Jahia the Java Open Source Web Content Management Community

SSO with Kerberos

Jahia is able to plug-in different authentification policies via HTTP filters and a pipeline of authentification valves. Some filters and valves are provided and can be activated by configration, like for NTLM or the integration of a CAS (Central Authentification Service) server.

We now also provide a filter and valve for integration with SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to negotiate with the client and use either Kerberos or NTLM as fallback. This way a non-interactive login is possible, which takes the user logged in to the operating system running the browser.

Such a secure solution is especially interesting for intranets running with Windows servers. This document  describes how to configure such an environment.

Summary

Prerequisites

JDK 1.5 Update 7 or later (otherwise the Active Directory native encryption (rc4-hmac) won't be supported and you will need to activate Kerberos DES encryption types in the Active Dirtectory on each user account)

Tomcat 6.0.19 or later (otherwise negotiation with the client will not work, when also using custom error pages for 401 errors in web.xml). If your Jahia release is shipped with an older Tomcat, then you will have to manually upgrade to the required version.

If using Windows Server 2008, then at least Service Pack 2 needs to be installed (otherwise only simple Kerberos user logons (e.g. via CAS) work, but checks against a Service Principle Name (SPN) will not work, as this one contains slashes (see Microsoft KB article: 951191)).

For this guide we assume that you are using Windows Active Directory server. If you want to use Kerberos, then all clients and servers need to be joined in the same AD domain. If this requirement is not met, then SPNEGO will fall back to NTLM. It should also be possible to use other directory servers supporting Kerberos and you can take this guide to perhaps get some useful information also relevant for alternative environments.

In the guide all terms in angle brackets <> should be replaced by terms fitting your environment or your choice. Notice also that realm names are case-sensitive and recommended to be used in UPPER CASE. Also with Kerberos you will not be able to use IP addresses or localhost but rather you will have to use the server name (DNS must be properly set up).

Go to summary

Set up the Active Directory

A Service Principal Name (SPN) account needs to be created for the Jahia server. Note that this account can't be used to log in.

  1. Start the Active Directory User and Computers from the Administration Tools menu.
  2. Right click on the Users repository and select New > User
  3. Enter user information (by example <your-spn-account> for user login), press Next.
  4. Enter the <password> and select Password never expires and click on Next and then on Finish.

Now in Windows server 2008 there is an extra step, which is not required in Windows server 2003:

  • In a console enter the command :
    setspn -a http/<your.jahia.server.name> <your-spn-account>
Go to summary

Create the Keytab file

The Keytab file enables a trust link between the Jahia server and the Key Distribution Center (KDC). This file contains a cryptographic key. The ktpass tool, which comes from the Windows Resource Kit, is used to generate this file (in Windows Server 2008 the tool is already part of the product).

In a console, enter the command:

ktpass.exe /out <your-spn-account>.keytab /princ HTTP/<your.jahia.server.name>@<YOUR.AD.REALM> /pass * /mapuser <your-spn-account> /ptype krb5_nt_principal /crypto rc4-hmac-nt

This command will generate the <your-spn-account>.keytab file, which has to be copied to a secret place on the Jahia server, which only the Jahia server application could read.

Go to summary

Create Kerberos configuration file (krb5.conf)

On the Jahia server create the Kerberos configuration file (krb5.conf) and place it somewhere on the Jahia server. In the startup script of the Jahia server you need to add the following parameter to pick up this file:

set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf=<path>\krb5.conf

Here is an example:

<YOUR.REALM> is the same as the domain in caps.

[libdefaults]
    ticket_lifetime = 24000
    default_realm = <YOUR.REALM>
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes   = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    <YOUR.REALM> = {
        kdc = <hostname.of.your.kdc>.<your.domain>
    }

[domain_realm]
    .<your.domain> = <YOUR.REALM>
    <your.domain> = <YOUR.REALM>

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Go to summary

Create JAAS login configuration file (jaas-login.conf)

On the Jahia server create the JAAS login config file (jaas-login.conf) and place it to a secret place accessible for the Jahia server. In the startup script of the Jahia server you need to add the following parameter to pick up this file: 

set JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config=<path>\jaas-login.conf
set JAVA_OPTS=%JAVA_OPTS% -Djavax.security.auth.useSubjectCredsOnly=false

Here is an example of the content:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="<path>/<your-spn-account>.keytab"
    doNotPrompt=true
    useKeyTab=true
    principal="HTTP/<your.jahia.server.name>@<YOUR.REALM>"
    isInitiator=false
    debug=false;
};

Go to summary

Test the SPN account

As it is quite easy to make mistakes in the Kerberos configuration, you should test your configuration with the tools provided by Java, before starting Jahia.

In order to have those tests work, you have to copy your krb5.conf file in your windows system directory and rename it krb5.ini (most often c:\windows\krb5.ini)

Verify that your are able to read the keytab file:

%JAVA_HOME%/bin/klist -k FILE:<path>/<your-spn-account>.keytab

Then verify that your are able to read the keytab file :

%JAVA_HOME%/bin/kinit -k -t FILE:<path>/<your-spn-account>.keytab HTTP/<your.jahia.server.name>@<YOUR.REALM>%JAVA_HOME%/bin/klist
Go to summary

Set up the browser

Internet Explorer (min 5.0.1)

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click on the Advanced tab, click to select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, and then click OK.
  3. Click on the Security tab, click to select Local Intranet then click on Sites, then click on Advanced.
  4. Enter https://<your.jahia.server.name> and validate by clicking on Add and OK.
  5. Restart Internet Explorer.

Firefox (min 0.9)

  1. In Firefox, enter about:config as url and click on Go.
  2. On the line network.negotiate-auth.trusted-uris, right click on Modify and enter https://<your.jahia.server.name>
Go to summary

Configure the HTTP filter and authentication valve in Jahia

In order to activate SPNEGO, you need to make sure that the web.xml file of your Jahia web-application has the following entries active:

    <filter>
        <filter-name>SpnegoHttpFilter</filter-name>
        <filter-class>org.jahia.bin.filters.spnego.SpnegoHttpFilter</filter-class>
    </filter>

and

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Then you also need to edit the WEB-INF\etc\spring\applicationcontext-pipelines.xml file and add the SpnegoAuthValveImpl as the first entry in the authPipeline, like this:

    <bean id="authPipeline" class="org.jahia.pipelines.impl.GenericPipeline">
        <property name="name" value="authPipeline" />
        <property name="valves">
            <list>
                <bean class="org.jahia.params.valves.SpnegoAuthValveImpl" />
                <bean class="org.jahia.params.valves.TokenAuthValveImpl" />
                ...

You also need to configure WEB-INF\etc\spring\applicationcontext-services.xml to connect the users and group LDAP to your active directory, so that the users there will be known to Jahia.

After making these changes, you need to restart the server to make them effective.

Go to summary

Related links

Go to summary

Tip and Tricks

First of all, we recommand you to take a look at blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx for informations about how kerberos works.

This Article shows how to resolve common errors

ERROR [ErrorLoggingFilter] - Unexpected exception occurred

ERROR [SpnegoParser] - Failed to parse: 32
INFO  [SpnegoParser] - [0,APPLICATION_CONSTRUCTED_OBJECT,0x4e] Expected type identifier
INFO  [SpnegoParser] - Expected length 84 mismatch against actual 30
INFO  [SpnegoParser] - [2,OID,0x4c] Expected oid identifier
ERROR [ErrorLoggingFilter] - Unexpected exception occurred
java.lang.NullPointerException

This error means that the kerberos authentification is not done on the client browser.

Resolution :

Check your kerberos configuration with klist and kinit tools.

Look at support.microsoft.com/default.aspx to activate kerberos event loging

KrbException: Clock skew too great (37)

This error occurs when there is more than 5 minutes between kerberos domain controler and jahia server times.

Check time and time zone.

Go to summary