It appears that with Java 6 I was able to get the logged in users TGT to generate a Service Ticket; however, when I switch to Java 7 I can no longer get the TGT. Debug shows "Found no TGT's in LSA". I am on the same Windows 7 machine and just make the switch within Eclipse.
I have found solutions that others have tried like adding the AllowTgtSessionKey registry, not logging in as local Admin, and disabling UAC. I have tried all of these and none seem to work and I wouldn't expect a customer to need to do any of these.
So, has anyone implemented this successfully where a user can gain access to a Rich Client just using his already logged in Windows credentials? I am looking for a pure Java solution for our Rich Client as well as or Web Client. Is there a better pure Java solution?
Related
Am not getting the perfect answer for my requirement. Please find the detailed requirement in Lyman English.
I have an application which is installed in Websphere Application Server 8.5 version.
Got a requirement for me to create a dashboard where in we can see the server status like whether the JVM is up or down, EAR deployed date etc.
Dashboard needs to be accessed from Internet explorer on Windows Desktop.
Could you let me know how to achieve this?
Note: Websphere is installed on Linux and IE is on Windows.
Thanks,
Nithin
This is quite broad question, so I'll just give you options that you will have to explore further by your own and choose the one that suits you best.
From the easiest one:
Use built-in admin console - WebSphere provides admin gui, if you dont want to allow users to change anything just give the user monitor role. He will be able to check server status, application status etc...
Use monitoring tool already available, like IBM Health Center, JConsole or 3rd party - I know, not the browser solution but maybe will fit your need
Install and use PerfServlet - it will give you WebSphere statistics in XML format. You can write your app to query that servlet for required params, then parse and present output
Finally use MBean API and write your custom monitoring app - the most difficult but also the most flexible.
Looking at your question, I'd suggest you to stay with option 1).
I have some Web API applications that uses OWIN for authentication. Currently they are hooked up to Google and Facebook. I have them installed in multiple environments (local, dev, test, etc). Recently ALL of my applications in my development environment started failing. When trying to authenticate I would get a response back "access_denied". The URL would look like this:
https://{mydevserver}/{mywebapiapp}/#error=access_denied
The same code base works locally as well as in my test environment.
I tried using the same project (just adding redirect uris and orgins) as well as creating a new project.
I also updated my test environment to use the dev project (id and secret).
Nothing seems to have changed on the server recently. But it seems to be environment specific (because multiple applications are affected as well as multiple providers).
Are there any logging techniques I can use to drill down to a more detailed error message? Any tips or hints for what to try next?
The fix was a bit of an odd one. I had to log into my server, open up a browser and connect to a web page (any page). After doing so it started working again.
So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign On feature for them. I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell?
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue on these setups is how you are going to pass credentials from the Browser to the Web Application. You can setup Kerberos on eDirectory which should work similar to Microsoft Active Directory using GSSAPI which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SPPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and AFIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into a Access Manager product that will be (at least nearly) seamless. Most will allow any(?) WEB based application to utilize SSO in one form or another.
-jim
I have a web app that uses some backend servers (UNC, HTTP and SQL). To get this working I need to configure ServicePrincipalNames for the account running the IIS AppPool and then allow kerberos delegation to the backend services.
I know how to configure this through the "Delegation" tab of the AD Users and Computers tool.
However, the application is going to be deployed to a number of Active Directory environments. Configuring delegation manually has proved to be error prone and debugging the issues misconfiguration causes is time consuming. I'd like to create an installation script or program that can do this for me.
Does anyone know how to script or programmatically set constrained delegation within AD?
Failing that how can I script reading the allowed services for a user to validate that it has been setup correctly?
OK, after much digging on the internet and some testing, I've got a way forward.
The following code is c#.
Setting an SPN for a user or computer can be achieved via the setspn utility.
Alternatively, the following C# code can do the same:
DirectoryEntry de = new DirectoryEntry("LDAP://"+usersDN);
if (!de.Properties["servicePrincipalName"].Contains(spnString))
{
de.Properties["servicePrincipalName"].Add(spnString);
de.CommitChanges();
}
To set constrained delegation:
if (!de.Properties["msDS-AllowedToDelegateTo"].Contains(backendSpnString))
{
de.Properties["msDS-AllowedToDelegateTo"].Add(backendSpnString);
de.CommitChanges();
}
If the user has had non-constrained delegation enabled, you may need to turn this off before enabling constrained - but I didn't fully test this scenario.
Let's say we have an application that has a number of features and each feature as a permission set of users that are allowed to use that feature. The application is designed to be always-on, but at different times during the day we want different users to log on and use it.
Rather than reinvent the wheel and create yet another user account and password system, we'd like to use built-in Windows user accounts (for authentication) and Windows groups (for feature access).
Is it possible to leave the application running but have different users come along and log in and log out of the application without logging out of the Windows session?
There is a mechanism called Impersonation (link points to .NET documentation, but the core Windows APIs provide similar features). It allows you to programmatically run code in a context of a different user than the one currently being logged in. There are, however, other security implications to the model you describe. In particular: how do you protect the rest of the workstation your program is running on?
Well, you could certainly have the application get the user's windows credentials. You could also simply query for group membership without requesting any credentials. More specific information will help with a more specific answer. For instance, what language are you working in?