Auth chain using WDSSO


Auth chain using WDSSO

Josep Maria Comas

Hi everybody,

We're migrating to OpenAM 13.5.

We have an auth chain: WDSSO -> DataStore

We've tested with a machine OUTSIDE the Windows domain configured.

We've got no problem using Chrome, Firefox, Edge.

Using IE, even though we have the server in Local Intranet Sites, it always fails with an Authentication Failed message, even with a correct user + password.

We think the reason is: IE sends an HTTP header Authentication:Negotiate with an NTLM token when it POSTs the user + password login page. It fails at the OpenAM side and hence the Authentication Failed message.

If we delete the server from Local Intranet Sites, then we have an additional authentication dialog box before the login page. But after that, login works flawlessly.

Here's a post by Simon Harding: https://forum.forgerock.com/2016/08/openam-windows-desktop-sso-deep-dive-part-1/, who comments:

UPDATE: That’s not quite always true. The change in OpenAM 13 allows the WDSSO module to fall back to another module if the browser has negotiate support turned off, for example as it is by default in Safari and FireFox. However, this won’t prevent the login dialog (shown above) from appearing if negotiate support is turned on in the browser, as it is by default in IE. I’ll look into this in more detail in my next blog post. Thanks to my colleague Cyril Grosjean for pointing this out.

Maybe this change in OpenAM 13 is responsible for this behaviour? Any clues?

Best,

JM


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
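As an added example (not from the original post, and not OpenAM code), the helper below decodes the token carried in an `Authorization: Negotiate` header and reports whether the browser actually offered a Kerberos mechanism or fell back to NTLM, which is the situation JM describes; confirming this from an HTTP trace or access log is the first check before looking at the keytab, SPNs or DNS. The sample header values are constructed here; the SPNEGO, Kerberos and NTLMSSP OIDs are the standard ones.

```python
"""Tell a Kerberos Negotiate token from an NTLM one in an HTTP Authorization header."""
import base64
# DER-encoded OBJECT IDENTIFIERs (tag 0x06 + length + value) as they appear in SPNEGO
SPNEGO_OID = bytes.fromhex("2b0601050502")                       # 1.3.6.1.5.5.2
KNOWN_MECHS = {
    "kerberos":    bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),       # 1.2.840.48018.1.2.2
    "ntlm":        bytes.fromhex("060a2b06010401823702020a"),     # 1.3.6.1.4.1.311.2.2.10
}

def classify_negotiate_header(header_value: str) -> str:
    """Return 'ntlm-raw', 'spnego-<mech>', 'spnego-unknown', 'not-negotiate' or 'malformed'."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                   # bare NTLMSSP message, no SPNEGO wrapper
    # SPNEGO InitialContextToken: APPLICATION 0 (0x60), SPNEGO OID, then NegTokenInit
    # whose mechTypes lists the mechanisms the client offers, preferred first.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        offsets = {name: token.find(oid) for name, oid in KNOWN_MECHS.items()}
        offered = {name: pos for name, pos in offsets.items() if pos >= 0}
        if not offered:
            return "spnego-unknown"
        return "spnego-" + min(offered, key=offered.get)   # earliest OID = preferred
    return "unknown"

def _spnego_init(mech_oids) -> bytes:
    """Constructed minimal NegTokenInit carrying only mechTypes (short-form DER lengths)."""
    def tlv(tag: int, body: bytes) -> bytes:
        return bytes([tag, len(body)]) + body
    neg_token_init = tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(mech_oids))))
    return tlv(0x60, b"\x06\x06" + SPNEGO_OID + tlv(0xA0, neg_token_init))

# Constructed sample header values; no real tickets or credentials.
SAMPLE_HEADERS = {
    "ie_ntlm_raw":    "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + b"\x00" * 31).decode(),
    "ie_ntlm_spnego": "Negotiate " + base64.b64encode(_spnego_init([KNOWN_MECHS["ntlm"], KNOWN_MECHS["kerberos"]])).decode(),
    "kerberos_ok":    "Negotiate " + base64.b64encode(_spnego_init([KNOWN_MECHS["kerberos"], KNOWN_MECHS["ntlm"]])).decode(),
    "basic_login":    "Basic dXNlcjpwYXNzd29yZA==",
}
if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:16} -> {classify_negotiate_header(value)}")
```

Only a `spnego-kerberos` (or `spnego-ms-kerberos`) result can satisfy a WDSSO/Kerberos module; `ntlm-raw` or `spnego-ntlm` means the client never obtained a service ticket, so the fix lies in the browser, SPN, keytab or DNS configuration rather than in OpenAM.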

Re: Auth chain using WDSSO

Cyril Grosjean-2

There are possibly other reasons why NTLM is chosen, basically when one
of the conditions for Kerberos mentioned in Simon's article is not met:

- since you created the keytab file, did the UPN change or did you add
other SPNs to the same UPN?

- do you have an 'A' type of record in your DNS?



Re: Auth chain using WDSSO

Bernhard Thalmayr
If NTLM is chosen on the browser side, it's totally unrelated to OpenAM.

It's related either to browser, ADFS, KDC or DNS configuration.

-Bernhard

On 30/06/17 at 18:16, Cyril Grosjean wrote:

>
> There are possibly other reasons why NTLM is chosen, basically when one
> of the conditions for Kerberos mentioned in Simon's article is not met:
>
> - since you created the keytab file, did the UPN change or did you add
> other SPNs to the same UPN?
>
> - do you have an 'A' type of record in your DNS?


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr
