What's the meaning of Realm in spring security - spring

In my application, I use spring security, and I just want to know what's the meaning of "realm" in HTTP config.

A realm is a credential store that enables identity or role based access control.
Java Documentation
What is a realm?
For a web application, a realm is a complete database of users and groups that identify valid users of a web application (or a set of web applications) and are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. In this release of the Application Server, the file, admin-realm, and certificate realms come preconfigured for the Application Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use the HTTPS protocol and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Admin Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the Application Server.

A realm is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group.
A realm is a security policy domain defined for a web or application server. The protected resources on a server can be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database containing a collection of users and groups. For a web application, a realm is a complete database of users and groups identified as valid users of a web application or a set of web applications and controlled by the same authentication policy. The Java EE server authentication service can govern users in multiple realms.
https://docs.oracle.com/cd/E19798-01/821-1841/bnbxk/index.html
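The answers above describe a realm as a protection space with its own user store. In Spring Security's HTTP configuration the realm name is what `httpBasic().realmName(...)` places in the `WWW-Authenticate: Basic realm="..."` challenge, and the client answers with an `Authorization: Basic ...` header. The following Python example is added here and is not code from the question, the answers or Spring Security; it is a framework-free model of that exchange with two constructed realms (`admin-realm` and `app`) and constructed test users, showing that a credential is only valid inside the realm it belongs to and that a client picks credentials by (host, realm).

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Constructed sample data: two realms served by the same host, each with its
# own user store. Passwords are kept as salted SHA-256 digests so the store
# never holds cleartext.
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a {username: (salt, digest)} store from constructed test passwords."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _digest(password, salt))
    return store

# Hypothetical realm names and users; "alice" exists in both realms with
# different passwords to show that the stores are independent.
REALMS: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {
    "admin-realm": make_store({"alice": "admin-pw"}),
    "app": make_store({"bob": "bob-pw", "alice": "alice-app-pw"}),
}

# key=value or key="quoted value" pairs in a WWW-Authenticate header
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def challenge(realm: str) -> str:
    """WWW-Authenticate value the server sends with a 401 for this realm."""
    return f'Basic realm="{realm}", charset="UTF-8"'

def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a WWW-Authenticate value into (scheme, params); 'realm' is a param."""
    scheme, _, rest = header.strip().partition(" ")
    params = {
        m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
        for m in _PARAM_RE.finditer(rest)
    }
    return scheme, params

def authorization(username: str, password: str) -> str:
    """Authorization value a client sends back: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization value; None for anything that is not well-formed Basic."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; passwords may contain ':'
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(realm: str, auth_header: Optional[str]) -> Optional[str]:
    """Return the username if auth_header holds valid credentials for *this* realm."""
    if auth_header is None:
        return None
    creds = parse_authorization(auth_header)
    if creds is None:
        return None
    user, password = creds
    store = REALMS.get(realm, {})
    if user not in store:
        return None
    salt, expected = store[user]
    # constant-time comparison of digests
    if not hmac.compare_digest(_digest(password, salt), expected):
        return None
    return user

class BasicClient:
    """Client side: credentials are cached per (host, realm), so the realm in the
    challenge decides which stored credential is offered."""
    def __init__(self, vault: Dict[Tuple[str, str], Tuple[str, str]]):
        self._vault = vault  # constructed: {(host, realm): (user, password)}

    def respond(self, host: str, www_authenticate: str) -> Optional[str]:
        scheme, params = parse_challenge(www_authenticate)
        if scheme.lower() != "basic" or "realm" not in params:
            return None
        entry = self._vault.get((host, params["realm"]))
        return authorization(*entry) if entry else None
```

`authenticate("admin-realm", ...)` never consults the `app` store, which is the partitioning the Java EE text describes: the same username with the right password for one realm is rejected in the other.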

Related

Different certificates in request from my tenant and other tenants in SAML SSO of Microsoft Azure

We have a multi-tenant application in Microsoft Azure.
This app is for performing SSO on our platform using SAML.
When we try to login with a user from our tenant, everything works correctly; the certificate that arrives in the request is correct.
But when we try to login with another tenant, the request gives us another certificate that is not the one we have configured in our Azure application.
Why when we try to login from another tenant, even though they have authorized us to use our application, does it not return the certificate that we have configured in our application and returns another?
We have placed on our platform the certificate that we have configured in our Microsoft Azure application.
We expect that when we log in with a user from another tenant, the certificate that we have configured in the Azure application will be returned in the response, so that it is the same as the one we have on our platform.

In OAuth2 flow, can we delegate authentication to Windows SSO

We have an in-house OAuth2 server used by our applications. Now we want to use Windows SSO for our applications but without them having to change anything: they'll still reach our OAuth2 server for an access token and the authentication part will be delegated to Kerberos (which Windows uses, if I understood properly).
Is there a way to do that?
That is a standard setup and should just require configuration changes in the Authorization Server (AS) - with zero code changes in applications.
Most commonly:
The AS might be hosted in the cloud
It will redirect browsers to an on premise Identity Provider (IDP)
The IDP can connect to Active Directory
You may also need a fallback option for when users are not joined to the work domain. See this Curity guide for an example and some infrastructure factors to think about.
If the AS is in house it may even be able to make a direct Kerberos connection via an LDAP data source, though the preferred architecture is a separate IDP.
Of course you need an AS that supports the ability to make this type of connection, so would need to check the vendor docs.
REQUEST FLOW
Kerberos has always been the simplest protocol conceptually but the deepest to understand - here is a bit of a summary:
Your apps will make a standard OpenID Connect authorization redirect to the AS
The AS may then present an authentication selection screen to the user, unless there is only a single option
Alternatively an app can send the acr_values query parameter to say which authentication method to use
The AS will then redirect the browser to the next stage of processing, that uses a 'Windows SSO authenticator'
The redirect to the Windows SSO authenticator does not have to use OpenID Connect - it could be any vendor specific HTTP request
The browser will send an encrypted Kerberos ticket automatically by connecting to AD - a prerequisite for this to work might be that the domain in the URL is in the Local Intranet zone on end user computers
The Windows SSO authenticator will need to be able to decrypt this credential, which typically requires a Service Principal Name to be configured
Once the Kerberos ticket is decrypted, the authenticator will make an LDAP connection to an Active Directory data source via its standard LDAP endpoints, to verify the received ticket

How to bind and query LDAP server without specifying user credentials

Currently my Mac has been successfully configured to be in Active Directory Domain. (System Preferences -> Users & Groups -> Login Options -> Network Account Server)
We are developing a Mac application that has following requirements:
It should communicate with the LDAP server in Active Directory Domain and retrieve users & their attributes from LDAP server.
While communicating (bind or search) with the LDAP server, we are not allowed to explicitly specify logged-in user's credentials. (e.g. we should not prompt username / password screen to the user)
If we explicitly specify logged-in user's credentials,
• we are able to bind to the LDAP server
• we are able to search the users & their attributes in LDAP server.
If we do not specify logged-in user's credentials,
• we are able to bind to the LDAP server
• but it does not allow us to search the users & their attributes in LDAP server.
We are currently using OpenLDAP framework for LDAP operations.
Is there a way with which we can use logged-in user's credentials implicitly while communicating with the LDAP server?
Can you please guide us how we can query LDAP server (search users & their attributes in LDAP server) without specifying logged-in user's credentials explicitly.
Any kind of help is highly appreciated.
Is there a way with which we can use logged-in user's credentials implicitly while communicating with the LDAP server?
Maybe.
IF you CAN set up Kerberos (and SPNEGO is using a WEB browser) you might be able to obtain a "ticket" that you could then use a GSSAPI to Authenticate the user.
You would probably be more secure if you used one of the many third-party Access Manager Products to perform these services due to the inherent security risks involved.

How to configure authentication providers per clientId in spring oauth authorization service

I am trying to determine if I could use a different authentication provider for each client ID within the same spring oauth2 authorization service.
In particular, I want to allow resource owner password token grant for external users logging into our corporate websites, and implicit grant for corporate users. Corporate users are stored in our corporate Active Directory server, while external users are stored in a separate LDAP server.
Is it possible to somehow bind the AuthenticationManager to the clientId?

Kerberos Authentication over the Internet

We are currently facing an interesting issue with regard to Kerberos authentication.
The goal is to publish a website over the internet. The authentication needs to be handled from end-to-end by Kerberos in an Active Directory-environment. The client PCs, however, may or may not be domain-joined. The files of the website are located on a file share, which should be accessed using impersonation. The webserver itself is the primary domain controller.
The schematic overview of the landscape is shown below:
The problem:
IIS is set to only allow Negotiate:kerberos Windows Authentication. This will prompt a credential dialog in the browser when the client PC is outside the local network. The domain credentials are not accepted over the internet and the Client's eventviewer shows
The Kerberos client could not locate a domain controller for domain domain.tld: 0xC000005E. Kerberos authentication requires communicating with a domain controller.
This is correct, because the domain's KDC is not accessible over the internet. As far as we understand, Kerberos authentication should be possible with direct client access to the KDC, since the webserver is delegated to authenticate on behalf of the end user.
Our main assumption:
Kerberos can be used as an authentication method without direct access from the Client PC to the KDC.
The things we have tried and / or are relevant:
Sub.domain.tld is in Internet Explorer's trusted sites
Several SPN configurations
Different application pool identities (domain account, default account, system, network)
Disable loopbackcheck
Machines in same time zone / same time
Enabled delegation for the web server
Reproduced on a different domain with different machines (this domain had separate machines for the web server and the domain controller)
As a note, NTLM is not possible because it lacks support for impersonation and basic authentication is not desired because it stores the user credentials on the web server.
References:
www.adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx
www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
windowsitpro.com/security/kerberos-delegation-and-troubleshooting
technet.microsoft.com/en-us/library/cc995228.aspx
community.dynamics.com/ax/b/axsolutionsmonkey/archive/2009/05/20/kerberos-configuration-for-clients-accessing-role-center-from-outside-of-intranet.aspx
dirteam.com/sander/2012/09/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-10-improved-kcd/