Tags: java, ldap, kerberos, windows-authentication, spnego

Windows integrated authentication for Java web application SSO

Background: I currently have a Java web application which is run on localhost on my Mac. Users can log in to the web application, and their credentials are validated against an OpenLDAP server which is run on a certain port on my local machine as well (specifically using this docker image). The web application includes code which interacts with the LDAP server to provide the login username and password. Upon successful validation, the users are logged in and can continue to use the features of the app.

Problem: This web application will be deployed to clients who will be using Windows. They are requesting SSO capabilities, i.e. successful login to their Windows machines under their domain bypasses the need for logging in to the web application when they run it. The clients cannot have some other Java application running on their machine which will help with SSO; simply logging into their Windows machine should bypass the need for logging into the web application, which means Windows needs to be configured a certain way, and the web application needs to be configured a certain way for SSO. For testing purposes, I am using a Windows 7 virtual machine which is run on the same machine that I am running and testing the web application on.

I've done research on SPNEGO, Java GSS API (looks like it needs client side code to communicate with server), Kerberos, Windows IIS etc. I know how to enable Windows integrated authentication in Windows, but I don't know how to actually use this with my web application to enable SSO. Basically, I am still struggling on how to implement SSO capabilities in my specific case under these circumstances. Here are some specific questions:

  1. Can browsers be configured to send encrypted Windows credentials of the machine they are running on to the web application, which can then be decrypted by the web application and authenticated against LDAP? If so, how does this work?
  2. Can the Windows login credentials be configured to point to an LDAP server that validates them?
  3. Overall, how can I integrate single sign on for a web application running on a Windows machine, where the web application is configured to authenticate credentials through an LDAP server?

Solution

  • Windows SSO is based on Kerberos, not on LDAP. The reason why people usually mix them up is that Microsoft Active Directory acts as both LDAP server and Kerberos server.

    If you need transparent authentication (SSO) for your Windows users you have to implement Kerberos authentication.

    The way Kerberos is implemented for web applications is called SPNEGO.

    You need to do the following:

    1. Create a service account in Active Directory for your server, say REALM\svc_server.
    2. Create an SPN for your server which will bind the domain name of your server to this service account. If your server is running on https://server.acme.com it should be HTTP/server.acme.com.
    3. If a Windows user is logged into domain REALM and goes to https://server.acme.com, the browser will look up an SPN based on the name HTTP/server.acme.com, request a Kerberos ticket from Active Directory and send it to the server in an Authorization header as per the SPNEGO specification.
    4. Now you just need to validate this ticket using the built-in Java Kerberos API or using some third-party library (kerb4j, spring-security-kerberos, etc.).

    As you can see, LDAP is not involved in this authentication flow (although it can be used for authorization as a next step).
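An added example of step 4 from the answer above, written for this page rather than taken from the question, the answer or any library: a servlet filter that challenges the browser with Negotiate and validates the returned Kerberos ticket with the built-in JGSS API. It assumes the Servlet 4.0 API (javax.servlet), a working krb5.conf, and a JAAS login entry named SpnegoServer (hypothetical) that loads the HTTP/server.acme.com@REALM service account's keys from a keytab.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

// Assumes a JAAS entry named "SpnegoServer" (hypothetical) using Krb5LoginModule with
// useKeyTab=true storeKey=true principal="HTTP/server.acme.com@REALM" and a valid keytab.
public class SpnegoFilter implements Filter {
    private static final String NTLM_TYPE1_PREFIX = "TlRMTVNTUAAB"; // base64 of "NTLMSSP\0\1"
    private Subject serviceSubject;
    @Override public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("SpnegoServer");
            lc.login();                         // loads the service account's keys from the keytab
            serviceSubject = lc.getSubject();
        } catch (Exception e) { throw new ServletException("Kerberos service login failed", e); }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String auth = http.getHeader("Authorization");
        // Step 3 of the answer: no ticket yet, so challenge the browser; an NTLM type-1 message
        // is refused too, so only a Kerberos ticket for HTTP/server.acme.com is accepted.
        if (auth == null || !auth.startsWith("Negotiate ") || auth.startsWith("Negotiate " + NTLM_TYPE1_PREFIX)) {
            out.setHeader("WWW-Authenticate", "Negotiate");
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            byte[] token = Base64.getDecoder().decode(auth.substring(10).trim());
            // Step 4: accept the ticket under the service account's Subject so JGSS uses its keys.
            String principal = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<String>) () -> {
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                try {
                    ctx.acceptSecContext(token, 0, token.length);
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally { ctx.dispose(); }
            });
            if (principal == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            http.setAttribute("kerberosPrincipal", principal); // e.g. jdoe@REALM, usable for LDAP lookups
            chain.doFilter(req, res);
        } catch (Exception e) {                 // bad base64, forged/expired ticket, wrong SPN
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

The authenticated principal set on the request is the Kerberos name, so the existing LDAP code can be kept for group or attribute lookups (the authorization step the answer mentions) instead of password validation.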