Need help in Single Sign On with multiple REALMs - kerberos

We have implemented Single Sign-On (SSO) using Kerberos in our production environment.
The configuration of our application is as below.
Operating System: Solaris 10
Application Server: WebSphere 7.0.0.11
Things are working fine for the parent domain (MAIL.COM), but users from the child domains (CO.MAIL.COM, BO.MAIL.COM, ...) are unable to log in to the application.
We have the Kerberos configuration file with the child domain details as well. My question is: what changes need to be made in the WAS console (realm-related, domain-related, etc.)?
Thank you very much in advance!

Related

Windows Kerberos application issues and Event 5071

We're experiencing issues with a third-party application running on Windows 2016 that uses Kerberos and SSPI (the Windows Security Support Provider Interface), where the vendor has suggested this could be related to Kerberos authentication failures. The service runs as a domain service account. In the Windows 2016 domain controller security logs we're seeing Event ID 5071 failure audits with the description:
Key access denied by Microsoft key distribution service
This all worked in the past and similar configuration works in other parts of our system (different service accounts, servers, domain controllers). In fact, we have a full hardware level clone of our setup as a test system and the issue doesn't exist there.
There is limited information online that we've been able to find on this particular event. We are in the process of performing all the normal Kerberos advanced troubleshooting so don't need assistance from that angle. We have a ticket open with Microsoft so will post their response here.
Has anyone encountered this event previously and has any insight into the potential cause(s)?

ADFS 4.0 With IWA for Win2019

Calling all Windows Experts :).
After a long time of testing, I was able to get ADFS 4.0 working with a third-party application.
I can successfully navigate to the third-party application, click login, get redirected to my ADFS federation domain and be prompted for login, log in without issues, and then be logged into the third-party site.
I went through various different articles regarding ADFS integrating with IWA, and no matter what configuration changes I have made, I continue to get asked for a login, which I do not want.
Brief walkthrough of my current setup. Note that these are not the real names, but I thought I would make it easier by naming them, to give you an idea of how my settings currently are.
ADCS Server that just hosts a Cert. adcs.dctestdomain.local
Domain Controller that hosts a test domain dc.dctestdomain.local
ADFS server = adfs.dctestdomain.local. Federation server farm is adfs.publicdomain.com
I have followed the following:
https://help.hcltechsw.com/domino/11.0.1/admin/secu_creating_the_spn.html
host/adfs.publicdomain.com dctestdomain.local\SSOTest
spn = http/adfs.publicdomain.com dctestdomain.local\SSOTest
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa
https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
`Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")` (the array must be introduced with `@(`; a `#(` is a PowerShell comment and the cmdlet never receives the list)
https://help.hcltechsw.com/domino/11.0.1/admin/secu_enabling_iwa_adfs30.html
Made the appropriate changes in the adfs server and the VM that is testing the adfs logins
Other things I have done:
nslookup -debug adfs.publicdomain.com shows that there is an A record and not a cname
(Get-AdfsProperties).WiaEvaluationMethod returns: WiaUserAgentDetection
`Get-ADObject -LDAPFilter "(|(servicePrincipalName=http/adfs.publicdomain.com)(servicePrincipalName=host/adfs.publicdomain.com))"` (each attribute comparison and the enclosing `|` need their own closing parenthesis)
Value shown is somewhere along these lines:
`CN=SSOTest,CN=Managed Service Accounts,DC=omitted,DC=omitted SSOTest msDS-GroupManagedServiceAccount`
`Set-AdfsProperties -ExtendedProtectionTokenCheck None`
Set the farm FQDN in the Local intranet zone and selected "Automatic logon with current user name and password" (also tried "Automatic logon only in Intranet zone"); neither works.
Set "Automatically detect intranet network".
Set the public domain name in the Trusted sites zone with the same settings, for testing purposes.
There is no load balancer
Every time I get redirected from the third-party site, I still have to log in to ADFS. Does anyone know what the problem may be? For security reasons I did not provide real domains or account names, but I think I have provided the best possible info. If you need more, please let me know. Any help would be greatly appreciated.
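The post lists the settings that were changed but not how to observe which of them is actually stopping the browser from doing Kerberos. The checklist below is an added diagnostic script, not the poster's code and not from any of the linked articles; it reuses the placeholder names from the post (farm adfs.publicdomain.com, gMSA dctestdomain.local\SSOTest). The first half runs elevated on the AD FS server, the second on the test VM as the domain user whose browser keeps landing on the forms page.

```powershell
# Added diagnostic checklist (not the poster's code). Names are the post's placeholders.
$Farm = 'adfs.publicdomain.com'
$Spn  = "http/$Farm"

# ---- on the AD FS server ------------------------------------------------------
# 1. The SPN must exist on exactly one account (the gMSA). setspn -Q lists every
#    holder; setspn -X reports forest-wide duplicates. A missing or duplicated SPN is
#    the classic reason Negotiate quietly degrades to NTLM or to the forms page.
setspn -Q $Spn
setspn -X

# 2. Is Windows Authentication actually an enabled intranet provider? If it is not,
#    the user-agent list and the zone settings never come into play.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider

# 3. The WIA knobs the post already touched, in one view.
Get-AdfsProperties | Select-Object WiaEvaluationMethod, ExtendedProtectionTokenCheck, WIASupportedUserAgents

# 4. Set-AdfsProperties changes take effect only after the service restarts.
#    (Uncomment after changing any of the above.)
# Restart-Service adfssrv

# 5. After a test logon from the VM: did the browser do Kerberos, NTLM, or nothing?
#    A network logon (type 3) with "Authentication Package: Kerberos" means WIA worked
#    end to end; NTLM points at the SPN/DNS side; no 4624 at all means the browser
#    never sent Negotiate (user agent not matched, or host not in the intranet zone).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'Logon Type:\s+3' } |
    ForEach-Object {
        ($_.Message -split "`n" | Where-Object { $_ -match 'Account Name|Authentication Package' }) -join ' | '
    }
# AD FS's own log is where a Kerberos token that failed validation shows up.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 20 | Format-List TimeCreated, Id, Message

# ---- on the test VM, as the domain user ---------------------------------------
# 6. The name must resolve via an A record; a CNAME makes the browser ask the KDC for
#    the target host's SPN instead of http/adfs.publicdomain.com.
Resolve-DnsName -Name $Farm -Type A

# 7. Can this user get a service ticket for the SPN at all? KDC_ERR_S_PRINCIPAL_UNKNOWN
#    here proves the problem is in AD (SPN), not in the browser.
klist purge | Out-Null
klist get $Spn

# 8. Is the farm host in the Local intranet zone for this user? A value of 1 under the
#    matching ZoneMap\Domains entry means Local intranet, 2 means Trusted sites.
#    Entries pushed by the "Site to Zone Assignment List" policy live under
#    HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey.
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSPath -like '*publicdomain.com*' } |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath }
```

Read the results in the order given: steps 1, 6 and 7 decide whether Kerberos can work at all for that name, steps 2 and 3 whether AD FS will offer Negotiate, and step 5 tells you which side actually failed on a live attempt.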

SSO with keycloak

We are considering using Keycloak as our SSO framework.
According to the Keycloak documentation for multi-tenancy support, the application server should hold all the keycloak.json authentication files, and the way to acquire those files is from the Keycloak admin console. Is there a way to get them dynamically via an API, or at least to get the realm public key? We would like to avoid manually adding this file for each realm to the application server (to avoid downtime, etc.).
Another multi-tenancy related question: according to the documentation, the same clients should be created for each realm. So if I have 100 realms and 10 clients, I should define the same 10 clients 100 times? Is there an alternative?
One of our flows is a backend micro-service that should be authenticated against an application (defined as a Keycloak client). We would like to avoid keeping a username/password on the server for security reasons. Is there a way for an admin to acquire a token and place it manually on the server file system for that micro-service? Is there an option to generate this token in the Keycloak UI?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.
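The answer above points at the admin REST API and the realm descriptor but does not show either call. The script below is an added example, not from the question, the answer or the Keycloak project. It assumes a Keycloak server at http://localhost:8080 with the /auth path prefix used by the versions discussed here (Keycloak 17 and later dropped /auth), an admin user in the master realm, the admin-cli public client that ships with Keycloak, and the hypothetical realm names tenant1..tenant100 and client IDs web-portal and billing-service.

```powershell
# Added example (not from the post or Keycloak). Assumes Keycloak < 17 layout with /auth.
$Base  = 'http://localhost:8080'
$Admin = Get-Credential -Message 'Keycloak master realm admin'

# 1. Admin access token: resource-owner password grant against the master realm.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "$Base/auth/realms/master/protocol/openid-connect/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ grant_type = 'password'; client_id = 'admin-cli'
             username   = $Admin.UserName
             password   = $Admin.GetNetworkCredential().Password }
$Headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. The same client definitions (ClientRepresentation JSON) registered once per realm.
$Realms  = 1..100 | ForEach-Object { "tenant$_" }          # hypothetical realm names
$Clients = @(
    @{ clientId = 'web-portal'; protocol = 'openid-connect'; publicClient = $false
       standardFlowEnabled = $true; directAccessGrantsEnabled = $false
       redirectUris = @('https://portal.example.com/*') }
    @{ clientId = 'billing-service'; protocol = 'openid-connect'; publicClient = $false
       serviceAccountsEnabled = $true; standardFlowEnabled = $false }
)
foreach ($realm in $Realms) {
    foreach ($c in $Clients) {
        try {
            Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/json' `
                -Uri "$Base/auth/admin/realms/$realm/clients" -Body ($c | ConvertTo-Json) | Out-Null
            "created $($c.clientId) in $realm"
        } catch {
            # 409 Conflict = the client already exists in that realm; anything else is a real failure.
            if ($_.Exception.Response.StatusCode.value__ -ne 409) { throw }
            "exists  $($c.clientId) in $realm"
        }
    }
}

# 3. Realm public key from the unauthenticated realm descriptor, wrapped as PEM so a
#    resource server can verify token signatures without a keycloak.json on disk.
function Get-RealmPublicKeyPem([string]$Realm) {
    $info = Invoke-RestMethod -Uri "$Base/auth/realms/$Realm"
    $b64  = $info.public_key                     # base64 SubjectPublicKeyInfo, no PEM armour
    [void][Convert]::FromBase64String($b64)      # fail loudly on garbage before writing it out
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    (@('-----BEGIN PUBLIC KEY-----') + $lines + '-----END PUBLIC KEY-----') -join "`n"
}
Get-RealmPublicKeyPem 'tenant1'
```

The admin token from step 1 is short-lived and only as safe as the credential used to obtain it, so run this from an operator workstation rather than baking it into the application server. The same applies to the offline token suggested above for the micro-service: whatever file it is placed in is a bearer credential and needs the same file permissions you would give a password.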

How do I force the use of Windows authentication on only part of a web site?

I am building a site using ASP.NET MVC 2. The site itself needs to be public but the admin section should require a windows login and the user logging in needs to have local admin privileges on the server.
i.e. http://server/site should be open, but http://server/site/admin should force an admin login before proceeding.
Can this be done in code or by tweaking the web.config file? If necessary, making configuration changes to IIS is acceptable but I am trying to keep deployment steps down to a minimum.
I don't know if you can do this in web.config, or even if it's possible via IIS in an MVC application (since /site/admin won't exist on the file system), but it is possible to have different permissions for different folders under IIS. You will need to use the IIS manager to configure this.
You may also be able to use an AuthorizeAttribute on your admin controller.
This turned out to be fairly straightforward:
Enable Windows Authentication in IIS.
Enable Windows Authentication in web.config.
Decorate each action that needs to be secure with [Authorize(Roles = "Admin")].
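The three steps above, scripted, as an added example that is not from the answer. It assumes the MVC app is deployed as application `site` under `Default Web Site`, that the IIS Windows Authentication role service is installed, and that it runs elevated on the web server. The point worth seeing in code is that anonymous authentication stays enabled: the public part of the site keeps working, and IIS turns the 401 that `[Authorize]` produces on the admin actions into a Negotiate challenge.

```powershell
# Added example (not the answer's code). Site and application names are assumptions.
Import-Module WebAdministration
$Location = 'Default Web Site/site'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

# IIS side: both providers on. Anonymous keeps /site public; Windows auth lets IIS
# answer the 401 from [Authorize] on /site/admin with WWW-Authenticate: Negotiate.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true

# web.config side: <authentication mode="Windows"/>, so User.Identity is the Windows identity
# and Roles in [Authorize] are checked as Windows group memberships.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Location" `
    -Filter 'system.web/authentication' -Name mode -Value 'Windows'

# Verify what IIS will actually do for this application.
foreach ($provider in 'anonymousAuthentication', 'windowsAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "system.webServer/security/authentication/$provider" -Name enabled
    "$provider enabled = $($v.Value)"
}
(Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Location" -Filter 'system.web/authentication' -Name mode)
```

With Windows authentication the `Roles` value in the attribute is a Windows group name, so "local admin privileges on the server" is `[Authorize(Roles = @"BUILTIN\Administrators")]`; a role literally named `Admin` would only match a group called Admin. Note also that for a local (non-domain) account the network logon token is UAC-filtered by default, so its Administrators membership may not be visible to the role check.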

Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?

I'm in the process of pulling a classic ASP app into MVC 2. I'll be deploying to an intranet and have been asked to enable support for Windows Authentication. The network I'll be deploying to has a few AD domains and I'll only need to integrate with one in particular. Is it possible to use Windows Authentication and only allow authentication within a particular domain?
Along those same lines, it's not uncommon for a user to have an account in multiple domains (the account names themselves are typically different) - in the event a user logs in with an "unsupported" domain I'd like to kick them to a login form. Is this possible simply using Windows Auth or am I better off looking for an alternative?
Pro Tip:
Whatever you do don't implement Windows Authentication via IIS. Have a Forms Authentication page in your MVC app but use the LDAP authentication provider. This way you avoid the differences between how browsers implement Windows Authentication (only works well in IE and that's not a great reason).
The question "Is it possible to use Windows Authentication and only allow authentication within a particular domain?" has always had one and only one answer in my consulting experience: the answer is the permissions that you set for authenticated resources.
I've rarely found a deployment where there isn't some file, folder, server, COM+ object, SQL role or database table that can be "locked down" to only allow access by the subset of users you're targeting (e.g. "DOMAIN\Domain Users"):
Set permissions on the ASPX files (or the folder containing them, along with inheriting to the files) that are the "front door" (and optionally, all the others) so that they're only accessible to users in the "Domain Users" group for the allowed domain
restrict logon rights on the server that hosts the web site, so that only the Domain Users group have the appropriate rights - depending on the authentication provider used, this could be "allow logon locally" or "access this computer from the network"
set permissions at some layer of Component Services
restrict the SQL Server roles so that only "Domain Users" have the ability to read & execute the necessary database objects
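The first item in that list, locking the pages' folder to one domain's users, as an added example that is not from the answer. It assumes the classic ASP pages live under C:\inetpub\wwwroot\site, that the allowed domain is MAIL, and that the application pool runs as a domain service account MAIL\svc-site that also needs read access. The part people forget is breaking inheritance: the inherited `BUILTIN\Users` and `Authenticated Users` entries are what let accounts from the other domains through, so they have to go, not just be supplemented.

```powershell
# Added example (not the answer's code). Paths, domain and account names are assumptions.
$Path    = 'C:\inetpub\wwwroot\site'
$Allowed = 'MAIL\Domain Users'      # only users of this domain may reach the "front door"
$AppPool = 'MAIL\svc-site'          # identity the site itself runs as

$acl = Get-Acl -Path $Path

# Stop inheriting from wwwroot and discard the inherited rules (Users, Authenticated
# Users, ...). Without this, every domain in the forest still gets in.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', $inherit, $prop, 'Allow'))
}
foreach ($id in $Allowed, $AppPool) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'ReadAndExecute', $inherit, $prop, 'Allow'))
}
Set-Acl -Path $Path -AclObject $acl

# Verify: nothing inherited is left and only the intended principals remain.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

A user from another domain who authenticates successfully now gets a 401/403 from IIS on the locked folder, which is the "kick them out" behaviour the question asks for, done by the file system rather than by the application. The "access this computer from the network" user right mentioned above is a separate control set through Local Security Policy or Group Policy, not through the folder ACL.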