Attached files:

  • org.springframework.security.kerberos.core_1.0.2.20170919.jar
  • org.springframework.security.kerberos.web_1.0.2.20170919.jar

This guide will help you set up basic single sign-on authentication with Kerberos and SPNEGO using Spring Security under Weave. In our tests, we used Windows Server 2016 as our Domain Controller and Weave server, and Windows 10 as our clients.

...

Setting up Windows Domain controller

In this example we use the DNS domain example.org and Windows Domain EXAMPLE. We have also created a weave domain user which is used to perform the authentication from the Weave server to the Domain Controller.


Add a Service Principal Name (SPN) on the Windows Domain Controller. It needs to be set up with HTTP and the name of the server where the Weave instance runs. The SPN is associated with the weave domain user, and that user's keytab is then used as the service credential.

To add the SPN, open the command line tool and run the following command:

C:\> setspn -A HTTP/example.org weave

...

Setting up security.xml in Weave

Info: Plugins

There are two plugins related to Kerberos that need to be added to Weave in order for the following configuration to work. The plugins are attached to this page.


Example configuration using SPNEGO and user.properties as User Detail Service.

...

  • Client and server must not be run on the same machine. The client will send NTLM authentication to the server, which will invalidate the request.
  • The server must be accessed using its Fully Qualified Name (FQN) in order for authentication to be applied. An IP address, for example, cannot be used.
  • For single sign-on to be enabled, complete the following steps to ensure that your Internet Explorer browser is enabled to perform SPNEGO authentication:
    • Click Tools > Internet Options > Security tab
    • In the Local intranet section, make sure your server is trusted, e.g. by adding it to the list.
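
The notes above can be checked from a single captured request. The following is an added troubleshooting example, not code from this page, Weave or Spring Security: it classifies the token in the Authorization header (NTLM versus SPNEGO/Kerberos) and flags a Host header that is an IP address. The function names, the finding labels and the host name weave.example.org are assumptions made for the example.

```python
import base64
import ipaddress

NTLMSSP = b"NTLMSSP\x00"                            # signature that opens every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)

def classify_token(authorization):
    """Classify an Authorization header value: none, ntlm, spnego, kerberos or unknown."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "none"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(NTLMSSP):
        return "ntlm"
    if raw[:1] == b"\x60":             # GSS-API token: tag 0x60, DER length, mechanism OID
        if SPNEGO_OID in raw[:20]:
            return "spnego"
        if KRB5_OID in raw[:20]:
            return "kerberos"
    return "unknown"

def host_is_ip(host_header):
    """True when the Host header carries an IP literal instead of a name."""
    host = host_header.strip()
    if host.startswith("["):           # bracketed IPv6 literal, optional :port after it
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:         # name-or-IPv4:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(headers):
    """Map one request's headers onto the notes above; an empty list means no finding."""
    findings = []
    if host_is_ip(headers.get("Host", "")):
        findings.append("host-is-ip")          # server was not accessed by its FQN
    kind = classify_token(headers.get("Authorization", ""))
    if kind == "ntlm":
        findings.append("ntlm-token")          # client sent NTLM instead of Kerberos
    elif kind == "none":
        findings.append("no-negotiate-token")  # browser did not attempt SPNEGO
    return findings

# Constructed samples (not captured traffic): token headers only, padded with zero bytes.
NTLM_HDR = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + bytes(8)).decode()
SPNEGO_HDR = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00" + SPNEGO_OID + bytes(8)).decode()
```

A "no-negotiate-token" finding on a request that follows the server's 401 challenge usually points at the browser zone setting described in the last note.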