I just spent several days having a terrible time with desktopsso. I have worked through my issues and, as I did not find any solutions in the forums, I thought I would post this.
General info
Our environment has external <outside the FW> and internal <inside the FW> users.
External users are not logging onto a desktop on the AD domain.
Internal users are.
Currently all users have a user in the AD domain and AM authenticates against AD.
The Login method for users is Username and Password.
Our AD has 2 "tiers" we are interested in:
top.hill.com
near.top.hill.com
We use AM 7.1 patch 1 and DS 6. All servers are running Windows 2003 R2.
The AM servers are members of the top.hill.com AD domain. There are 4 of them:
am01 am02 am03 am04.top.hill.com
The Sun Directory servers are the same way:
dir01 dir02 dir03 dir04.top.hill.com
Those are the real hostnames of those systems. This is important, as apparently Kerberos does not like DNS aliases.
Users access Access Manager services via
http://am.hill.com/amserver/UI/Login
This is just a DNS name pointed to the external interface of the load balancers. All traffic currently goes through there; all agents are configured to use that for the LoginURL etc ...
So internal and external users all use that URL through the external interface of the LB.
So, desktop SSO.
Fun.
Steps:
All machines are already present in AD as they are joined to the top.hill.com domain.
Find each of those systems in AD, right-click on them and go to Properties. Check the little box that says "Trust computer for delegation", click OK, and OK the resulting scary warning.
Reboot all of the AM machines after doing this.
Install the Support Tools from the Windows CD on your DC for top.hill.com if they are not already installed.
You will need the ktpass utility to make this work.
Create a user for each host in the Users tree of top.hill.com:
AM01
AM02
AM03
AM04
Add them each to the Administrators group and set the password to never expire.
On the DC, in a command window,
create a working directory someplace and cd into it.
You have to do this as a domain admin for top.hill.com. That should be obvious, but hey ...
cd into that directory,
then run the following, substituting your values, obviously.
You will do this for each host, substituting AM0X with your hostname.
So a total of 8 commands for me.
This generates files in your working directory. These will get copied to each of your AM hosts.
On each AM host create a directory to hold the keytab files.
I did it in c:\etc\keytab; you will reference the path to this in the auth modules.
Copy all the files you created on the DC to that directory on every host.
Configure 4 new DesktopSSO authentication modules.
I named mine
desktopAM01 desktopAM02 desktopAM03 desktopAM04
Save all the time, as the console is such fun: after each change, click Save.
Once they are created, configure each of them something like this.
This should take you directly to your success page without prompting for a username/password.
Once all four work,
I set up a link on the login pages of each with a distinct hostnamed URL,
"Internal Users Login Here". This points to the above link + a goto:
http://am0X.top.hill.com/amserver/UI/Login?module=desktopAM0X&goto=dynamicallygeneratedurlfromtheoriginalrequest
4 holes are configured on the external LB, one for each AM host, and the associated hostnames are published externally.
Not pretty, but I think this is the only way to get it working.
If anyone knows of a way to get this working using a DNS alias such as
AM.hill.com .... which has no associated host or a DC at that level, please let me know.
The setup sounds great. I thought with a couple of changes you could make the "select an authenticator" page disappear and get the Windows desktop SSO using the load balancer address on the single keytab.
I have a similar internal (desktopsso) / external (other module) configuration. We use CDSSO and I configured the com.sun.am.policy.agents.config.cdcservlet.url property to a CGI script, e.g.
The CGI script has a list of internal subnets and redirects to an internal URL with the Windows Desktop SSO URL, with the rest of the parameters, if the client IP address matches one of the internal subnets in the list. If the source IP address does not match an internal subnet, then it is external and is redirected to a distAuthUI for password/PKI authentication.
If you're not using CDSSO you can modify the com.sun.am.policy.am.login.url property with a CGI script.
The internal web server configuration was modified so the 401 Unauthorized response sends an HTML page that, with some JavaScript, redirects to a password module (with all the CDSSO parameters from the request) for the non-Windows-domain systems that are internal.
The internal URL is on a load balancer with a DNS record for identity.tcipip.com. The SPN is set up in the domain, HTTP/identity.tcipip.com@AD.TCPIP.COM, with the corresponding key in keytab format on both the Access Manager instances.
Here's a snippet of the jumper; not promising it will run without some modification:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use URI::Escape;
use Net::Netmask;

# The internal URL that is configured with desktop SSO
my $internal_auth_url = "https://identity.tcpip.com/amserver/cdcservlet";
# The external URL, that is the distAuthUI server
my $external_auth_url = "https://access.tcpip.com/distAuth/cdcservlet";

# List of IP ranges considered "local" and so capable of doing desktop sso.
my @internal_proxies = ();
push(@internal_proxies, Net::Netmask->new('10.10.0.0/16'));

my $cgi = CGI->new;

# Redirect to this service chain if the client is not "Local"
my $service = "external";
my $debug = 0;
# Set to 1 to force the external chain even for internal clients (testing aid;
# the original snippet referenced this flag without declaring it).
my $fake_external_auth = 0;

# match() expects an IP address, so use remote_addr rather than remote_host,
# which may return a reverse-resolved hostname.
my $remote_host = $cgi->remote_addr();
# Sometimes the load balancer is the real client, but a header is populated with the real client
my $lb_client = $cgi->http('LB_CLIENT');
my $target = $cgi->param('goto');
if ($lb_client) {
    $remote_host = $lb_client;
}

# Pass the original query string (goto, CDSSO parameters, ...) through untouched
my $query_string = $ENV{'REQUEST_URI'} || '';
$query_string =~ s#^/cgi-bin/amjumper.cgi\?##;

my $redirect_url = "";
foreach my $ip (@internal_proxies) {
    if ($ip->match($remote_host) and !$fake_external_auth) {
        $redirect_url = $internal_auth_url . "?" . $query_string;
        if ($debug) {
            # A debug page needs a Content-Type header before any HTML
            print $cgi->header;
            print "<p>will redirect to:<br>\n";
            print "<tt>", $redirect_url, "</tt><br>\n</p>";
        }
        else {
            print $cgi->redirect(-uri => $redirect_url);
        }
        exit(0);
    }
}

$redirect_url = $external_auth_url . "?service=${service}&" . $query_string;
if ($debug) {
    print $cgi->header;
    print "<p>will redirect to:<br>\n";
    print "<tt>", $redirect_url, "</tt><br>\n</p>";
}
else {
    print $cgi->redirect(-uri => $redirect_url);
}
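The routing decision the jumper makes, as an added Python example (not the poster's script and not part of Access Manager): classify the client by subnet and send it to the desktop SSO URL or the distAuthUI URL. It goes one step beyond the snippet by only honouring the LB_CLIENT header when the direct peer is one of the load balancer addresses, so the header alone cannot move a request onto the internal chain. The URLs, subnet and load balancer address are constructed placeholders.

```python
import ipaddress

# Constructed values; in a real deployment these come from the jumper's configuration.
INTERNAL_AUTH_URL = "https://identity.tcpip.com/amserver/cdcservlet"
EXTERNAL_AUTH_URL = "https://access.tcpip.com/distAuth/cdcservlet"
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Assumed address of the load balancer that populates the LB_CLIENT header.
TRUSTED_LB_PEERS = {ipaddress.ip_address("10.10.0.5")}


def effective_client(remote_addr, lb_client=None):
    """Return the address to classify.

    The LB_CLIENT header is only believed when the request actually came
    from a known load balancer; otherwise the TCP peer address is used.
    """
    peer = ipaddress.ip_address(remote_addr)
    if lb_client and peer in TRUSTED_LB_PEERS:
        try:
            return ipaddress.ip_address(lb_client.strip())
        except ValueError:
            # Malformed header: fall back to the peer rather than guessing.
            return peer
    return peer


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def choose_auth_url(remote_addr, query_string, lb_client=None, fake_external=False):
    """Pick the cdcservlet URL the client should be redirected to.

    query_string is the original goto/CDSSO parameter string and is passed
    through unchanged, as the jumper does.
    """
    client = effective_client(remote_addr, lb_client)
    if is_internal(client) and not fake_external:
        return f"{INTERNAL_AUTH_URL}?{query_string}"
    return f"{EXTERNAL_AUTH_URL}?service=external&{query_string}"


if __name__ == "__main__":
    # Constructed sample requests
    print(choose_auth_url("10.10.3.4", "goto=https%3A%2F%2Fapp%2F"))
    print(choose_auth_url("10.10.0.5", "goto=x", lb_client="203.0.113.7"))
    print(choose_auth_url("203.0.113.7", "goto=x", lb_client="10.10.1.1"))
```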
That is an interesting idea; I might be able to do something with this.
I am not sure what the LB is doing to the traffic coming into the AM.
Maybe a JavaScript would suffice on the login page to force the users through the appropriate auth module.
if myip == LIST do ; loginvia module,
Interesting.
The multiple auth modules are messy but function.
I could not get any aliased token to work.
I made one for am.top.hill.com and tried using that URL; it always gave me a Kerberos token error about the user not being found when I used it.
There is an appropriate user and machine created in the top.hill.com domain.
Any ideas on that?
I am not exactly a Kerberos genius, obviously.
Another issue is the service URL is am.hill.com; no domain controller at that level here. top.hill.com is the top of the tree here.
The desktopssoam0X modules are not configured in the user auth chain, so it is not an issue for external users. They just hit the login page, so no 401.
Thanks for replying; I was thinking I was the only man on earth for a while :)
I added this into the head section of the Login.jsp
It checks to see if you are looking for the console and lets you in without rerouting through desktop SSO.
If you are not looking for the console and your hostname matches the string check for top.hill.com, it sends you through desktop SSO and then on to your goto.
If your hostname does not match the string check, then you just get the Login page.
Now I just need to get the module configured with a DNS alias token
am.top.hill.com
Any ideas???
The am.top.hill.com should be an A-record entry in DNS, not an alias. Firefox will only use the canonical DNS record to retrieve a ticket from the authentication service.
1. Create a principal in the realm for am@top.hill.com
2. You should be able to create an entry in your domain. It appears the NT domain is TOP and the Kerberos realm is TOP.HILL.COM:
From a shell prompt, you should be able to use a configured client to get credentials from the domain:
kinit HTTP/am.top.hill.com@TOP.HILL.COM
and enter the password from ktpass (pAsSwOrD).
The keytab file generated in am.http.keytab is the keytab for use.
Yes, it should. In the environment I set up WindowsDesktopSSO in, we configured one keytab file for the virtual hostname (am.xyz.com), copied that keytab file to all the AM servers behind the load balancer, and then configured an instance of the WindowsDesktop module to use it. Since the AM server configuration stores were configured with multimaster replication, the exact same config was used on all the servers. Of course, if the load balancer was bypassed and the servers were accessed directly by their hostnames, WindowsDesktopSSO failed, but that was not a problem for us.
OK, so the service inits OK now using am.hill.com,
but I am getting this error for user auth.
I am thinking it is because there is no am.hill.com machine that has delegation,
and there cannot be one as there is no domain controller at that level....
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
token tag:60
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
SPNEGO OID found in the Auth Token
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
DerValue: found init token
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
DerValue: 0x30 constructed token found
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
Kerberos token retrieved from SPNEGO token:
60 82 04 b2 06 09 2a 86 48 86 f7 12 01 02 02 01
CUT
cb f9 42 ff ab b2 f6 b7 d1 c1 15 9f c6 5f c9 ac
fd 7a e3 97 06 53 8c ef 98 d7 50 6d 43 46 bd 0c
97 2c 77 72 1e f1
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
In authenticationToken ...
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
Context created.
01/20/2009 08:52:11:780 AM EST: Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
Authentication failed with generic exception.
You can verify which tickets the clients are getting. On Linux (if the nego config is configured) just type:
kinit <principal>
start up Firefox,
authenticate to the web site, then run klist to show what tickets you have in your cache.
The client gets the appropriate ticket for am.hill.com, which looks exactly like the working token for am01.top.hill.com; the menu properties for each match up perfectly, excepting the name of course.