I'm following this post http://blog.springsource.com/2009/09/28/spring-security-kerberos/ to set up a service principal on a local server, which I'll be using to test the Spring Security integration with Active Directory. The server has Tomcat running, where I deploy my application, and I access it at http://localhost:8080/myapp
Question
What should be my service provider name?
The article says:
For this to work, every web applications needs to be registered at the
Kerberos server and gets a service principal and a shared secret
assigned. For web applications, the service principal must be
"HTTP/@DOMAIN". For example
"HTTP/web.springsource.com@SPRINGSOURCE.COM", if your app runs on
web.springsource.com.
Since I'm running on localhost I guess it will be HTTP/localhost@.... What do I put in place of @SPRINGSOURCE.COM?
To get Kerberos working, you should configure DNS and an AD server in your network. The application server and the client machines must use the DNS, and the client machines must use AD authentication. Using the name "localhost" is NOT permissible. The application server may not be in the domain.
Suppose all machines are in the domain; then all you need is:
Assign the application server a DNS name, e.g. appserver (appserver.yourdomain.local)
Add the DNS name of your application server to the direct and reverse zones of the DNS server. (link)
Create a simple user in the domain and set the options "not change password" and "Password never expires is limited" (e.g. username myUser)
On the domain controller, open a command prompt and run the following commands:
C:\>setspn -A HTTP/appserver myUser
C:\>setspn -A HTTP/appserver.yourdomain.local myUser
Check that it is correct:
C:\>setspn -l myUser (if it displays what you entered previously, then everything is OK)
Next, create a key file:
C:\>ktpass /out C:/myUser.keytab /mapuser myUser@YOURDOMAIN.LOCAL /princ HTTP/appserver.yourdomain.local@YOURDOMAIN.LOCAL /pass +rndPass /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0
That's it. Now you can use the file myUser.keytab and the principal name HTTP/appserver.yourdomain.local in your web application.
May be useful in the future:
Blank page after user cancels basic authentication
Combine custom authentication filter with spring-security-kerberos
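An added example, not part of the original answer: a Python check that reads a keytab in the MIT file format (version 0x0502), confirms it holds the principal the web application will be configured with, and flags keys whose encryption type is deprecated for Kerberos (RFC 6649, RFC 8429), as RC4-HMAC is. The sample keytab is constructed inline with an all-zero dummy key; that the file written by ktpass uses this format is an assumption of the example.

```python
import struct

# Deprecated Kerberos enctypes (RFC 6649 for DES, RFC 8429 for 3DES and RC4).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def _counted(buf, pos):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return one dict per key entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            s, p = _counted(data, p)
            names.append(s)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen             # 13 header bytes, then the key itself
        if end - p >= 4:           # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno, "etype": etype})
        pos = end
    return entries

def audit_keytab(data, expected):
    """List problems: expected principal absent, or keys with weak enctypes."""
    entries = parse_keytab(data)
    findings = [] if any(e["principal"] == expected for e in entries) else ["missing principal " + expected]
    for e in entries:
        if e["etype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} kvno {e['kvno']}: weak enctype {WEAK_ENCTYPES[e['etype']]}")
    return findings

def sample_keytab():
    """Constructed sample: the answer's principal, kvno 0, RC4 (23), all-zero dummy key."""
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = struct.pack(">H", 2) + cs(b"YOURDOMAIN.LOCAL") + cs(b"HTTP") + cs(b"appserver.yourdomain.local")
    body += struct.pack(">IIBHH", 1, 0, 0, 23, 16) + bytes(16) + struct.pack(">I", 0)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass its bytes (read with `open(path, "rb").read()`) to `audit_keytab` together with the principal configured in the application.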
Related
I can access the reporting service at http://hostname/reports
Because I want to implement an SSL certificate, I need to configure SSRS to work with the FQDN,
so in Reporting Server Configuration Manager I set the Host Header name for the Web Portal URL, and the same for the Web Service URL.
Then I configured the service account (under which SSRS is running) as per https://blog.andycook.com/sql/2019/11/13/ssrs-fqdn/
When trying to log in with the service account I get a credentials pop-up, and after entering credentials I then get:
to http://host.example.com/reports
Edit:
After adding the service account to the local admin group and then using that account, I can see all reports. When logging in as another user who's not a local admin, I cannot see reports.
Solved it: once I logged in with the service account (which I added to the local admin group), I just clicked home-manage security and added users.
We have the infamous Kerberos double hop issue.
This is a brand new domain, being migrated from another provider where impersonation and delegation were previously working. We have upgraded the OSes and moved to the latest SQL Server (2017).
WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)
The web service is running under a domain account. The web service has an SPN registered, Anonymous Auth is disabled as is Forms Auth, and ASP.NET Impersonation and Windows Auth are enabled. Providers are "Negotiate and NTLM," "Kernel Mode" is disabled, "Use App Pool credentials" is enabled. SPN created:
HTTP/<url of web service> <AppPool Creds>
We are able to login to the web service via a browser on a remote computer, enter domain credentials and have the expected response (web page displayed). IIS Log shows domain user creds as expected.
The SQL server is a named instance, running under domain creds. SPNs created:
MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>
MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>
The IIS App Pool user account in AD is setup for constrained delegation to the SQL server for both the port and the named instance.
When logging in through software to web service (WPF calling WCF Service with no database call), a normal response is seen.
When logging in through software to the web service with a database call, SQL Profiler shows Anonymous Logon. With Kerberos logging enabled on the IIS box, the following error is received:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000225 KLIN(0)
Server Name: MSSQLSvc/<sql server fqdn>:49942
Target Name: MSSQLSvc/<sql server fqdn>:49942@<domain.com>
We also tried unconstrained delegation, but received same result.
SETSPN -X shows no duplicates.
Thank you in advance for your help!
When all else fails, and you've literally spent days and days working on the problem and reading every article on the Internet:
REBOOT
Yup. That was the fix. Rebooting the IIS server, which was the server delegating the permissions, fixed the issue.
For those looking to quickly and easily set up constrained delegation between IIS and an instance of SQL, both running under custom domain creds, set your settings exactly as above and reboot.
Best wishes.
We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
On SvrWeb, we have a specific, non-default website set up for this application, so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com, which resolves to SvrWeb, and the host headers resolve to the correct website.
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're set up to allow delegation on this account and to allow it to impersonate another login, which we want it to do (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account).
We also set up the SPNs for the SrvWeb_iis account via the following command:
setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
The website pulls up, but the section of the website that makes the call to the database returns the message:
Cannot execute database query.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not Kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Any ideas or articles that cover this setup in detail would be extremely appreciated!
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
There are several possible reasons for Kerberos failures, which include a lack of SPN and a duplicate SPN as well.
If SQL is running under a custom account you would need to add an SPN for SQL as well.
Also keep in mind, you should be adding the SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
Try DelegConfig, which would show what is missing, whether it's the SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887
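An added example, not part of the original answer: a Python audit that applies the checks named above to a set of SPN registrations, reporting duplicate SPNs and required SPNs that are missing for the host (A) name behind an alias. The registrations, the CNAME record, the duplicate on the machine account, the SQL service account SvrSQL_svc and port 1433 are constructed assumptions; real input would come from `setspn -L` and DNS.

```python
def canonical_host(name, cnames):
    """Follow CNAME records until the host (A) name is reached."""
    name, seen = name.lower(), set()
    while name in cnames:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = cnames[name].lower()
    return name

def spn_owners(registrations):
    """Map each SPN, compared case-insensitively, to the accounts holding it."""
    owners = {}
    for account, spns in registrations.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return owners

def audit_spns(registrations, cnames, required):
    """required: (service class, name clients use, port or None, expected account)."""
    owners = spn_owners(registrations)
    findings = [f"duplicate SPN {spn}: {sorted(accts)}"
                for spn, accts in sorted(owners.items()) if len(accts) > 1]
    for svc, host, port, account in required:
        spn = f"{svc}/{canonical_host(host, cnames)}" + (f":{port}" if port else "")
        held = owners.get(spn.lower(), set())
        if not held:
            findings.append(f"missing SPN {spn} (expected on {account})")
        elif account not in held:
            findings.append(f"SPN {spn} is held by {sorted(held)}, not {account}")
    return findings

# Constructed sample data modelled on the question above (all values are assumptions).
CNAMES = {"application.company.com": "srvweb.company.com"}
REGISTRATIONS = {
    "SrvWeb_iis": ["HTTP/SrvWeb.company.com"],
    "SRVWEB$": ["http/srvweb.company.com"],   # same SPN left on the machine account
    "SvrSQL_svc": [],                         # SQL service account with no SPN yet
}
REQUIRED = [
    ("HTTP", "application.company.com", None, "SrvWeb_iis"),
    ("MSSQLSvc", "SvrSQL.company.com", 1433, "SvrSQL_svc"),
]

def sample_findings():
    return audit_spns(REGISTRATIONS, CNAMES, REQUIRED)
```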
I am accessing my server through remote desktop connection and have configured a webservice in IIS. I am able to see the methods but when I click on the button to "Invoke" I get the following error:
System.Data.SqlClient.SqlException: Login failed for user 'SOLDev\Server02$'.
at ShareWare.Web.Service.WebAPI.Reservation.GetInfo()
Why is it taking the machine name as the user?
My Windows authentication user is User1Dev.
Also my directory security in IIS is setup as follows:
Option "Enable anonymous access" -- it's disabled
Option "Integrated Windows Authentication" -- checked off
I am using .NET framework 2.0
Your web service connects to the SQL using Windows authentication as the principal running the service. In this case it appears to be BUILTIN\System or BUILTIN\Network Service, both of which authenticate in the domain as the machine account, i.e. 'SOLDEV\Server02$', which corresponds to a machine named Server02 in the domain SOLDEV.
If you wish to authenticate on the SQL Server with your own login, then the IIS must flow the authentication information, in a process called Constrained Delegation. See Configuring Constrained Delegation for Kerberos (IIS 6.0) or How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
If you want the web service to authenticate to SQL Server as itself, then you must grant login permission to the web service principal on SQL: CREATE LOGIN [SOLDEV\Server02$] FROM WINDOWS.
It's because the web service is running as the Network Service id, not as the logged in user. You probably also need to have <identity impersonate="true" /> in your web config if you are planning to use the user's credentials to connect to SQL Server.
I am running a Java application as a service in Windows that's using JDBC to connect to SQL Server. This application is started as a different user than the one logged into the machine. My question is: will the JDBC driver use the user assigned to start the service to authenticate against, or the logged in user (which there might not be one)?
Thanks
You can change logged in users all you want; the service will keep running in the background under the account that it was initially started under.
If the connection is set to use Integrated Security, then the account that the service is started under will be the one that is used.
The service will connect using whatever user the service is running under (as visible in the service control manager).
Your service application is configured to always run as a particular user, for example "Service_User".
Even if user "Bob" logs in to start the service - all connections/files made by that service will appear to be from user "Service_User".
In your service application you make a JDBC connection to a database. If you specify Integrated Security in the connection string, it will log in to the database as "Service_User".
If you specify a Database username / password in your connection string, it will log into the database as that user.
That will happen regardless of the interactive login used to start it on the system.