Spnego configuration
How to configure IWA / SPNEGO for IBM Domino, enabling Windows-authenticated users to access Domino web applications without being prompted for further authentication.
1. Integrated Web Authentication & Domino
July 2015
Gabriella Davis, The Turtle Partnership

2. Outline
✤ Function and use of IWA
✤ System Requirements
✤ How To Configure SPNEGO
✤ Things To Consider

3. What Is IWA
✤ Integrated Web Authentication (IWA) is an umbrella term that represents several protocols and technologies used by Microsoft for automatic authentication
✤ SPNEGO is an IWA service that determines which protocol the client and server need to use to talk
✤ Microsoft uses SPNEGO for its HTTP authentication negotiation
✤ Protocols that can be used by SPNEGO for IWA include Kerberos and NTLM

4. SPNEGO: Simple & Protected GSSAPI Negotiation Mechanism
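Added example, not part of the deck: slides 3 and 4 say SPNEGO negotiates between Kerberos and NTLM, and the outcome is visible in the token a browser sends in its Authorization: Negotiate header. This Python decodes that token far enough to name the mechanisms offered, so a web log or proxy capture shows whether a client stayed on Kerberos or could fall back to NTLM; the OIDs are the standard ones, and the sample tokens are constructed here rather than captured.

```python
import base64
# DER-encoded mechanism OIDs that appear in HTTP Negotiate tokens (well-known values).
SPNEGO = bytes.fromhex("2b0601050502")                               # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",              # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5 (legacy)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",                # 1.3.6.1.4.1.311.2.2.10
}
KRB5, MSKRB, NTLM = MECHS                  # dict keeps insertion order (Python 3.7+)

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(header_value):
    """Name the mechanisms a browser offers in 'Authorization: Negotiate <base64>'."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):   # bare NTLM type 1 message, no SPNEGO wrapper
        return ["NTLMSSP (raw)"]
    tag, body, _ = read_tlv(token)         # GSS-API InitialContextToken is [APPLICATION 0]
    _, mech, pos = read_tlv(body)          # first element: the mechanism OID
    if tag != 0x60 or mech != SPNEGO:      # e.g. a bare Kerberos AP-REQ, or not GSS-API at all
        return [MECHS.get(mech, "unknown " + mech.hex())]
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }; mechTypes comes first
    _, neg_init, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(neg_init)
    _, mech_list, _ = read_tlv(seq)
    _, oids, _ = read_tlv(mech_list)
    names, p = [], 0
    while p < len(oids):
        _, oid, p = read_tlv(oids, p)
        names.append(MECHS.get(oid, oid.hex()))
    return names

def ntlm_possible(header_value):
    """True when the exchange could finish on NTLM rather than Kerberos: worth alerting on."""
    return any(n.startswith("NTLMSSP") for n in classify_negotiate_token(header_value))
def der(tag, body):                        # minimal DER encoder for the samples (short lengths)
    return bytes([tag, len(body)]) + body
def sample_negotiate_header(mech_oids):
    """Constructed NegTokenInit offering the given mechs (no mechToken), as a header value."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    token = der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, mech_types)))
    return "Negotiate " + base64.b64encode(token).decode()
HEADER_KRB_FIRST = sample_negotiate_header([MSKRB, KRB5, NTLM])     # typical Windows client
HEADER_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A client whose list contains NTLMSSP, or that sends a raw NTLMSSP message under the Negotiate scheme, has not proven it holds a Kerberos ticket for the Domino SPN, which is usually the first sign that the SPN or browser zone configuration on the following slides is wrong.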
5. System Requirements
✤ Domino 8.5.1 or later as the initial authentication server
✤ Windows Active Directory with Windows 2003 or later compatibility mode
✤ Browsers
  ✤ IE
  ✤ Firefox (Windows)
  ✤ Chrome 8 and higher (Windows)

6. The Lab Environment
✤ Active Directory: Windows 2008 R2 DC, cn=dc,dc=turtletest,dc=com
✤ Domino Server: Windows 2008 R2, Domino 9.0.1, dominoweb.turtletest.com, Swan/Turtle, cn=dominoweb,dc=computers,dc=turtletest,dc=com
✤ Windows 7 Client Machine: cn=lihue,dc=computers,dc=turtletest,dc=com, cn=gabriella,dc=lihue

7. How Does It Work With Domino
✤ There must be a relationship between Domino and AD for the authentication “conversation” to happen
✤ Domino must run as a service under Windows
✤ Use a named AD account to run the service
✤ Create a Service Principal Name in Active Directory for each URL hostname that will be passed to Domino

8. Configuring for SPNEGO

9. Domino Configuration
✤ Internet Site Documents
✤ Web Single Sign On Document
✤ HTTP Site Document
✤ Domino start as service with named user
✤ Configuring Domino to start with a Java controller

10. Internet Site Documents
✤ Ensure the Domino server document is set to use Internet Site Documents
  ✤ this isn’t a requirement but will make the SPNEGO configuration easier to manage

11. Web Single Sign On Document

12. HTTP Site Document

13. Domino Start As Service
✤ Domino must be started using an AD account, not a local system account. A local system account does not support use by multiple web servers or the use of an IP sprayer

14. Configure Domino To Start With Java Controller
✤ Once you configure Domino to start as a named account you need to use the Java controller to monitor Domino on the server itself
✤ Use Windows regedit to modify the registry
  ✤ find the entries representing the Domino server (search for notes.ini) and add -jc -c
✤ Consider adding to the server notes.ini file:
  ServerController=1
  TCPIP_ControllerTcpIpAddress=<ipaddress>:2050

15. Active Directory
✤ We must create a Service Principal Name (SPN) in Active Directory to represent any hostname the Domino web server will use and the account running the Domino server
✤ This can be done two ways
  ✤ using the domspnego utility
  ✤ manually
✤ You will need to find and use setspn.exe on the Domain Controller

16. Using domspnego
✤ From the Domino program directory in a command window type domspnego
✤ domspnego -? shows help for the command
✤ domspnego <name of output file to generate>
  ✤ e.g. domspnego dominowebservice

17. Domspnego Output
✤ You will need to know
  ✤ The account name Domino is running under
  ✤ Any hostnames used for web access
  ✤ Any IP sprayer hostnames
✤ Answering the prompted questions will generate a .cmd file you can edit in Notepad to see the commands you will want to run

18. Domspnego CMD File

19. Creating the SPN
✤ On the domain controller find the “setspn.exe” utility
✤ The syntax is: setspn -a HTTP/<hostname> <adserviceaccount>
✤ The commands for creating the SPN will be in the output file generated by domspnego, e.g. setspn -a HTTP/dominoweb.turtletest.com dominowebservice

20. SPN Rules
✤ There can only be one SPN for a hostname
✤ If you need to change the service account bound to the SPN you must delete the original one first and create a new one
✤ To delete an SPN type “d” instead of “a” on the setspn command: setspn -d HTTP/dominoweb.turtletest.com dominowebservice

21. SPN Commands
✤ Create a SPN
✤ Confirm a SPN
✤ Remove a SPN

22. Name Mappings
✤ To grant Domino access to a database there must be an ACL entry for the user
✤ The Windows Kerberos name must be an entry in the FullName field of the user’s person document so Domino can match the Windows logged-in name to the ACL
✤ There should be 2 entries before it: the user’s hierarchical name (used in the ACL) and the user’s common name
✤ The Windows user “Gabriella” logging into the Windows domain “turtletest.com” (gabriella@turtletest.com) will be translated by Domino into Gabriella Davis/Turtle for ACL access
✤ Use the exact case AD uses for the name part and always capitals for the domain part
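Added example, not from the deck: a small Python check that models the FullName rule on slide 22, flags a person document whose Kerberos entry is missing, out of position or does not use upper case for the domain part, and resolves a Windows logon to the hierarchical name used in the ACL. The person documents are constructed for the lab domain; the deck does not say how Domino's own lookup treats case, so the lookup here is case-insensitive by assumption and the case rule is enforced as a separate check.

```python
# Constructed person documents for the lab domain turtletest.com (not real directory data).
# Only the FullName item matters here: [hierarchical name, common name, Kerberos name].
PEOPLE = [
    {"FullName": ["Gabriella Davis/Turtle", "Gabriella Davis", "Gabriella@TURTLETEST.COM"]},
    {"FullName": ["Test User/Turtle", "Test User", "testuser@turtletest.com"]},  # domain not upper case
    {"FullName": ["Partial Person/Turtle"]},                                      # Kerberos entry missing
]

def kerberos_entry(ad_account, ad_domain):
    """The FullName entry the slide prescribes: AD's exact case for the name, upper-case domain."""
    return f"{ad_account}@{ad_domain.upper()}"

def check_person_doc(doc, ad_account, ad_domain):
    """Return the problems that would stop SPNEGO from mapping this person to an ACL entry."""
    names = doc.get("FullName", [])
    if len(names) < 3:
        return ["FullName needs hierarchical name, common name and Kerberos name (3 entries)"]
    problems = []
    if "/" not in names[0]:
        problems.append(f"first entry {names[0]!r} is not a hierarchical name for the ACL")
    expected = kerberos_entry(ad_account, ad_domain)
    if names[2] != expected:
        hint = " (case differs)" if names[2].lower() == expected.lower() else ""
        problems.append(f"Kerberos entry {names[2]!r} should be {expected!r}{hint}")
    return problems

def resolve_principal(principal, docs):
    """Map a Windows logon such as gabriella@turtletest.com to the hierarchical name.
    Assumption: the comparison here is case-insensitive; the slide's case rule is
    enforced by check_person_doc so the entry also satisfies a strict match."""
    wanted = principal.lower()
    for doc in docs:
        names = doc.get("FullName", [])
        if len(names) >= 3 and names[2].lower() == wanted:
            return names[0]           # the hierarchical name Domino uses for ACL access
    return None
```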
23. Directory Assistance
✤ SPNEGO users do not use passwords in any way
✤ The Domino HTTP password field on the person documents can therefore be empty
✤ Should you want non-SPNEGO users to log in they can either use the Domino HTTP Password OR you can configure Active Directory under Directory Assistance
✤ That then authenticates users accessing Domino using their AD names and passwords

24. Managing Users - OPTIONAL
✤ If you do want to manage users in Active Directory instead of in Domino you can do so but the environment needs to be configured for that
  ✤ they must still be present in Domino person documents
✤ The Active Directory entry must have an attribute containing the user’s hierarchical Domino name
✤ Directory Assistance must be configured for authentication to Active Directory
✤ Keeping the user names synchronised across both environments requires a tool such as Tivoli Directory Integrator

25. Browser Configuration
✤ SPNEGO supports Windows browsers IE, Firefox and Chrome >8
✤ Configuration for each must be done on the client side and is different for each browser
✤ This may change in the future if the browser versions change

26. Internet Explorer Configuration
✤ Start IE and click Tools > Internet Options
✤ Select the Security tab
✤ Select "Local intranet" and click Sites
✤ Ensure that "Include all sites that bypass the proxy server" is checked
✤ Click Advanced
✤ Add the URL for the Domino server http://dominoweb.turtletest.com and click OK twice. Or use a wildcard to provide the ability to connect to more than one SPNEGO-enabled Domino server in the domain: *.turtletest.com
✤ Click Custom Level, scroll to the User Authentication section, select "Automatic logon only in Intranet zone," and click OK
✤ Click the Advanced tab, scroll to the Security section, verify the option "Enable Integrated Windows Authentication (requires restart)" is selected

27. Firefox Configuration
✤ Start Firefox and in the URL address box, type about:config
✤ In the Filter box, type network.n
✤ Double-click network.negotiate-auth.trusted-uris, and enter the URL http://dominoweb.turtletest.com, or use a wildcard to provide the ability to connect to more than one SPNEGO-enabled Domino server in the domain (http://*.turtletest.com), or separate multiple entries with commas
✤ Click OK and restart the browser

28. Chrome Configuration
✤ Chrome uses the configuration settings from Internet Explorer
✤ Alternatively in Windows use Internet Options under Control Panel

29. Non-SPNEGO Behaviour
✤ Users who don’t log in to the Windows AD domain cannot use SPNEGO
✤ Once you configure the URL and web server for SPNEGO it can only be used by SPNEGO-enabled clients and browsers
✤ There are programmatic tools available, including DSAPI filters, that will intercept the request and redirect it for non-SPNEGO users
✤ Alternatively non-SPNEGO users can be given a different hostname/URL to use

30. Multiple Sites / URLs
✤ For every hostname or site document that the web server responds to, a SPN needs to be created
✤ This includes any load balancers
✤ Any server aliases that will resolve in URLs must also have SPN entries
✤ Remember only one SPN per hostname, and that must correspond to the owning account of the Domino service

31. SPNEGO Support
✤ SPNEGO is supported for Domino web applications including iNotes
  ✤ but not Traveler
✤ SPNEGO is also supported inside Eclipse for feeds, Sametime, Connections etc.
  ✤ but not for Notes Basic
✤ SPNEGO is not supported for Notes client access

32. Troubleshooting
✤ On Windows 7 and Windows Vista, SPNEGO is not functional for users who are members of the Administrators group when UAC is enabled. To use SPNEGO on these platforms, advise the client user to launch Notes with elevated privileges, disable UAC, or log in as a non-admin user.
✤ DEBUG_HTTP_SERVER_SPNEGO=1
✤ http://www-01.ibm.com/support/docview.wss?uid=swg21394592
