Kerberos/SPNEGO authentication through Apache to Cherrypy - apache

We are wanting the ability to provide seamless single-sign-on into our web application. Our users are all using a modern version of IE and they will be accessing our website locally within an intranet, they will all be logged into Windows with AD accounts.
It seems that we can use integrated windows authentication to have the browser pass through the credentials, so this side looks fine.
But on the server side we have Apache 2.2 (hosted on Windows Server 2008+) with CherryPy sitting behind it - we use Rewrite rules to pass requests into CherryPy.
I have managed to find a windows compiled version of mod_spnego for Apache 2.2 (https://github.com/ibauersachs/mod_spnego) and I believe I have this configured in some way to authenticate the clients using their AD credentials.
However, we need to get these users details through to CherryPy somehow as we need to obtain further AD details over LDAP to apply permissions in our application (something that we already do but with simple username/password authentication first). This is where I have hit a dead end as I can't seem to find a way to do this.
I've seen various talk about the REMOTE_USER environment variable and suggestions for setting an extended header with the information we need in Apache but none of this seems to work.
Could anyone help me understand how to go about this? Apologies if I've not described everything correctly above, as I say I am new to Kerberos/SPNEGO and may be missing something obvious, or trying to overcomplicate things, potentially.

Related

Apache Fallback Authentication from GSSAPI to Mellon

I have an Apache server where users authenticate to a website through Kerberos/GSSAPI (mod_auth_gssapi). In the event of a user attempting to visit the site externally (not available on the network ldap server), I would like to fallback to SAML authentication (mod_auth_mellon), but am having trouble figuring out if this is even possible. I am managing the config for this in httpd.conf. Both work independently of each other.
I have seen a number of suggestions and threads, but nothing seems to work for me. The Mellon module github page recommends using a config to preemptively check for credentials, but in my case, credentials do not exist yet, and any IF statements executed would happen before I can retrieve them.
Essentially, I would like to do this:
User visits site
Apache checks for LDAP username credentials through Kerberos/GSSAPI
If Kerberos credentials do not exist, try to mauthenticate through SAML/Mellon
I do not know ahead of time which users' information will be available in my local AD server or attempting to access externally.
I would like to keep this on the Apache side if possible, though I may have to relent and run SimpleSAML or something after Apache authenticates.
I am expecting to have an authentication fallback of Kerberos to SAML in my Apache config. Currently, Apache defaults to the last authentication method listed in the config file. I would like an either/or scenario, depending on whether the first authentication method is able to obtain a valid user.
Any ideas, thoughts, solutions, criticisms appreciated.

SSO for web application hosted on S3

I have been scratching my head for a while now. Went through tons of documentations but everything seems very confusing. Please forgive if it appears to be a duplicate question, but believe me, the more content I find, the more its confusing me.
Below is the configuration of my project and what I need to achieve:
The project is a web based application developed using Spring framework with Java 8 that is hosted on S3(linux server). HTTP server used is Apache. JBoss is used as an application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials which are validated against Microsoft Active directory using LDAP and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment, and he tries to open the application, he should directly log in and not prompted for credentials again. If he is outside his intranet network, the existing log in method should be followed.
While researching I found the below things I assume can be useful but not able to reach to a conclusion.
Kerberos along with Shibolleth: I went through below two references which somewhat matched with my requirement but not very sure am I looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the below things.
Is Shibolleth the right choice. If yes, what is the exact role of Shibboleth?
What things needs to be setup on the linux server(Kerberos implementation for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the Wildfly server? (as all the references have the thing implemented using Tomcat).
What are the security aspects I should be concerned about.
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

Seamless authentication for WCF calls against a authenticating proxy server using basic auth

I will state up front that this is a well discussed topic however I have been unable to find the answer I need. I have created a winforms app that makes WCF calls to a server. All works fine with no http proxy as well as an http proxy present (non-authenticating). I did no extra coding to achieve this since many problems with proxies were fixed after .NET 1.1. It just works by accepting the Internet Options (from IE). This is my primary goal. I want the proxy config to "just work" including authentication. Right now, proxy with auth fails. I do not want to programmatically specify credentials, server names, port, etc... It was pointed out here
How should I set the default proxy to use default credentials? that the following entry is needed:
<system.net>
<defaultProxy useDefaultCredentials="true" />
</system.net>
I've got this in my app.config but not having success. I'm using squid as my proxy server and I have it setup with Basic authentication. With this setup, I am forced to programmatically provide username/password (don't want this). I know how to do this and I can get it to work but that's not the point. I would like all settings to be discovered including my current credentials I used to authenticate with windows. The following has an interesting answer Web service calls and proxy authentication in the real world. It states that if IE had to prompt for username and password then so would my application. In fact, IE DOES prompt for username and password. I found good info here as well http://blogs.msdn.com/b/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated-credentials-for-webproxy-authentication.aspx. I'm going wrong somewhere. If Basic Auth is wrong, then what type of authentication would allow everything to "just work".
After more research, you really can't do what I'm trying to do across authentication protocols. The following MSDN page http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx points that out. Understandably, basic auth if very old and not supported for calls to DefaultCredentails according to this page, but I'm deploying to users that might be running XP with older proxy servers. I will have to provide my user base with a manual method to configure user/password for basic auth with a proxy server. I believe what I'm trying to achieve is certainly doable with NTLM and Negotiate type auth methods. The bottom line is you have to manually provide user/password with basic auth with code like this:
WebRequest.DefaultWebProxy.Credentials = new NetworkCredential("user", "password123");

OAuth on a webapp behind a firewall -- is it possible?

I'm trying to construct a webapp to add events to an employee's google calendar and would like to use OAuth for authentication.
However, my webapp is forced to be on an intranet behind a firewall; the server has outbound internet access, but blocks in-bound access if you aren't on the intranet or VPNing into the intranet.
I'm reading up on OAuth, but can't figure out if part of the authentication-handshaking process would be blocked by my firewall. (And I'd like to know if its possible before spending time to implement if it isn't possible; and know so if I run into errors I can debug them).
To expand on planetjones's answer, as long as google can resolve the DNS for your application url oauth2 should work behind a fire wall. We had some issues getting getting oauth2 working behind our firewall because we were trying to use a non fully qualified domain name.
OAuth should work just fine over http, using POSTs and GETs and if your client can set the Authorizatioon header. The client should create all the requests and as long as it follows redirects this should be ok - there's never (to my knowledge) a case where an external server initiates an inbound connection.
For added confidence try OAuth with an existing third party service from behind your firewall to be sure. This looks like a good starting point and this is the definitive guide for following the flows of an OAuth call.

Web service calls and proxy authentication in the real world

We are developing an app that consists of a web server that hosts a web service (amongst other things) and a client that will be communicating with that web service. Both the client app and the server are expected to be used within a corporate firewall. This application will be packaged up and deployed to organizations across the world—so it needs to be flexible enough to work in multiple types of environments.
My question revolves around web service authentication and what is appropriate for real world scenarios. I know some companies have proxy servers that require a separate authentication. How often is this a requirement across organizations? When does the proxy server force the user to authenticate (can you access internal sites without authenticating.. is the authentication for only external sites)?
Reason I ask these questions, is I’m not sure what kind of capability we should build into our client application for authentication to the web service. By default, we are taking the current user credentials and passing that up to the server. Do you think this is sufficient? In a case where a company will require some form of alternate authentication for internal access, this will not work. My question revolves around this last case—how often does it happen? Why would a company force alternate credentials for internal access?
Thanks!
Why not make it configurable? Further, use WCF and you have the ability to configure just about anything you might need, in most cases without changing your code.
If Internet Explorer can reach a site through the proxy server without prompting the user, your call to the web service should "just work". If the user is prompted by IE, you'll need to put together a way to fill in the proxy server authentication information.
I've run into quite a few problems getting web services rock solid, but never had a proxy server authentication issue.