Kerberos authentication support and use case for Embedded Entitlements Manager

Document ID : KB000029816
Last Modified Date : 14/02/2018

NOTE: This document assumes the administrator has already configured Kerberos between the Linux and Active Directory machines.

Kerberos Protocol

The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

The Kerberos authentication protocol provides a mechanism for mutual authentication between entities before a secure network connection is established. Throughout this documentation, the two entities are called the client and the server even though secure network connections can be made between servers. Both client and server can also be referred to as security principals.

 

Kerberos Authentication benefits

The Kerberos protocol provides strong mutual authentication, after which both client and server trust each other. In addition, Kerberos provides these key features:

  1. Mutual authentication
  2. Delegated authentication
  3. Interoperability
  4. Efficient use of the authentication server

These features make Kerberos a strong contender for Single Sign-On, even on open networks.

EEM – Kerberos support

EEM already supports Windows Kerberos authentication for Windows machines that are members of an Active Directory domain (configuration and support of that scenario are not discussed here). Kerberos support in EEM has been extended to enable Kerberos authentication on a Linux node (registered as a computer in Active Directory).

EEM follows Kerberos v5 for authentication and uses the standard Service Principal Name (SPN) based approach to identify services and service providers.

 

Kerberos Use-Case

The current EEM solution addresses the use case below, where the service provider (for example a web server) resides on a Linux host and protects its pages using Kerberos authentication. Authentication is performed using a Kerberos digest in the following steps:

  1. The user tries to access a resource from the Web Application, which is protected using Kerberos authentication.
  2. The Web Application challenges the browser (client) to negotiate with a Kerberos digest.
  3. The browser fetches the Kerberos digest from Active Directory (this negotiation is internal to the Windows client and Active Directory) and sends it to the Web Application.
  4. The Web Application forwards the digest to the EEM server for verification using the authenticateWithDigest API.
  5. The EEM server validates the digest; if the digest is valid, it creates a session for the user.
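
As an added illustration of steps 2 to 4 (example code, not part of this document or of EEM), the Python below shows what a Linux-hosted web application can check on the browser's Authorization header before handing the digest to authenticateWithDigest: it answers with the Negotiate challenge when no token is present, recognises the raw NTLM blob a browser sends when it could not obtain a ticket (typically an SPN or DNS problem from the prerequisite list), and only accepts well-formed GSS-API tokens carrying the SPNEGO or Kerberos V5 mechanism OID. The function name, return values and sample tokens are constructed for this example; it does not call EEM.

```python
import base64
# Mechanism OIDs a Kerberos-only endpoint accepts (RFC 4178 SPNEGO, RFC 4121 Kerberos V5).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
def _der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, index of the next byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(raw):
    """Decode DER OID content bytes (first byte = 40*a+b, then base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    if val:
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))

def inspect_negotiate(authorization):
    """Classify the browser's Authorization header before its digest is sent to EEM. Returns
    ("challenge", None), ("ntlm_fallback", None), ("invalid", reason) or ("verify", oid, digest)."""
    scheme, _, b64 = (authorization or "").strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return ("challenge", None)          # step 2: answer 401 with WWW-Authenticate: Negotiate
    try:
        tok = base64.b64decode(b64, validate=True)   # raises ValueError (binascii.Error) if malformed
        if tok.startswith(b"NTLMSSP\x00"):  # browser got no ticket (SPN/DNS/zone issue), fell back
            return ("ntlm_fallback", None)
        if not tok or tok[0] != 0x60:       # GSS-API InitialContextToken tag (RFC 2743 3.1)
            raise ValueError("not a GSS-API initial context token")
        total, i = _der_length(tok, 1)
        if total != len(tok) - i or tok[i] != 0x06:
            raise ValueError("bad token length or missing mechanism OID")
        oid_len, j = _der_length(tok, i + 1)
        oid = _decode_oid(tok[j:j + oid_len])
    except (ValueError, IndexError) as exc:
        return ("invalid", str(exc))
    if oid not in (SPNEGO_OID, KRB5_OID):
        return ("invalid", "unsupported mechanism " + oid)
    return ("verify", oid, b64)             # step 4: pass the digest to authenticateWithDigest
# Constructed samples (not real captures): SPNEGO/Kerberos GSS wrappers around dummy bodies, and the raw NTLMSSP blob of an NTLM fallback.
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0d\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x03\x02\x01\x00").decode()
SAMPLE_KRB5 = base64.b64encode(b"\x60\x0d\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01\x00").decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A real SPNEGO token from a browser is several hundred bytes, which is why the long-form DER length is handled; an "ntlm_fallback" result is worth logging, since it means the Kerberos prerequisites are not in place for that client.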

[Figure: Kerberos.JPG]

 

Pre-Requisite

Before configuring EEM for Kerberos authentication, Kerberos must be set up between the Linux node and the Active Directory machine. The basic steps are listed below.

  1. The Key Distribution Center (KDC) has been enabled in Active Directory
  2. The Linux machine has been joined to Active Directory
  3. A Service Principal Name (SPN) has been created with the format HTTP/fqdn-linuxhost@domain
  4. A key table (keytab) file has been generated for the SPN
  5. Time has been synchronized between the Linux host and Active Directory

Note: These are the essential steps; reference links are provided in the appendix.

Configuring EEM Server for Kerberos

EEM provides a UI for Kerberos configuration (Linux only) and takes absolute paths as input for the Kerberos configuration.

Navigation path for Kerberos configuration: Configure->EEM Server->Kerberos Configuration

EEM asks for the following settings, each of which is detailed and explained below.

Configuration          | Significance                                                                    | Example
-----------------------|---------------------------------------------------------------------------------|---------------------------
Configuration Path     | Absolute path to the Kerberos configuration file on the Linux host              | /etc/krb5.conf
KeyTab Path            | Absolute path to the keytab file with credentials for the Service Principal Name | /etc/krb5.keytab
Service Principal Name | Service Principal Name that identifies the service and host                     | HTTP/fqdn-linuxhost@domain
Credential Cache Path  | Absolute path to the credential cache file                                      | /tmp/krb5cc_1

 

[Figure: kerberos2.JPG]

Appendix

  1. How Kerberos works - http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
  2. Kerberos benefit - http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx
  3. Configure Linux Machine for Kerberos - https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html#About_Kerberos