Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Configuring Basic Windows Desktop SSO Authentication

The following is an overview of steps you must complete to achieve single sign-on using the OpenSSO Enterprise Windows Desktop SSO Authentication module:

  1. Configure a Kerberos Domain Controller in Windows or UNIX.

  2. Synchronize OpenSSO Enterprise and the Kerberos Domain Controller Clocks.

  3. Configure DNS (Windows platform only).

  4. Configure a Windows XP Workstation to join the Kerberos Domain Controller Realm if the Kerberos Controller is on UNIX.

  5. Configure a Windows XP Workstation to join an Active Directory Domain Controller if the Kerberos Controller is on Windows.

  6. Create the Windows XP User's Local Account.

  7. Configure an Existing Windows XP Workstation to join an Active Directory Controller Domain if the Kerberos Controller is on Windows.

  8. Configure an Existing Windows XP Workstation to join a UNIX Kerberos Domain Controller Domain if the Kerberos Controller is on UNIX.

  9. Configure the Browser.

  10. Configure the OpenSSO Enterprise Windows Desktop SSO Authentication Module.

The basic configuration instructions described in this document are based on the components described in the following table.

Table 18–1 Components Used in the Configuration and Setup Examples

Component                          Product Name                     Platform           Host Name
OpenSSO server                     Sun OpenSSO Enterprise 8.0       Solaris 10 SPARC   opensso.example.com
Windows Domain Controller          Windows 2003 Domain Controller   Windows 2003       domaincontroller.example.com
Kerberos Domain Controller (KDC)   Not applicable                   Solaris 10 SPARC   kerberos.example.com
Windows XP client                  Windows XP SP3                   Windows XP         winXP.example.com

Configuring a Kerberos Domain Controller on Windows or UNIX

The Kerberos Key Distribution Center issues security keys, also called tickets, for authentication. A Kerberos domain controller recognizes the tickets issued by the Key Distribution Center, and extends Kerberos authentication to multiple resources within an intranet. A Kerberos domain controller must be running on a UNIX system, or on a Windows 2000 or Windows 2003 system that supports the Kerberos Domain Controller within the intranet. Microsoft Windows Active Directory and a Windows Domain Controller together form the Windows equivalent of the UNIX Kerberos domain controller. An administrator can use the Active Directory Domain Controller wizard to create a domain controller realm on a Windows server host. Once the administrator has created a working Kerberos realm, both Windows and UNIX computer systems can participate as clients in the single sign-on environment. The following instructions are included in this document:

For detailed information about installing and configuring Kerberos components, see the Kerberos V5 Installation Guide and the Kerberos V5 Administrator's Guide.

To Configure a UNIX Kerberos Domain Controller

Edit the krb5.conf and kdc.conf files to specify where and how the Kerberos Domain Controller is running.

  1. Modify the krb5.conf file.

    For detailed information about the krb5.conf, see the Kerberos V5 Administrator's Guide.

    Example:


    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = /etc/krb5/krb5.keytab
    default_realm = DEMO.IDENTITY.COM
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
    default_checksum = rsa-md5
    kdc_timesync = 0
    kdc_default_options = 0x40000010
    clockskew = 300
    check_delegate = 0
    ccache_type = 3
    kdc_timeout = 60000
    [realms]
    DEMO.IDENTITY.COM = {
    kdc = demo1.identity.com:88
    admin_server = demo1.identity.com:749
    default_domain = identity.com
    }
    [domain_realm]
    .identity.com = DEMO.IDENTITY.COM
    identity.com = DEMO.IDENTITY.COM
    [appdefaults]
    pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000d
    forwardable = true
    krb4_convert = false
    }
  2. Modify the kdc.conf file.

    For detailed information about the kdc.conf file, see the Kerberos V5 Administrator's Guide.

    Example:


    [kdcdefaults]
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    v4_mode = nopreauth
    [realms]
    DEMO.IDENTITY.COM = {
    master_key_type = des-cbc-crc
    supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }
  3. Create the Kerberos Domain Controller database using the kdb5_util command.

    This database will store information about all the principals and associated secrets contained in the realm.

    Example:


    /etc/krb5/% kdb5_util create -s 
    Initializing database '/var/krb5/principal' for realm 'DEMO.IDENTITY.COM', 
    master key name 'K/M@DEMO.IDENTITY.COM' 
    You will be prompted for the database Master Password. 
    It is important that you NOT FORGET this password. 
    Enter KDC database master key: 
    Re-enter KDC database master key to verify:
  4. Create a new user account.

    1. Add a user principal with the kadmin.local command.


      # kadmin.local
      Authenticating as principal admin/admin@DEMO.IDENTITY.COM with password.
      kadmin.local: addprinc demouser1
      WARNING: no policy specified for demouser1@DEMO.IDENTITY.COM;
      defaulting to no policy
      Enter password for principal "demouser1@DEMO.IDENTITY.COM":
      Re-enter password for principal "demouser1@DEMO.IDENTITY.COM":
      Principal "demouser1@DEMO.IDENTITY.COM" created.
    2. Verify that the user account is added correctly to the database.

      Authenticate the user to the Kerberos domain. Example:


      # kinit demouser1
      Password for demouser1@DEMO.IDENTITY.COM:
    3. Validate the user's Kerberos ticket in the ticket cache.


      # klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: demouser1@DEMO.IDENTITY.COM
      Valid starting     Expires            Service principal
      06/22/07 11:10:16  06/23/07 11:10:16  krbtgt/DEMO.IDENTITY.COM@DEMO.IDENTITY.COM
  5. Create a new user account for the Kerberos service user.

    1. Add a service principal for OpenSSO Enterprise.

      Example:


      # kadmin.local: addprinc -randkey HTTP/amserver.identity.com
      WARNING: no policy specified for HTTP/amserver.identity.com@DEMO.IDENTITY.COM;
      defaulting to no policy
      Principal "HTTP/amserver.identity.com@DEMO.IDENTITY.COM" created.
    2. Generate a keytab file for OpenSSO Enterprise.


       # kadmin.local: ktadd -k amserver1.HTTP.keytab HTTP/amserver.identity.com
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type ArcFour with HMAC/md5 added to keytab 
      WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type Triple DES cbc mode with HMAC/sha1 added to 
      keytab WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type DES with HMAC/sha1 added to 
      keytab WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type DES cbc mode with RSA-MD5 added to keytab 
      WRFILE:amserver1.HTTP.keytab. 
    3. Verify that the Kerberos service account is added correctly to the database.

      Use the kinit and klist commands to validate the Kerberos service account. Authenticate the service principal to the Kerberos domain with the keytab file. Example:


      # kinit -k -t amserver1.HTTP.keytab HTTP/amserver.identity.com
    4. Validate the keytab file for the Kerberos service principal.

      Example:


       # klist -k amserver1.HTTP.keytab 
      Keytab name: FILE:amserver1.HTTP.keytab 
      KVNO Principal 
      ------------------------------------------------ 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM
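Added here as an example (not code from the guide or the OpenSSO project): a small Python checker that parses the krb5.conf shown in step 1, including the NAME = { ... } blocks under [realms] and [appdefaults], and reports the problems a deployer would want caught before continuing: no kdc for default_realm, no domain_realm mapping to it, DES-only ticket enctypes, and a clockskew widened beyond the usual 300 seconds. The function names and the trimmed sample configuration are the example's own.

```python
import re

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}  # legacy enctypes

def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf text into {section: {key: value | {subkey: value}}}.
    Handles the one level of 'NAME = { ... }' nesting used by [realms]; a repeated key keeps its last value."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                  # new section header
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":                        # end of a nested block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                       # start of a nested block
            block, conf[section][key] = key, {}
        elif block is not None:
            conf[section][block][key] = value
        else:
            conf[section][key] = value
    return conf

def check_realm_config(conf, max_skew=300):
    """Return findings to resolve before pointing the Windows Desktop SSO module at this KDC."""
    findings, libd = [], conf.get("libdefaults", {})
    realm = libd.get("default_realm", "")
    realm_conf = conf.get("realms", {}).get(realm)
    if not isinstance(realm_conf, dict) or "kdc" not in realm_conf:
        findings.append("realms: no kdc entry for default_realm %r" % realm)
    if realm not in conf.get("domain_realm", {}).values():
        findings.append("domain_realm: no host or domain maps to %r" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        etypes = libd.get(key, "").split()
        if etypes and set(etypes) <= SINGLE_DES:
            findings.append("libdefaults: %s allows only single DES (%s)" % (key, " ".join(etypes)))
    if int(libd.get("clockskew", 0)) > max_skew:
        findings.append("libdefaults: clockskew above %d s; synchronize clocks instead of widening it" % max_skew)
    return findings

# Constructed sample: a trimmed copy of the realm settings shown in the text above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DEMO.IDENTITY.COM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
DEMO.IDENTITY.COM = {
kdc = demo1.identity.com:88
}
[domain_realm]
.identity.com = DEMO.IDENTITY.COM
"""
```

Run against the sample, the checker reports the two DES-only enctype settings and nothing else; adding an AES enctype in front of des-cbc-md5 clears both findings.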

To Configure Windows Active Directory and Domain Controller

  1. Log in as an administrator to the Windows 2000 or 2003 server host.

  2. From the Start menu, go to Administrative Tools > Manage Your Server.

    1. On the Manage Your Server wizard, choose Adding Roles to Your Server.

    2. In the Server Role window, choose Domain Controller (Active Directory).

    3. Accept the default values by clicking Next.

    4. Continue to accept the default values and click Next until the Report DNS Issue window is displayed.

    5. This window is displayed when no properly configured DNS exists for Active Directory. Choose “Install and Configure DNS” to proceed to the next window.

    6. Continue to accept the default values and click Next until the Summary window is displayed, then click Next.

      The Active Directory Installation wizard is invoked.

  3. Install the Active Directory Domain Controller.

    For detailed instructions, see Install Active Directory Domain Services on the Windows Server 2008-Based Member Server.

  4. Install Windows Support Tools.

    Windows Support Tools contains the ktpass Kerberos tool you need to map a service principal with an Active Directory account. For information about ktpass, see the Ktpass Overview. For detailed instructions on installing Windows Support Tools, see How to install the Windows 2000 Support Tools to a Windows 2000 Server-based computer.

  5. Create a new user account.

    1. From the Start menu, go to Programs > Administration Tools.

    2. Choose “Active Directory Users and Computers.”

    3. Enter a user name and password for the new user, and create the user.

    4. Verify that the Kerberos ticket is returned by the Kerberos Authentication Server properly.

      Log into the new domain account from any Windows XP workstation belonging to the domain. You can use the Windows Support Tools to verify that the Kerberos ticket is returned by the Kerberos Authentication Server and cached into the ticket cache. For information about Windows Support Tools, see Windows Support Tools.

  6. Create a user account to map to the Kerberos service.

    1. From the Start menu, go to Programs > Administration Tools.

    2. Choose “Active Directory Users and Computers.”

    3. Create a new user with a name that is meaningful to you.

      In this example, the name is openSSOhost.

    4. Use the ktpass command to associate this user account with a service principal.

      Example:


      C:\Documents and Settings\Administrator>ktpass /pass password /mapuser openSSOhost
      /princ HTTP/openSSOhost.identity.com@OPENSSOHOST.EXAMPLE.COM +DesOnly /ptype
      KRB5_NT_PRINCIPAL /Target OPENSSOHOST.EXAMPLE.COM
      Using legacy password setting method
      Successfully mapped HTTP/openSSOhost.example.com to openSSOhost.
      Key created.
      Account openSSOhost has been set for DES-only encryption.

      If OpenSSO Enterprise is configured with Java version 1.5_08 or higher, you don't need to specify the +DesOnly parameter here.

    5. Export the keytab file and copy it to the system where OpenSSO Enterprise is installed.

      Example:


      C:\Documents and Settings\Administrator>ktpass /out demo1.HTTP.keytab /princ
      HTTP/demo1.identity.com@DEMO.IDENTITY.COM /ptype KRB5_NT_PRINCIPAL /crypto
      DES-CBC-CRC /Target DEMO.IDENTITY.COM
      NOTE: creating a keytab but not mapping principal to any user.
      For the account to work within a Windows domain, the
      principal must be mapped to an account, either at the
      domain level (with /mapuser) or locally (using ksetup)
      If you intend to map HTTP/demo1.identity.com@DEMO.IDENTITY.COM
      to an account through other means or don't need to map the user, 
      this message can safely be ignored.
      Key created.
      Output keytab to demo1.HTTP.keytab:
      Keytab version: 0x502
      keysize 70 HTTP/demo1.identity.com@DEMO.IDENTITY.COM ptype 1
      (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8
      (0xa1c4e6203e3b0d34)

      If OpenSSO Enterprise is configured with Java version 1.5 or higher, you don't need to specify the /crypto DES-CBC-CRC parameter here.

      You can test if this keytab file will work for OpenSSO Enterprise by using the Windows Support Tools, and specifying the /crypto DES-CBC-CRC parameter.
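As an added example (not from the guide or the OpenSSO project), a Python reader for the MIT keytab format that ktadd, ktpass and klist -k work with, so the keytab copied to the OpenSSO Enterprise host can be checked offline for the Service Principal and enctype the module needs; it serves the klist -k step in the UNIX procedure above, the ktpass export here, and the note under the module configuration that a WebSphere deployment needs a DES-CBC-MD5 key. The builder exists only to construct the sample bytes; the sample principal, keys and function names are the example's own.

```python
import struct

# Enctype numbers from the IANA Kerberos registry; the guide's examples use DES (1, 3) and RC4 (23).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _cstr(b):                     # counted octet string: uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT format 0x0502 keytab (big-endian)."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Read a keytab and return what `klist -k` shows (principal, kvno, enctype), never the key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                                   # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):                      # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype), "weak": etype in (1, 3)})
        pos = end
    return entries

def check_service_keytab(data, service_principal, required_enctype=None):
    """True if the keytab holds the module's Service Principal (and the given enctype, if one is required)."""
    hits = [e for e in parse_keytab(data) if e["principal"] == service_principal]
    return bool(hits) and (required_enctype is None or required_enctype in {e["enctype"] for e in hits})

# Constructed sample keytab: what ktadd or ktpass would write for the guide's example service principal.
SPN = "HTTP/openSSOhost.example.com@OPENSSOHOST.EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([(SPN, 4, 23, b"\x11" * 16), (SPN, 4, 3, b"\x22" * 8)])
```

Point parse_keytab at the bytes of a real keytab file to compare its entries against the Service Principal and realm you enter in the module configuration.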

To Synchronize the OpenSSO Enterprise and Kerberos Domain Controller Clocks

Set the clocks on the OpenSSO Enterprise host and on the Kerberos Domain Controller host so that they both display the same time. Without time synchronization, the OpenSSO Enterprise Windows Desktop SSO Authentication module may fail to authenticate to the Kerberos domain.

Configuring the Domain Controller

Depending upon the domain controller you are using, do one of the following:

Configuring DNS Mapping on the Windows Domain Controller

Configuring a Windows XP Workstation to Join the Kerberos Domain Controller Realm

A Windows XP workstation must be configured to work with a UNIX Kerberos Domain Controller or Windows 2003 Domain Controller. You can add the workstation to the Kerberos or Windows Domain Controller when installing Windows XP, or when modifying the network configuration that already exists on the Windows XP workstation.

To Configure a Windows XP Workstation to Join an Active Directory Domain Controller During Installation

  1. Follow the instructions in How to install or upgrade to Windows XP to start the Windows XP Setup wizard.

  2. Follow the onscreen instructions in the Windows XP Setup wizard until you get to the “Workgroup or Computer Domain” window.

    • Enter the Active Directory domain you want the Windows XP workstation to join, then click Next.

    • If the Windows XP Setup wizard cannot find the domain controller for this domain, enter the IP address of the domain controller in the Internet Protocol (TCP/IP) Properties window.

      1. From the Start menu, choose Control Panel. Go to Network and Internet Connections > Network Connections.

      2. Right-click the local area connection that you want to modify, and then click Properties.

      3. On the General tab, in the “This connection uses the following items list,” click Internet Protocol (TCP/IP), and then click Properties.

    For more information, see How to troubleshoot TCP/IP connectivity with Windows XP.

  3. Continue to follow the onscreen instructions in the Windows XP Setup wizard until all steps are completed.

To Create the Windows XP User's Local Account

Before you begin, be sure the user has already been added to the Active Directory domain.

Follow the instructions for creating the user's local account in How to create and configure user accounts in Windows XP.

To Configure an Existing Windows XP Workstation to Join an Active Directory Controller

Follow the instructions in How to change a computer name, join a domain, and add a computer description in Windows XP or in Windows Server 2003.

To Configure an Existing Windows XP Workstation to Join a UNIX Kerberos Domain

Once the host account is added successfully, you can change the network configuration for the Windows XP workstation. You must be logged into Windows XP as an administrator to run the following commands.

  1. Run the kadmin.local command on the UNIX side first to add the host account for the Windows XP workstation.

    Example:


    kadmin.local addprinc -pw password -policy hosts -e des-cbc-crc:normal host/demoxp.openSSOhost.example.com
  2. Run the ksetup command.


    ksetup /SetRealm OPENSSOHOST.EXAMPLE.COM 
    ksetup /AddKDC openSSOhost.example.com
  3. Set the local computer system password.

    This password must match the password you specified when you ran kadmin.local in step 1.


    ksetup /SetComputerPassword password 
  4. Set up user mapping.

    Example:


    ksetup /mapuser * * 

Configuring the Browser

Any client browser used in the intranet must be configured to work with the Kerberos Domain Controller.

To Configure Microsoft Internet Explorer

  1. In the Tools menu, go to Internet Options > Security.

  2. Choose Local Intranet, and then click Sites.

  3. Mark the “Automatically detect intranet network” checkbox, and then click Advanced.

  4. Add the OpenSSO Enterprise URL to the Websites list if the URL is not already on the list.

    Example: http://openSSOhost.example.com

    For pre-6.0 Internet Explorer versions, be sure the Identity Server is in the browser's intranet zone and that native Windows Authentication is enabled. For more information, see Enabling Windows Authentication.

To Configure Mozilla or Firefox

  1. Open the Firefox browser, and enter about:config in the address bar.

    This will display a large number of configuration entries, called Preference Names, for Firefox.

  2. Double-click the Preference Name network.negotiate-auth.trusted-uris.

  3. Enter http://, https://.

To Configure Apple Safari

Safari has built-in native support for Kerberos single sign on and no configuration is needed.

To Configure the OpenSSO Enterprise Windows Desktop SSO Authentication Module

  1. Copy the keytab files you created in the section To Configure a UNIX Kerberos Domain Controller or the section To Configure Windows Active Directory and Domain Controller.

    Place the copied files in the OpenSSO Enterprise host, in a directory such as /etc/opt/SUNWam/config.

  2. Log into the OpenSSO Enterprise administration console as amadmin.

  3. Go to Access Control > Default Realm > Authentication.

  4. In the Module Instances page, click New.

  5. Enter a name for the new login module, and then select Windows Desktop SSO. Click OK.

  6. In the Module Instances page, click the name of the new login module and provide the following information:

    Service Principal: HTTP/openSSOhost.example.com@EXAMPLE.COM

    Keytab File Name: /etc/opt/SUNWam/config/openSSOhost.HTTP.keytab

    Kerberos Realm: OPENSSOHOST.EXAMPLE.COM

    Kerberos Server Name: Kerberos.example.com

    If multiple Kerberos Domain Controllers exist for failover purposes, all Kerberos Domain Controllers can be set using a colon (:) as the separator.

    Return Principal with Domain Name: False

    Authentication Level: 0

  7. Restart the OpenSSO Enterprise server.

    • If OpenSSO Enterprise is deployed on IBM WebSphere, the Keytab File Name has to be specified in FILE:// format. Example: FILE:///etc/opt/SUNWam/config/openSSOhost.HTTP.keytab.

    • If OpenSSO Enterprise is deployed on IBM WebSphere, the keytab file has to use the DES-CBC-MD5 crypto option.

    After restarting the server, the administrator can access the module with a browser pointing to this URL: http://openSSOhost.example.com/amserver/UI/Login?module=WinSSO. The browser should no longer prompt the user for user ID and password.