Symantec Access Management


Kerberos fallback to form


  • 1.  Kerberos fallback to form

    Posted Sep 08, 2017 02:55 PM

    The requirement is to do a Kerberos login when the user is on the network and on a domain-joined machine, and to fall back to form-based authentication otherwise.

    We are able to achieve the Kerberos login without any issues, and in the fallback case we are getting a Windows pop-up which we want to remove. Any help is appreciated.

     

    Below is the snippet of code:

     

    // Snippet from inside a servlet/filter method; request, response, redirectURL,
    // kerberosRedirectURL, formProtectURL and orginalTarget are set up earlier in the page.
    // HttpServletResponse comes from javax.servlet.http.
    try {
        String auth = request.getHeader("Authorization");
        if (auth == null) {
            // No credentials yet: challenge the browser for SPNEGO/Kerberos
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "NEGOTIATE");
            response.flushBuffer();
            //return;
        }
        if (auth != null && auth.startsWith("Negotiate")) {
            // Browser answered the challenge: send it on to the Kerberos-protected resource
            redirectURL = kerberosRedirectURL;
        } else {
            // Fallback: clean up the original target and send the user to the form login
            if (orginalTarget != null) {
                orginalTarget = orginalTarget.replaceAll("-SM-", "");
                orginalTarget = orginalTarget.replaceAll("--", "-");
                formProtectURL = formProtectURL + "?&ORIGINALTARGET=" + orginalTarget;
                redirectURL = formProtectURL;
            }
        }
    } catch (Exception e) {
        // catch block was not shown in the posted snippet
        e.printStackTrace();
    }



  • 2.  Re: Kerberos fallback to form

    Posted Sep 28, 2017 05:07 PM

    You can stay "listening" using a load balancer (if any) and handle the request at the beginning. Based on IP, domain or other machine/session info you can send the user/request to a resource protected by Kerberos, or instead send it through a standard auth scheme (form).

     

    Cheers

    Pasquale



  • 3.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 06:00 AM

    Pasquale_Russo,

     

    I am starting Kerberos authentication for O365 with fallback to form-based authentication from scratch. Is there any document that you could help with? I have very little to no knowledge of coding. Please let me know if you could assist with any samples.

    And I have a similar use case as the original poster of this thread.



  • 4.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 08:27 AM

    I created an Ajax page to handle that. In this case, even if there is an error the popup will not show and the user is redirected to a specific page:

     

    <html>
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <script src="jquery-3.3.1.min.js"></script>
    <script>
    $(document).ready(function(){
        $.ajax({
            type: 'GET',
            xhrFields: {
                'withCredentials': true   // send cookies/credentials with the cross-domain request
            },
            crossDomain: true,
            url: 'https://example.com/kerberos/', // Protected context with Kerberos Auth Scheme
            success: function () {
                function getUrlParameter(name) { // Function to get the TARGET from the URI
                    name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
                    var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
                    var results = regex.exec(location.search);
                    // Decode the value and strip the SiteMinder "-SM-" / "$SM$" markers
                    return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));
                }
                var target = getUrlParameter('TARGET');
                console.log("Success!");
                window.location = target; // URL to redirect to if authentication is successful
            },
            error: function(XMLHttpRequest, textStatus, errorThrown) {
                console.log("some error " + textStatus + " " + errorThrown);
                console.log(XMLHttpRequest);
                window.location = "https://example.com/error"; // URL to redirect to if authentication failed
            },
            async: false // synchronous so the redirect happens before anything else renders
        });
    });
    </script>
    </head>
    <body>
    </body>
    </html>



  • 5.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 09:01 AM

    Thank you Wellington,

     

     

    But from the code, I see that it uses only Kerberos. If the user is logging in from an external network, then it doesn't know how to redirect to form-based.

    The scenario here is to redirect to form-based authentication if the user is logging in from an external network. If he is on the internal network, the user will be authenticated using Kerberos, and I am using CA Access Gateway to do the proxy and redirect.

    Any help is much appreciated.

     

    BR, 

    Joseph



  • 6.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 08:36 AM

    From your first post I understood that if a user is on the network and domain it should achieve Kerberos authentication. If not, it should fall back to another form.

    This is what the code does: if Kerberos authentication is achieved, fine, and the user is granted access. If Kerberos authentication fails (user not on the network or domain), the user is redirected to whatever page you want.

     



  • 7.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 08:40 AM

    Thank you wadami



  • 8.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 03:47 PM

    Can you please let me know the implementation of it? Should we include this page in the auth scheme, so that once the application is accessed it can redirect to this page, which redirects to creds.kcc, and if authentication fails redirects to form-based login?



  • 9.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:17 AM

    Yes, this page should be set as an auth scheme. It's just an HTML page with the code; you may configure it as a form auth scheme.

    First you need a context protected with the default Kerberos Auth Scheme, let's say http://example.com/kerberos/

    1. Access http://example.com/app/
    2. /app/* is protected with the above custom form auth scheme
    3. The auth scheme first does a GET to http://example.com/kerberos/
    4. If the return is success, you're redirected to the application
    5. If the return is failure, you're redirected to another page, let's say http://example.com/fail/
    6. /fail/* is protected with your default form auth scheme
    7. After authentication is successful on /fail/, the page may redirect the user to /app/ if needed.


  • 10.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:26 AM

    Will this work for chrome and IE both? I will try this today and see if it works.

     

    Thanks,

    Kanishak



  • 11.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:59 AM

    Works fine with chrome and IE9 and above.



  • 12.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 05:42 PM

    Here is the problem:

     

    It redirects to the context protected by the default Kerberos auth scheme, but it does not redirect to that auth scheme's creds.kcc and just falls back to form-based.

    When I try to access that context protected with Kerberos directly it works fine and redirects to creds.kcc. So in this case I am always getting redirected to form-based login.

     

    Thanks,
    Kanishak



  • 13.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:40 PM

    Might the issue be that the context protected by the Kerberos auth scheme is hit with an xmlhttp-type request and does not redirect to creds.kcc? Have you tested it?



  • 14.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:55 PM

    Kanishak1

     

    Just out of curiosity,

     

    • What version of CA SSO are you currently on?
    • Is this work still in the development stage?

     

    The reason I ask this is because, while it is good we are trying to get this to work, I built a custom solution for Kerberos failover to forms for a customer. We then stalled the entire custom work because Kerberos failover to forms is likely to be released in the next version of CA SSO. I do not intend to promise (nor reveal), as Product Management would be in a better position to confirm when and which version of CA SSO will have this OOB. So if I were in your shoes, I'd check this via your CA Account Manager to get a timeline from Product Management. Just trying to save you custom work, if you are still in the development phase. Yes, there'll be an upgrade involved for sure. So we just need to weigh in all factors.

     

    Regards

    Hubert



  • 15.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:02 PM

    We are on 12.7.02 and we have worked extensively with CA Services and CA Support to make our IWA fallback to form work, and that is also not working OOB; we have had a CA case running for months. Prior to it we had a custom solution for Kerberos fallback to form which works in most of our flows, but at times it gives a Windows prompt, so I am thinking of going back to that solution if we can solve the Windows prompt with the custom solution.

     

    Thanks,

    Kanishak



  • 16.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:12 PM

    Thank you Kanishak1 for the inputs. Could you message me the case# in a private message via communities messaging? I would like to have a read of the case, at least to be knowledgeable about the anomaly.



  • 17.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:40 PM

    I am not sure how to send a private message. Please send me your email id; I can send you the case number on it.

     

    Thanks,

    Kanishak



  • 18.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 04:30 AM

    @Hubert,

     

    We have CA SSO 12.8 and we are trying to achieve the same thing as @Kanishak. Any input from your end will also help us a lot.

     

    And how do you send a private message through communities?



  • 19.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 08:27 AM

    Kanishak1

    Add the case# here. It is OK. 

     

    jschristiein

    The way I achieved Kerberos fallback to forms was using a completely different path.

     

    I used something we already have as a starting point. This was proven for IWA. I used it for Kerberos.
    https://communities.ca.com/docs/DOC-231151411  
    https://communities.ca.com/servlet/JiveServlet/download/2031-99216727-99217046-47762/winforms+select+auth+1.2.zip  

    First Step: Forget everything else and get a basic OOB Kerberos authentication scheme working. If a simple OOB Kerberos Authentication Scheme isn't working, don't even attempt customization.

    Second Step: I followed the documentation with "winforms+select+auth+1.2.zip". However, instead of using an IWA Auth Scheme I used a Kerberos Authentication Scheme. Screenshot below. Our Kerberos Auth Scheme (WAM UI) content rendering does not effectively handle the custom target login page. I can create a new Kerb Auth with the login page target as ASP, but when I save and then try to view it, it keeps reverting to /kerb.kcc (seems like the current Kerb Auth Scheme is hardcoded in the UI to use kerb.kcc). But as long as we are aware/knowledgeable, I can deal with it, and I made the Customer aware how to work with it. In the end the WAM UI representation plays a very minor role; the bigger picture is what is present within the policy store.

    Another thing we have identified is that if a Customer ENV uses CA SSO IWA and then decides to move to Kerberos, we have to turn off CA SSO IWA and then enable CA SSO Kerberos. If we opened a browser, accessed an IWA-protected resource and on the same browser accessed a Kerberos-protected resource, it goes into an indefinite loop. Something from IWA (NTLMCreds etc.) does not gel well with Kerberos. I am assuming it is the FCCCompatMode setting, but never had the time to investigate that as we agreed to turn off IWA. We won't have both (IWA and Kerb) enabled at the same time.

     

    WAM UI (View Mode)

    You can see that in VIEW mode the WAM UI deliberately added the default kerb target and pushed everything else down by one field. It looks messy.

     

     

    XPSExplorer (Actuals)

     

    We tested this for single-factor logins and it works like a charm. We were in the process of testing Federation and OIDC use cases when we stalled this custom solution, as we received confirmation that Kerberos FO to Forms will be delivered soon.

     

     

     

    Lastly, don't hold me to this statement: "Kerberos Failover to Forms will be available in R12.8 SP2". This is the statement my Customer received. The current anticipated arrival date for R12.8 SP2 is Dec 2018. You could re-verify this via your CA Account Manager.



  • 20.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 08:41 AM

    Doesn't it get redirected at all? Any errors on browser console (dev tools)?



  • 21.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 09:06 AM

    It gets redirected to the context protected by default Kerberos, but I do not see any redirection to creds.kcc (its authentication scheme) and it goes directly to the fallback.

    But if I access that context directly in the browser it works fine, so what I am assuming is that from the script it is making an xmlhttp type of request to that context and SSO does not know what to do with it.

    Have you tried this setup? Does it work?

     

    Thanks,

    Kanishak



  • 22.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 11:15 AM

    Yes, it's working fine:

    1. Access /app/
    2. /app/ is protected with the auth scheme loginkerberos.html, which is the custom code.
    3. It does a GET to /kerberos/
    4. /kerberos/ is protected with the default Kerberos auth scheme
    5. It's redirected fine to creds.kcc
    6. Auth/az is fine; it redirects back to /app/ (there is no page there, that's why the 404)

     

    This is exactly the code I'm using:

    <html>
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <script src="jquery-3.3.1.min.js"></script>
    <script>
    $(document).ready(function(){
        $.ajax({
            type: 'GET',
            xhrFields: {
                'withCredentials': true   // send cookies/credentials with the cross-domain request
            },
            crossDomain: true,
            url: 'https://webservices158.lab.ca/kerberos/', // context protected with the default Kerberos auth scheme
            cache: false,                                   // avoid a cached 200 hiding a failed authentication
            success: function () {
                function getUrlParameter(name) { // read TARGET from the query string, stripping the SiteMinder markers
                    name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
                    var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
                    var results = regex.exec(location.search);
                    return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));
                }
                var target = getUrlParameter('TARGET');
                console.log("Sucesso!");
                window.location = target; // Kerberos succeeded: go to the application
            },
            error: function(XMLHttpRequest, textStatus, errorThrown) {
                function getUrlParameter(name) {
                    name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
                    var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
                    var results = regex.exec(location.search);
                    return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));
                }
                var target = getUrlParameter('TARGET');
                target = target.replace(/^https?:\/\/[^\/]+/g,""); // keep only the path part of the target
                console.log("some error " + textStatus + " " + errorThrown);
                console.log(XMLHttpRequest);
                window.location = "https://portonet.lab.ca/loginpnet/"; // Kerberos failed: form-protected login page
            },
            async: false // synchronous so the redirect happens before the page renders
        });
    });
    </script>
    </head>
    <body>
    <h1>Redirecting to app...</h1>
    </body>
    </html>
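    The step list in reply 9 and the page in reply 22 both end with `window.location = target`, where `target` comes straight from the TARGET query parameter; without a check on that value the fallback page can be used to bounce a logged-in user to any URL an attacker puts in the link. The following is an added example for this thread, not code from the posted page or from CA SSO: it reproduces the TARGET decoding the posted `getUrlParameter` does (drop the `-SM-` and `$SM$` markers) using `URLSearchParams`, validates the destination against an allow-list of hosts, and then chooses where the browser goes on Kerberos success or failure. The host names, the form-login URL and the sample query strings are constructed for the example; the `TARGET` parameter name is the one the posted code reads, and passing the path back to the form login as `TARGET` is this example's assumption, not something the thread states.

```javascript
// Added example for this thread (not the posted page's code or CA SSO's):
// decode TARGET the way the posted getUrlParameter does, then validate it
// before redirecting so the fallback page cannot act as an open redirector.
// Hosts, URLs and query strings below are constructed for the example.

// Same transformations as the thread's getUrlParameter: URL-decode, '+' -> ' '
// (URLSearchParams does both) and drop the "-SM-" and "$SM$" markers.
function getUrlParameter(search, name) {
  const raw = new URLSearchParams(search).get(name);
  if (raw === null) return '';
  return raw.replace('-SM-', '').replace('$SM$', '');
}

// Accept only a site-relative path or an http(s) URL whose host is allow-listed.
// Scheme-relative "//host", "/\host", javascript: URLs and foreign hosts all
// fall back to the default destination.
function safeRedirectTarget(target, allowedHosts, fallback) {
  if (!target) return fallback;
  if (/^\/(?![\/\\])/.test(target)) return target;   // "/path" but not "//" or "/\"
  let url;
  try {
    url = new URL(target);                            // throws on relative/garbage input
  } catch (err) {
    return fallback;
  }
  const httpLike = url.protocol === 'https:' || url.protocol === 'http:';
  return httpLike && allowedHosts.includes(url.hostname) ? url.href : fallback;
}

// Decide where the browser goes once the GET to the Kerberos-protected context
// has returned: success -> validated target; failure -> the form-protected page,
// carrying only the path part of the target (the host stripping mirrors the
// error handler in reply 22; sending it as TARGET is this example's assumption).
function chooseDestination(kerberosSucceeded, search, allowedHosts, formLoginUrl, appHome) {
  const target = getUrlParameter(search, 'TARGET');
  if (kerberosSucceeded) return safeRedirectTarget(target, allowedHosts, appHome);
  const path = safeRedirectTarget(target.replace(/^https?:\/\/[^\/]+/, ''), [], appHome);
  return formLoginUrl + '?TARGET=' + encodeURIComponent(path);
}

// Stand-alone demonstration; in the browser the success/error callbacks would
// call chooseDestination(true/false, location.search, ...) and assign window.location.
if (typeof require !== 'undefined' && require.main === module) {
  const hosts = ['app.example.com'];                // constructed allow-list
  const form = 'https://login.example.com/form/';   // constructed form-login URL
  const q = '?TARGET=-SM-https%3A%2F%2Fapp.example.com%2Fapp%2F';
  console.log('kerberos ok  ->', chooseDestination(true, q, hosts, form, '/app/'));
  console.log('kerberos bad ->', chooseDestination(false, q, hosts, form, '/app/'));
  console.log('tampered     ->', chooseDestination(true, '?TARGET=//evil.example/x', hosts, form, '/app/'));
}
```

    On the cookie-provider problem raised later in the thread: a cross-domain `$.ajax` call with `withCredentials: true` is subject to CORS, so every response the browser receives on that path, including the final one after any redirect, must carry `Access-Control-Allow-Origin` naming the calling page's origin (not `*`) and `Access-Control-Allow-Credentials: true`; otherwise the browser reports the request as an error even when the server-side redirect chain was correct, and the script falls through to the form login. The browser console and network tab, as reply 20 suggests, show whether that is what is happening.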



  • 23.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 12:57 PM

    Hi,

     

    It works fine if I remove the cookie provider URL. The cookie provider URL is in a different domain and we need to have the cookie provider URL. Any thoughts on how to achieve this with the cookie provider?

     

    Thanks,

    Kanishak



  • 24.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 01:01 PM

    I would not recommend having a Cookie Provider domain different from the login domain (that causes too many redirections). Try to see if you can keep the Cookie Provider Agent and the Login Agent (doing Kerberos authentication) the same. Just a thought.



  • 25.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 01:07 PM

    Yes, we have to support legacy and new platforms, but we will eventually have the cookie provider and login domain the same.

     

    Redirections are fine for now, but the above script does not work if we have the cookie provider enabled; not sure if we are hitting CORS.

     

    Thanks,

    Kanishak



  • 26.  Re: Kerberos fallback to form

    Posted Oct 29, 2018 01:05 AM

    Any suggestion if I am using a cookie provider in a different domain than the one the AJAX script is hosted in? I see it fails as it never redirects to the creds.kcc URL, but if I disable the cookie provider it works fine.

     

    Please let me know if there is any suggestion to make it work with the cookie provider.

     

    Thanks,

    Kanishak



  • 27.  Re: Kerberos fallback to form