What is an spnego Token? - authentication

Sorry if the spelling is completely wrong. What the heck is one? Why is it preventing me from authenticating via Mozilla? Why would someone force me to use one to authenticate from a command line tool? How is it tied to the back end being implemented in Silverlight?

SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.
SPNEGO's most visible use is in Microsoft's "HTTP Negotiate" authentication extension. It was first implemented in Internet Explorer 5.01 and IIS 5.0 and provided single sign-on capability later marketed as Integrated Windows Authentication. The negotiable sub-mechanisms included NTLM and Kerberos, both used in Active Directory.
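To see what one of these tokens actually contains, here is an added example (standard-library Python, not code from the original answer) that decodes an `Authorization: Negotiate <base64>` header value: it tells a raw NTLMSSP message apart from a DER-encoded SPNEGO NegTokenInit, and for SPNEGO lists the mechanisms the client offered, in the client's order of preference. The two sample headers are constructed with the included builder, not captured from a real client, and the mechToken bytes are a placeholder. This is the first check to run when a browser or command-line client fails against a Negotiate-protected endpoint: if the token offers only NTLMSSP, the client never obtained a Kerberos ticket for that service.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
# Mechanism OIDs commonly listed inside SPNEGO tokens (RFC 4178, MS-SPNG).
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",        # Kerberos V5
    "1.2.840.48018.1.2.2": "MS KRB5",      # Microsoft Kerberos variant
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",   # NTLM carried inside SPNEGO
}


def encode_oid(dotted):
    """DER content bytes for a dotted OID (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Dotted form of DER OID content bytes."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def der(tag, content):
    """Wrap content in a DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token):
    """GSS-API InitialContextToken carrying an SPNEGO NegTokenInit (used for samples)."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    fields = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, der(0x30, fields)))


def parse_negotiate_header(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):  # raw NTLM sent under the Negotiate scheme
        return {"kind": "ntlm", "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0])")
    _, seq, _ = read_tlv(choice)
    info, pos = {"kind": "spnego", "mech_types": [], "has_mech_token": False}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes, in the client's order of preference
            _, oids, _ = read_tlv(val)
            p = 0
            while p < len(oids):
                _, o, p = read_tlv(oids, p)
                info["mech_types"].append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:  # mechToken: optimistic token for the first listed mech
            _, tok, _ = read_tlv(val)
            info["has_mech_token"] = True
            info["mech_token_is_ntlm"] = tok.startswith(b"NTLMSSP\x00")
    return info


# Constructed samples, not real captures: an SPNEGO token offering Kerberos first
# with a placeholder mechToken, and a raw NTLM Type 1 message under the Negotiate scheme.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"placeholder-AP-REQ-bytes")).decode()
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24).decode()
```

`parse_negotiate_header(SAMPLE_SPNEGO_HEADER)` reports the three offered mechanisms in order; `parse_negotiate_header(SAMPLE_NTLM_HEADER)` reports a bare NTLM Type 1 message. The parser deliberately stops at the NegTokenInit fields and does not interpret the inner Kerberos or NTLM token, which is all that is needed to diagnose which mechanism a client is trying to use.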

Related

Authenticate users using LDAP for SSO

So I'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to log in to our app again when he or she loads the application. The application validates the user by querying an LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but I'm not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless I'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and I am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy an SSO solution, you need an SSO service. All your applications will have to be "compliant" with this service in one way or another.
The only way I can think of to make a "Windows SSO" without adding a third-party application is for the applications to retrieve NTLM information from requests made by the client and use the user data to identify them (but in terms of security, I let you judge what you think about it ;) ). See this PHP example.
Some LDAP implementations, including OpenLDAP, provide some level of support for the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation).
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFAIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI, although each browser requires specific configuration (typically whitelisting of servers).
There are many SSO products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerability details that have been exploited with GSSAPI/SPNEGO, typically due to implementation issues.

IMAP authenticate vs login

IMAP servers may, according to RFC 3501, support these (and other) commands:
LOGIN
AUTHENTICATE "PLAIN"
Questions:
Is there a reason to use one above the other?
Is there a reason to support other AUTHENTICATION mechanisms when TLS is used?
Almost all servers support LOGIN, which is the basic baseline way to authenticate.
AUTHENTICATE is an extensible generic command, which could support any SASL* authentication mechanism, or custom methods.
I would use LOGIN where available because it's a simpler command (no base64 or continuation responses).
Reasons to use AUTHENTICATE: supporting SSO or OAUTH scenarios, which have different requirements than just a username and password.
For example, to integrate well with GMail, OAUTH2 is the preferred mechanism, which has a custom AUTHENTICATE method.
*SASL is the Simple Authentication and Security Layer, which is a metaprotocol for authentication, currently described in RFC 4422.
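The difference between the two commands is easiest to see on the wire. The following added example (standard-library Python, not code from the answer above) builds the client side of a LOGIN command, of a SASL PLAIN initial response for AUTHENTICATE, and of the XOAUTH2 initial response format Gmail accepts; it also shows the one decision a client should make before sending any of them: pick the mechanism from the server's CAPABILITY list and refuse to send a password before TLS is up or while the server advertises LOGINDISABLED (RFC 3501). The capability lists and credentials are constructed sample values.

```python
import base64


def _imap_quoted(s):
    """IMAP quoted-string form of s (RFC 3501); CR/LF are never allowed."""
    if "\r" in s or "\n" in s:
        raise ValueError("CR/LF not allowed in IMAP quoted strings")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def login_command(tag, user, password):
    """One-line LOGIN: no base64, no continuation, credentials in the clear."""
    return f"{tag} LOGIN {_imap_quoted(user)} {_imap_quoted(password)}"


def sasl_plain_initial_response(authzid, authcid, password):
    """SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    for part in (authzid, authcid, password):
        if "\x00" in part:
            raise ValueError("NUL not allowed in SASL PLAIN fields")
    msg = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def decode_sasl_plain(b64):
    """Inverse of sasl_plain_initial_response: what the server (or a sniffer) sees."""
    parts = base64.b64decode(b64).decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(parts)


def xoauth2_initial_response(user, access_token):
    """XOAUTH2 initial response as used by Gmail: user=..^Aauth=Bearer ..^A^A, base64."""
    msg = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def authenticate_exchange(tag, mechanism, initial_response, sasl_ir):
    """Client lines for AUTHENTICATE. With SASL-IR (RFC 4959) the initial response
    rides on the command line; otherwise it is sent after the server's '+ ' prompt."""
    if sasl_ir:
        return [f"{tag} AUTHENTICATE {mechanism} {initial_response}"]
    return [f"{tag} AUTHENTICATE {mechanism}", initial_response]


def choose_auth_mechanism(capabilities, tls_active, have_oauth_token=False):
    """Pick a mechanism from a CAPABILITY response. Never send a password over a
    plaintext connection, and honour LOGINDISABLED (RFC 3501)."""
    caps = {c.upper() for c in capabilities}
    if have_oauth_token and "AUTH=XOAUTH2" in caps:
        return "XOAUTH2"          # bearer token, no password on the wire
    if not tls_active:
        return None               # LOGIN and PLAIN both expose the password
    if "AUTH=PLAIN" in caps:
        return "PLAIN"
    if "LOGINDISABLED" not in caps:
        return "LOGIN"
    return None


# Constructed samples: a pre-STARTTLS capability list and a post-STARTTLS one.
CAPS_PLAINTEXT = ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]
CAPS_TLS = ["IMAP4rev1", "SASL-IR", "AUTH=PLAIN", "AUTH=XOAUTH2"]
```

Typical use: after `STARTTLS`, call `choose_auth_mechanism(CAPS_TLS, tls_active=True)`, then either send `login_command(...)` or the lines from `authenticate_exchange(...)`. `decode_sasl_plain` makes the point behind the answer's TLS remark concrete: PLAIN is base64, not encryption, and the password is recovered trivially by anyone who can read the connection.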

Log in WSO2 Identity Server (IS) with Kerberos authentication

I would like to authenticate automatically to WSO2 IS with a Kerberos ticket obtained from Kerberos authentication (using Windows Server 2K12 as KDC).
I didn't find any information related to Kerberos authentication in the WSO2 documentation. The list of all handled methods is defined here: https://docs.wso2.com/display/IS460/Managing+the+Identity+Server.
The one that is closest to Kerberos authentication is the "integrated windows authentication".
Have I missed the documentation page, or is it impossible to authenticate with this method?
I think I should go with https://docs.wso2.com/display/IS500/Creating+Custom+Authenticators but I'm not sure about it.
Thanks.
I think you basically need Windows authentication? It means once you log in to a Windows machine, you can access the service protected with Identity Server by default. In IS 5.0.0, you can find IWA authentication that can be used for external application authentication and login to the WSO2 IS management console. There is an article that explains this. Please refer to it from here; you can use it.
Yes, you can plug in a custom authenticator. But I guess IWA can help you to achieve this.

Is there a javascript or response header to log an NTLM user out in a browser?

I've written a couple of ASP.NET HTML applications designed for use on small BlackBerry devices. The BB OS versions are from 4.6 to 5.0.
The sites use Windows authentication to log the user in. Is there a way to allow the user to log out of the applications so that any further revisit will prompt them for the NTLM credentials again?
Thanks,
Brian.
If you are using an MDS proxy, it's the proxy that handles the NTLM authentication to the end server. You will likely be using basic authentication between the phone and the proxy.
There isn't an MDS API that will tell it to re-authenticate. The best you can do via MDS is bypass authentication altogether, but then you will need to manage NTLM yourself:
What is the correct header value to bypass MDS HTTP authentication?
Another option is to write your own logout API on your .NET application which deletes your session cookie. That way MDS will be forced to re-negotiate NTLM at the next attempt.
Note: the bypass option is available in Enterprise Server 4.1.7 and above; it's not available in the simulator.

Tomcat authentication using SPNEGO/Kerberos and delegation

Is there an Apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?
I've already looked at mod_spnego, and it throws away the SSPI context it creates, only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat, that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.
EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so that when legacy code connects to another server, the delegated credentials are used.
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, using either Basic or Negotiate authentication. The user can then be impersonated, and native API calls will be performed with the access token of the impersonated user.
How about using the JAAS realm and the Kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.