How to make Kerberos module - apache

Is it possible to make a Kerberos module for an Apache server that is on Windows? I understand that I need to make a DLL file from some source, but how?
Thank you.

Try http://modauthkerb.sourceforge.net/
Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges, and does not require users to insert their passwords to the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the negotiateauth extension).

Related

haproxy configure Authentication and ACL

I'm new to the world of load balancing...
I heard about HAProxy and I wonder if I can achieve this objective (not found yet in the searches I have already done):
1. HAProxy receives an MQTT/HTTP connection with basic authentication (login-password) or token based
2. HAProxy checks credentials from a Database (or LDAP)
3. HAProxy manages the access depending on the authenticated User.
--> all of the user/credential and ACL data should be stored in a Database.
Is this possible? Is there in HAProxy a system of custom plugins/add-ons to enhance its behavior?
I found things about setting a list of ACLs directly in the configuration with an already existing list of login/password (but not dynamically, even if cached afterwards).
Thanks a lot for your ideas.
I think this is only supported in Enterprise Haproxy:
The HAProxy Single Sign-On solution [...] is also compatible with Microsoft Active Directory or OpenLDAP servers.
https://www.haproxy.com/documentation/hapee/1-8r1/security/using-sso/
The only plugin I found is an http request check to see if the user is authenticated on an arbitrary endpoint:
https://github.com/TimWolla/haproxy-auth-request
But it requires a specialized web app responding to the requests for that.

Digest access authentication on nginx

Is it possible to use HTTP 1.1 digest access authentication instead of basic access authentication when restricting access to a website with nginx?
I mean this in a similar fashion as in the nginx guide.
You can use the ngx_http_auth_digest module.
That module is not standard yet so you'd have to install it.

Avoid NTLM authentication method

I have a web application which is developed using vb.net.
My web application uses Windows authentication mode.
Security team scanned the application and reported one issue.
Steps followed to produce the issue:
1. Type the url in browser (url - https://sample/applicationname) and press Enter
2. Analyze the response using the proxy tool 'Fiddler' - which shows that the authentication method is NTLM, which is insecure.
Recommendations given by security team:
Change authentication method to a more secure one such as Digest, client certificates or similar. Otherwise use an encrypted channel to protect information by implementing HTTPS.
Note: HTTPS is already implemented.
Kindly let me know how to solve the issue.
Thanks in advance.
Digest is less secure than NTLM, so you may want to mock your security team. Digest uses MD5 (in a weak manner) and requires reversible passwords. If you really want to go more secure than NTLM, you may want to configure Kerberos. The options vary depending on your version of IIS. Google will have your answer.

Kerberos Authentication for multi-tenant apache hosted Rails app

I would like to support a multi-tenant rails application with conditional support for Kerberos authentication by tenant.
The examples I've seen with mod_auth_kerb assume the apache server will reach out directly to the KDC for validating the ticket. In my case, I would like the server to have the client browser negotiate w/ the KDC and provide the appropriate ticket. I believe this is done by returning a 401 w/ www-negotiate header and the client browser will then call back with the ticket. The apache server would then just validate the ticket against the appropriate keytab. My understanding is I will need a keytab from each domain that will support Kerberos auth.
So, I think I can easily provide an "/auto_login" route that Apache then enforces Kerberos on. However, I'm not quite sure how to have Apache choose the right keytab; e.g. if I hit /auto_login?client=abc to validate against ABC's keytab.
I currently use Devise. A custom strategy (Devise ignoring custom strategy) would be nice, but it seems I have the same issue in configuring the Krb5 gem (unsupported now?) to handle multiple keytabs and determine which to validate against.
How many distinct realms do you have? mod_auth_kerb works fine with multiple realms, as long as their KDCs are capable of validating trust relationships and issuing cross-realm TGTs, and your krb5.conf configuration does proper mapping to those realms.
If you are able to establish cross-realm trusts between the realms, then the problem is already solved -- just specify all accepted realms in mod_auth_kerb's configuration:
KrbAuthRealms CUSTA.COM CUSTB.COM WHATEVER.COM
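As an added illustration for the two mod_auth_kerb answers above (the Windows question at the top of the page and this multi-realm one), and not configuration from either answer or from the mod_auth_kerb project: an Apache block that enforces ticket-based Negotiate on the /auto_login route from the question and accepts tickets from several realms. The realm names, keytab path and module path are assumed placeholders; on Windows the module is a .so/.dll under the Apache modules directory instead of the path shown.

```apache
# Added example (not from the original answers). Load mod_auth_kerb
# and protect the /auto_login route with Kerberos tickets only.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /auto_login>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder realms: every realm whose tickets should be accepted.
    KrbAuthRealms CUSTA.COM CUSTB.COM
    # Service principal name; the keytab holds an HTTP/<host>@<REALM>
    # key for each accepted realm (placeholder path).
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # SPNEGO/Negotiate only: disable the Basic-auth fallback so the
    # browser never sends the user's password to the web server.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Keep the realm in REMOTE_USER (user@CUSTA.COM vs user@CUSTB.COM)
    # so the application can map the principal to the right tenant.
    KrbLocalUserMapping Off
    Require valid-user
</Location>
```

The application behind /auto_login should check the realm suffix of REMOTE_USER against the tenant being requested rather than trusting a client-supplied query parameter alone.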

How to configure Tomcat to use Windows NTLM authentication?

I would like to use NTLM authentication with Tomcat so that Internet Explorer automatically sends both the user id + pwd to the webapp. Is this possible?
With "BASIC" authentication IE pops up the usual pwd dialog but I want to skip this dialog. (Note: I use JNDIRealm/ldap)
Yes, it's now possible with Waffle Tomcat Authenticator that supports Negotiate (NTLM v1, v2, etc., and Kerberos).
Tutorial:
http://code.dblock.org/ShowPost.aspx?id=103
Waffle:
http://dblock.github.io/waffle/
Waffle works on windows server only
Yes, it is. The Tomcat Wiki references documentation about Samba code that enables Tomcat to do NTLM authentication.
The Samba community implemented a Servlet filter that allows authenticating users against a domain controller.
Alternatively, if you're on a Windows server, you can have IIS do the authentication and redirect requests to Tomcat. Here's the documentation: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
JCIFS is now (2011) deprecated (does not support NTLM v2).
JESPA is not free but may work out for you.
Waffle is windows server only
You may want to check out UnboundID's LDAP solution www.unboundid.com/products/ldapsdk/
Haven't tried it yet but seems like a compromise.
Here is a quick comparison between UnboundID SDK, JNDI and Netscape SDK: www.unboundid.com/products/ldap-sdk/docs/advantages/comparison.php . It may be biased since it's on unbound's website but hey, gives you a good idea why you might consider it.
People from the JCIFS project (the one referenced in mkoller's answer) say that the solution they provide is not compatible with NTLMv2...
http://jcifs.samba.org/src/docs/ntlmhttpauth.html
you should check http://www.ioplex.com/jespa.html, which is not free...
I have used JCIFS, Waffle and IIS side by side.
JCIFS does not support NTLM v2, sometimes prompts users
Waffle supports NTLM v2, but sometimes prompts users
IIS is the only solution where promptless NTLM authentication works 100% of the time