
I am working on implementing Windows Integrated Authentication using ADFS 2.0 with Kerberos.

I had gone through the prerequisites:
configure Windows Server ADDS, ADFS 2.0, DNS, running on some xyz.com domain

I had one Windows client connecting to the Windows Server xyz.com domain

and the spring-security-saml2-sample application on a Linux environment

all these domains are connected using VLAN.

For enabling Windows authentication I had configured IE settings: enable Windows Integrated Authentication, adding the local intranet configuration

required. I had referred to this link: http://www.cisco.com/c/en/us/support/docs/security-vpn/kerberos/118841-configure-kerberos-00.html

As per the Kerberos configuration on the Windows server I had configured

    setspn -a HTTP/adfs01.xyz.com <ActiveDirectory user>

    setspn -a HTTP/adfs01 <ActiveDirectory user>

In my Windows client application I can see I get Kerberos tickets while running

    klist tickets

but for the spring-security-saml2-sample application, I am not able to authenticate,

getting the Windows prompt again and again, and it failed.

What do I need to configure to enable ADFS with Kerberos?

Thanks

Indrani Sen
  • I wonder how this is related to ADFS and the spring-security-saml2-sample application. When using Spring SAML2 it acts as the SAML Service Provider; authentication is performed on the IdP side, which is ADFS. There is no Kerberos service ticket needed to access a SAML2-integrated app. I would say you either use SAML2 or Kerberos (via SPNEGO) to achieve web-based SSO. – Bernhard Thalmayr Dec 08 '15 at 11:20
  • While doing Windows Integrated Authentication using this spring-security-saml2-sample webapp, the browser should automatically get a Kerberos ticket from the Windows server while processing the SAML request/response for authentication. For my case somehow I am not able to do Windows Integrated Authentication; I get the browser continuously prompting for user and password in the IE browser. – Indrani Sen Dec 08 '15 at 11:44
  • Also, if I remove the Windows Integrated configuration in the IE settings, i.e. uncheck "Enable Windows Integrated Authentication", I am able to get the SAML assertion from the ADFS 2.0 service. – Indrani Sen Dec 08 '15 at 11:51
  • Most likely because IE is sending an NTLM token, which is also handled by the ADFS IdP, which then sends the SAML AuthResponse to the Spring SAML SP. Authentication itself is out of scope of SAML; SAML is standards-based WebSSO. – Bernhard Thalmayr Dec 08 '15 at 17:22
  • Just use a SAML trace plugin and you can follow the SAML protocol flow (if some front-channel binding is used). – Bernhard Thalmayr Dec 08 '15 at 17:23
  • For tracing I had used Fiddler; I can see the SAML assertion returned from the ADFS server after resolving my issue by setting the proper SPN. – Indrani Sen Dec 09 '15 at 13:54

1 Answer

I had figured out my issue by setting the SPN (service principal name) on the user of the ADFS 2.0 logon account, instead of setting the SPN on a random account. I referred to this link:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Cookbookcol_Setting_up_ADFS_for_integrated_Windows_authentication_lprIWArpr_

and my IE settings:

Enabled Windows Integrated Authentication.

Put the ADFS server, i.e. the Windows server, in Local intranet sites.

In Local intranet settings --> Custom level --> User Authentication: Automatic logon in Intranet zone.

Indrani Sen
  • This is working in IE but not for Chrome. Any idea? – Bhushan Karmarkar May 08 '19 at 05:30
  • For Chrome, "system logon credentials" (Kerberos authentication mechanism). To configure Chrome you need to start the application with the following parameter: auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP server. Example: chrome --auth-server-whitelist="*aai-logon.domain-a.com" – Indrani Sen May 10 '19 at 11:28
  • Check this post, the link might help: https://serverfault.com/questions/823307/configuring-google-chrome-to-connect-to-ad-configured-with-kerberos-and-using-ad – Indrani Sen May 10 '19 at 11:28
  • Didn't work. The --auth-server-whitelist parameter is obsolete in the latest Chrome versions. Actually, Chrome uses the IE settings, but somehow it is not working. Also checked with editing registry entries as stated in the 3rd answer here: https://stackoverflow.com/questions/7800938/how-to-enable-auto-logon-user-authentication-for-google-chrome – Bhushan Karmarkar May 13 '19 at 07:22
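The fix in the accepted answer (SPNs on the AD FS service's own logon account, IE intranet zone set to automatic logon) and the symptom in the question (endless credential prompts despite `klist` showing tickets) can both be checked with a script. The following PowerShell is an added example written for this page; it is not code from the question, the answer, or the linked articles. The host name adfs01.xyz.com comes from the question. The AD FS service name `adfssrv`, the `Zones\1` registry key and its `1A00` logon value, and the `klist get` and `setspn -s`/`-d` switches are standard Windows details not mentioned on the page; the function names `Test-AdfsSpn` and `Test-IeIntranetLogon` are my own. It assumes the RSAT ActiveDirectory module is installed on the server.

```powershell
# Added example, not the original poster's code.
# Server side (-Client absent): verify the HTTP SPNs for the AD FS host are on the
# account adfssrv logs on as, and on no other object (duplicates break Kerberos).
# Client side (-Client): verify IE's Local intranet zone allows automatic logon and
# that a service ticket for the AD FS SPN can actually be obtained.
[CmdletBinding()]
param(
    [string]$AdfsHost = 'adfs01.xyz.com',   # FQDN from the question; adjust for your lab
    [switch]$Client                          # run the browser-side checks instead
)

function Test-AdfsSpn {
    param([string]$HostName)
    Import-Module ActiveDirectory -ErrorAction Stop

    $short    = ($HostName -split '\.')[0]
    $expected = @("HTTP/$HostName", "HTTP/$short")   # the two SPNs the question registers

    # Which account does the AD FS service (adfssrv) log on as? Run this on the AD FS server.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc) { throw 'Service adfssrv not found; run this on the AD FS server.' }
    $logon = $svc.StartName
    Write-Host "AD FS service logs on as: $logon"
    if ($logon -notmatch '\\') {
        Write-Warning 'Built-in service account; the SPNs then belong on the computer account, not a user.'
        return $false
    }
    $user = Get-ADUser -Identity ($logon.Split('\')[-1]) -Properties servicePrincipalName

    $ok = $true
    foreach ($spn in $expected) {
        if ($user.servicePrincipalName -contains $spn) {
            Write-Host "OK        $spn is on $($user.SamAccountName)"
        } else {
            # -s (not -a) refuses to add an SPN that already exists elsewhere in the forest
            Write-Warning "MISSING   $spn ; add with: setspn -s $spn $($user.SamAccountName)"
            $ok = $false
        }
        # Any other object holding the same SPN is a duplicate. The KDC may then encrypt the
        # service ticket for the wrong account, AD FS cannot decrypt it, and the browser
        # keeps re-prompting, which matches the symptom in the question.
        $dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                 Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
        foreach ($d in $dupes) {
            Write-Warning "DUPLICATE $spn also on $($d.DistinguishedName); remove with: setspn -d $spn <that account>"
            $ok = $false
        }
    }
    return $ok
}

function Test-IeIntranetLogon {
    param([string]$HostName)
    # Zone 1 = Local intranet. DWORD 1A00 is the "Logon" option from Custom level:
    #   0x00000 automatic logon with current user name and password
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone
    #   0x30000 anonymous logon
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $logon = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $logon) {
        Write-Host 'Intranet zone logon value not set explicitly; IE default applies.'
    } elseif ($logon -eq 0x10000 -or $logon -eq 0x30000) {
        Write-Warning ('Intranet zone logon is 0x{0:X} (prompt/anonymous); set Automatic logon.' -f $logon)
        return $false
    } else {
        Write-Host ('Intranet zone logon is 0x{0:X} (automatic).' -f $logon)
    }

    # Ask the KDC for a ticket to the AD FS SPN. Failure here (no such SPN, or the
    # ticket cannot be used) points at the server-side SPN registration, not at IE.
    $out = & klist get "HTTP/$HostName" 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -join "`n") -notmatch 'HTTP/') {
        Write-Warning "Could not obtain a service ticket for HTTP/$HostName :`n$($out -join "`n")"
        return $false
    }
    Write-Host "Service ticket for HTTP/$HostName obtained."
    return $true
}

if ($Client) { Test-IeIntranetLogon -HostName $AdfsHost } else { Test-AdfsSpn -HostName $AdfsHost }
```

Run the script without switches on the AD FS server to confirm the SPN side, then with `-Client` on the Windows client that sees the repeated prompts. A `MISSING` or `DUPLICATE` warning explains the behaviour in the question: the client holds valid tickets for other services, but none the AD FS service can decrypt, so IE falls back to prompting. For a forest-wide duplicate scan outside this script, `setspn -X` lists every SPN registered more than once.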