domain to confirm that the client is indeed who they claim to be. (Not quite that simple but you get the idea.)
There are other ways to do this - e.g. with PKI - but they all have in common a central, trusted authentication system that the server can use to validate credentials provided by the client.
I've got two servers, lets call them server 1 and server 2. There is a web application on server 2, that, lets say, shows posts. This application is available on http://www.2.com/showPosts and everybody can access this page. This application also enables to remotely add posts. To do that you have to go to page http://www.2.com/addPost and fill a form.
What I'd like to do is to restrict access to this second page (/addPost) to only one single machine, that is server 1, so that only I can enter this page and fill this form, and everyone else gets 404. How to accomplish that?
edit:
Thank you for your answers. I've done some more reading based on them and now can make my question a little more precise. What I exactly need to do is to authenticate a client by server, whis is the opposite of one-way ssl authentication, where you authenticate a server by a client. I think that any kind of ip based authentication is way too weak and I need some kind of a certificate.
You could use a .htaccess file in the root directory:
<Directory AddPost>Allow from www.1.com</Directory>
This only lets www.1.com access the page. If AddPost is a file, use <Files AddPost></Files>.
Hope this helps!
Protect your http://www.2.com/addPost with a cerificate only present in the Browser on the one single machine.
ServletRequest#getRemoteAddr() returns you the IP of the client that sent the request. You could filter such requests by matching client's IP. For the other clients you can for example redirect to predefined 404 error page.
You can also restrict the addPost address to localhost-only, and establish an ssh tunnel for update purposes.
I suppose you are using Apache Web Server, then you can configure a virtual host and set an access rule to deny from all, allow from server1. Here the documentation.
If it is a Tomcat server you can define a filter in web.xml that will filter request only from allowed source.
I'm using WAFFLE to integrate a web server with Windows authentication.
When I visit the web server using the short hostname, the server is considered "trusted" by both Chrome and IE, and everything works as expected.
When I visit the exact same web server using the full hostname, the server is no longer considered "trusted" (which is crap, to be honest, as the IP address hasn't changed) and regardless of browser, I am prompted for the password (this is fine, the server isn't trusted.)
The problem is that even when I provide the correct password, it doesn't log me in. Instead, I get the same password dialog over and over.
If I visit from a browser on my Mac, I am presented with a login dialog and entering my password there results in successful login.
The difference between the two is that on Windows, the browsers are sending Authorization: Negotiate and on Mac OS X, they are sending Authorization: Basic.
The full header I'm seeing on the wire:
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
This decodes to "NTLMSSP\0....binary data...."
The binary data is not sufficiently large to contain my credentials or a hash thereof, so I'm led to believe that the browser asked for my password and then threw it away instead of using it to authenticate me.
There could be dozens of reasons. Start by troubleshooting negotiate.