Enable Auto Login

To enable auto login for DevTest Portal and Enterprise Dashboard, IAM, which handles the security layer, supports an auto login mode. This auto login functionality is based on Active Directory domain credentials using Microsoft Kerberos over the SPNEGO protocol.
 
 
Kerberos is a network authentication protocol that provides authentication for client and server applications and supports Single Sign-On (SSO). If you are already logged in to a system that is part of a domain, you can access network services throughout a Kerberos realm without authenticating again. For HTTP, Kerberos support is provided by the SPNEGO authentication mechanism. All the major browsers support SPNEGO-based authentication, but it is disabled by default for security reasons. For auto login to work, you must configure the browsers to enable SPNEGO support.
The implemented auto login behavior is depicted in the following figure:
Implemented Behavior
Prerequisites
 
  • Configure Active Directory to contain entries for both users and their systems. Ensure that Active Directory is running on Windows Server 2003 Enterprise SP2, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
  • Configure Active Directory, IAM Server, and all the client systems to use a Network Time Protocol server. Ensure that time synchronization is functioning correctly before configuring Kerberos. If the time difference between the server and client is greater than the configured limit (5 minutes by default), Kerberos clients cannot authenticate to the server. 
  • If a firewall separates the Active Directory Server from the IAM Server, ensure that the firewall allows TCP port 88 and UDP port 88. These ports are necessary so that IAM can communicate with the Kerberos server on the Active Directory Server.
  • Ensure that Domain Name Server is functioning correctly on all client and server machines before configuring Kerberos.
The following table lists the example values that are used throughout the Kerberos setup and configuration:

Reference chart for component details:
  Name                                       Value
  Active Directory Server Hostname           adserver
  IAM Server Hostname                        iamserver
  Active Directory Domain Name               example.com
  Key Distribution Center (KDC) Server Name  adserver.example.com
  Kerberos Realm Name                        EXAMPLE.COM
  IAM Hostname                               iamserver.example.com
  Service Principal Name (SPN)               User Principal
This article helps you set up auto login mode in your DevTest installation with administrator privileges.

The following video demonstrates setting up auto login.

Auto Login Flow
Setup Active Directory with Kerberos
Auto login feature supports only Active Directory.
The setup and configuration of the Kerberos server is platform-dependent. The following steps set up and configure Kerberos in an Active Directory Server:
Create a Service Principal Name (SPN) User
An SPN for the server must be registered under either a built-in computer account (such as Network Service or Local System) or a user account. The following steps create the user account that is used during the SPN configuration in the next step.
  1. Log in to the domain controller computer as a user with administrator permissions.
  2. Create a user account in Active Directory Server for the IAM server Kerberos authentication.
    1. In the Active Directory Users and Computers application, navigate to Action, New, and then User.
    2. Complete the First name, Full name, and User logon name fields. Click Next.
    3. Enter a password and confirm it. Select Password never expires and clear User must change password at next logon. Click Next.
    4. Click Finish.
    5. Configure the account to comply with the Kerberos protocol as follows:
      1. Right-click the user in the Users tree and select Properties. The User Properties form opens.
      2. Navigate to the Account tab. Ensure that the User cannot change password and Password never expires options are selected.
Configure the Service Principal Name
Use the setspn command to create a service principal for the user who was created in the previous step. A service principal follows the serviceclass/host rule. Because the web application communicates over the HTTP protocol, HTTP is the service class and the host is the fully qualified domain name (FQDN) of the IAM server.
Ensure that the SPN is unique within the domain. If you give an account an SPN for one IAM server, do not use the same account for another IAM server. You can search for SPNs in the domain by using the -q option, which tells you whether an account already uses that SPN. For example:
setspn -q HTTP/iamserver.example.com
Even if the IAM server uses the HTTPS protocol, ensure that the service class is HTTP only.
  1. To add a service principal, execute the following commands in the command prompt:
    setspn -S HTTP/<hostname_of_IAM_Server> <SPN_user>
    Example:
    C:\Users\Administrator>setspn -S HTTP/iamserver example\iamadmin
    Checking domain DC=example,DC=com
    Registering ServicePrincipalNames for CN=iamadmin,CN=Users,DC=example,DC=com HTTP/iamserver
    Updated object
    setspn -S HTTP/<FQDN_of_IAM_Server> <SPN_user>
    Example:
    C:\Users\Administrator>setspn -S HTTP/iamserver.example.com example\iamadmin
    Checking domain DC=example,DC=com
    Registering ServicePrincipalNames for CN=iamadmin,CN=Users,DC=example,DC=com HTTP/iamserver.example.com
    Updated object
    • If the IAM server hostname contains uppercase characters, create the principal for the IAM server in all lowercase. DNS translates all hostnames to lowercase, and the keytab must match exactly what the DNS reverse lookup returns. Otherwise, Kerberos authentication fails.
    • Ensure that the FQDN specified in the SPN resolves and is reachable (pingable). Otherwise, authentication fails.
    • Avoid including port numbers in the SPN, even though setspn accepts them.
    • Avoid duplicate SPNs. To check for duplicate SPNs, use the following command:
      setspn -X
      This command can use a large amount of memory when scanning a large Active Directory database.
  2. To list the SPNs that were created, execute the following command:
    setspn -L <SPNUser>
Generate Kerberos KeyTab File
A KeyTab file holds the SPN credentials for communicating with the KDC or AD Domain Controller. The ktpass command generates the KeyTab file by mapping the service principal to the user account created in the previous step. You must copy this file to the IAM server.
Follow these steps to generate a Kerberos KeyTab file:
  1. To generate a KeyTab, execute the following command in the command prompt:
    Syntax:
    ktpass -princ HTTP/<fully-qualified-domain-name-of-IAMserver>@<REALM_NAME> -mapuser <SPN_USER> -pass <PASSWORD> -out <FULL_PATH_OF_THE_KEYTAB_FILE_TO_SAVE_TO> -ptype KRB5_NT_PRINCIPAL
    Example:
    C:\Users\Administrator>ktpass -princ HTTP/iamserver.example.com@EXAMPLE.COM -mapUser iamadmin -pass changeit -out c:\iamadmin.keytab -ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: adserver.example.com
    Using legacy password setting method
    Successfully mapped HTTP/iamserver.example.com to iamadmin
    Key created.
    Output keytab to c:\iamadmin.keytab:
    Keytab version: 0x502
    keysize 71 HTTP/iamserver.example.com@example.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x4424147a7dcd3c47c4ec3921443023bd)
    • Create the principal for the IAM server in all lowercase characters, even when your hostname contains uppercase characters, because DNS translates all hostnames to lowercase. The KeyTab must match exactly what the DNS reverse lookup returns. Otherwise, Kerberos authentication fails.
    • Ensure that the FQDN specified in the SPN resolves and is reachable (pingable). Otherwise, authentication fails.
    • Avoid including port numbers in the SPN.
    • Ensure that the REALM_NAME specified is correct, because it is case-sensitive. This means that the principal names in the mappings must be written using the same case as returned by a domain-name lookup. Active Directory is not case-sensitive, while Kerberos is.
    • The best practice for the components of the SPN is as follows:
      • HTTP: all uppercase letters
      • FQDN of the IAM server: all lowercase letters
      • DOMAIN.COM: all uppercase letters
      • The user name must not contain any spaces
    The example creates the KeyTab file "iamadmin.keytab" in the "C:\" folder.
    To see the other options for generating a KeyTab file, execute ktpass /? in the command prompt. The user logon name changes after the ktpass command is executed. You can use -setUPN in the ktpass command to avoid this change.
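As an added example (not part of this documentation or of the DevTest product), the following Python script parses a keytab in the 0x502 format shown in the ktpass output above and checks the principal it contains against the SPN rules from this section (uppercase HTTP service class, lowercase FQDN, no port, realm compared case-sensitively against the expected realm), flagging the legacy RC4-HMAC and DES enctypes. The keytab bytes and key material are constructed samples, not real keys; the parser skips key bytes and never prints them.

```python
import struct
KRB5_NT_PRINCIPAL = 1
LEGACY_ENCTYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC"}  # 0x17 as in the ktpass output

def _counted(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(service, host, realm, enctype, kvno, key, timestamp=0):
    """Build a one-entry MIT keytab (format 0x502); the key bytes are constructed dummies."""
    body = struct.pack(">H", 2)                        # component count (realm not counted)
    body += _counted(realm.encode())
    body += _counted(service.encode()) + _counted(host.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                    # optional 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry (principal, realm, components, etype, kvno); key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    def take(at):                                      # read one counted_octet_string
        (n,) = struct.unpack_from(">H", data, at)
        return data[at + 2:at + 2 + n].decode(), at + 2 + n
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                                   # deleted slot: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = take(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = take(pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                               # skip the key material
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "components": comps, "etype": etype, "kvno": kvno})
        pos = end
    return entries

def check_entry(entry, expected_realm):
    """Apply this page's SPN rules; returns a list of problems (empty means the entry passes)."""
    comps, realm, problems = entry["components"], entry["realm"], []
    if len(comps) != 2:
        return ["principal must be serviceclass/host, got %r" % comps]
    service, host = comps
    if service != "HTTP":
        problems.append("service class must be HTTP in uppercase, got %r" % service)
    if host != host.lower():
        problems.append("host must be lowercase to match DNS, got %r" % host)
    if ":" in host:
        problems.append("host must not carry a port: %r" % host)
    if realm != expected_realm:                        # exact match: the realm is case-sensitive
        problems.append("realm %r does not match %r (case-sensitive)" % (realm, expected_realm))
    if entry["etype"] in LEGACY_ENCTYPES:
        problems.append("legacy enctype %s; prefer an AES enctype" % LEGACY_ENCTYPES[entry["etype"]])
    return problems

# Constructed samples: the first follows the rules, the second breaks three of them
GOOD_KEYTAB = build_keytab("HTTP", "iamserver.example.com", "EXAMPLE.COM", 0x12, 3, b"\x00" * 32)
BAD_KEYTAB = build_keytab("HTTP", "IAMServer.example.com", "example.COM", 0x17, 3, b"\x00" * 16)
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab, then run check_entry on each entry with your realm name.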
Copy KeyTab File
Copy the keytab file that was created in the previous step to the system where the IAM server is running. For example:
  • For Windows: C:\Windows or C:\winnt\
  • For Linux: /etc
The KeyTab file contains sensitive information that is used during the authentication process, so you must restrict and monitor the KeyTab file permissions: anyone with read permission can use all of the keys that the file contains.
Setup Kerberos Client on IAM Server
After you have generated and copied the KeyTab file to the IAM Server, configure a Kerberos client on the system. The Kerberos client setup is also platform-dependent. Place the details of the Kerberos realm, domain name, KDC name, crypto algorithms, and so on, in krb5.conf (Linux) or krb5.ini (Windows) to configure the Kerberos client.
A basic sample krb5.conf file looks as follows:
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC AES256-CTS-HMAC-SHA1-96
permitted_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC AES256-CTS-HMAC-SHA1-96
udp_preference_limit = 1
forwardable = true
clockskew = 300
[realms]
EXAMPLE.COM = {
kdc = adserver.EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
The section that maps DNS domains to realms is named [domain_realm]. The DES-CBC-MD5 and DES-CBC-CRC enctypes are deprecated and RC4-HMAC is a legacy algorithm; where your domain controllers support it, prefer the AES enctypes.
Place the krb5.conf or krb5.ini file under the following path:
  • For Windows: c:\winnt\krb5.ini
  • For Linux: /etc/krb5.conf
Ensure that the KeyTab file and the krb5.conf or krb5.ini file are accessible to the process under which the IAM server runs.
You can specify the krb5.conf or krb5.ini file location with the system property java.security.krb5.conf. Otherwise, Java tries to locate the file in the following order:
  1. %JAVA_HOME%/lib/security/krb5.conf
  2. %WINDOWS_ROOT%/krb5.ini
Configure Kerberos Authentication in IAM
If you want to authenticate with Kerberos backed by Active Directory, you must first configure the LDAP Federation Provider and the authentication flow in IAM.

Configure LDAP Federation Provider

Complete the following fields to enable Kerberos integration:
  • Allow Kerberos Authentication: Enables or disables HTTP authentication of users with Kerberos. The configured LDAP server provides the data about the authenticated users.
  • Kerberos Realm: Provide the name of the Kerberos realm in uppercase. For example: EXAMPLE.COM
  • Server Principal: Provide the full name of the server principal for the HTTP service, including the server and domain name, in the form HTTP/<FQDN>@<KERBEROS REALM>. The server principal name is a unique identifier of the service instance. For example, HTTP/iamserver.example.com@EXAMPLE.COM
  • KeyTab: Provide the location of the Kerberos KeyTab file containing the credentials of the server principal. For example:
    • Linux: <user_home>/iamadmin.keytab
    • Windows: <user_home>\iamadmin.keytab
  • Debug: Enables or disables debug logging to the IAM console.
Ensure that the LDAP groups are properly added to enable auto login. For more information about defining LDAP group settings, see Define LDAP Group Settings.

Configure Authentication Flow in IAM

For more information about configuring the authentication flow in IAM, see Authentication.
Configure Browsers for Kerberos Support
You must configure the browsers for Kerberos login.
Ensure that the computer that sends the automatic login request to the IAM server is joined to Active Directory (AD) and is logged in with a domain user account.
If the computer is not domain-joined, the system falls back to the default login page.
Internet Explorer
Internet Explorer supports Integrated Windows Authentication (IWA), but needs extra configuration depending on the network or domain environment.
 
Prerequisites

  • Ensure that the client system is part of the domain.
  • Ensure that the Active Directory user can log in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group the user is in does not have this right, or if the right has been removed from the Remote Desktop Users group, grant it manually. Log in as an administrator to add this right for a group the user is in:
    1. Open the System Properties control panel applet.
    2. Select the Remote tab.
    3. Click Select Users.
    4. Click Add in the dialog that appears.
    5. Select the Active Directory user and click OK.
Follow these steps to configure Internet Explorer:
  1. Log in to the Windows desktop with a user ID from the domain.
  2. Open the Internet Explorer browser and select Tools, and then Internet Options.
  3. Depending on your enterprise policy, you can define the site where the browser uses Integrated Windows Authentication. The choices are the Local intranet zone or Trusted sites.
    • If you define the site in Trusted sites:
      1. Select the Security tab.
      2. Select the Trusted sites icon.
      3. Click Sites to display the list of trusted sites.
      4. Add the IAM Server URL to enable auto login. For example, enter https://hostname.domain.com as the URL.
      5. Select the Require server verification (https:) for all sites in this zone checkbox depending on your site.
      6. Click Close.
      7. Click Custom level....
      8. Scroll down to the bottom. Under User Authentication, Logon, select the Automatic logon with current user name and password security setting.
      9. Click OK.
    • If you are using the Local intranet zone, follow these steps:
      1. Select the Security tab.
      2. Select the Local intranet icon.
      3. Click the Sites button to display the sites list.
      4. Ensure that the first two options are selected:
        • Include all local (intranet) sites not listed in other zones
        • Include all sites that bypass the proxy server (for older versions of IE)
      5. Click Advanced to display the site add window.
      6. Add the URL of the IAM server to enable auto login. For example, enter http://hostname.domain.com as the URL.
      7. Click Close.
      8. Click the Custom level... button.
      9. Scroll down to the bottom. Under User Authentication, Logon, select the Automatic logon with current user name and password security setting.
      10. Click OK.
  4. Select the Advanced tab.
  5. Scroll down to the Security section and ensure that Enable Integrated Windows Authentication (requires restart) is selected.
  6. Click OK and restart Internet Explorer.
Google Chrome
  • On Windows, Google Chrome uses the Internet Explorer settings. You can configure them in the Internet Explorer Tools, Internet Options dialog. For more information about the settings, see the Internet Explorer section. You can also navigate to Control Panel and select Internet Options within the Network and Internet sub-category.
  • On Linux, use the --auth-server-whitelist option to whitelist the URL in question when starting Chrome to enable SPNEGO. Its value is a comma-separated list of permitted hostnames. You can use an asterisk as a wildcard. Suitable values in this instance would be hostname.example.com or *.example.com:
    [<user>@hostname.example.com]$ google-chrome --auth-server-whitelist="hostname.example.com"
    Other options that can be set are as follows:
    --auth-negotiate-delegate-whitelist="*.example.com" (optional)
    --enable-auth-negotiate-port (optional)
  • On Mac OS X, SPNEGO works without any additional configuration for Chrome, but only negotiates NTLM. You can configure the AuthServerWhitelist setting to authorize host or domain names for SPNEGO protocol message exchanges, using either of the following methods:
    • Command line
      Ensure that you get an initial ticket granting ticket (TGT) from your Kerberos KDC (domain controller) so that you can request service tickets for the IWA Adapter:
      >kinit <user>@EXAMPLE.COM
      <user>@EXAMPLE.COM's Password: (password here)
      Then cd into the Chrome directory and start Chrome with the AuthServerWhitelist parameter:
      >cd "/Applications/Google Chrome.app/Contents/MacOS"
      >./"Google Chrome" --auth-server-whitelist="hostname.example.com"
      You can also set a second policy, AuthNegotiateDelegateWhitelist, to point Chrome to a particular server. Add --auth-negotiate-delegate-whitelist="*.example.com" to the command above. If this parameter is not set, Chrome does not delegate user credentials even if a server is detected on the intranet.
      Once configured, this setting persists every time Chrome is launched. You have to run kinit every 10 hours to allow Chrome to request service tickets for the IWA adapter.
    • Join Mac OS to Windows Active Directory
      Use the following commands to set the user defaults:
      defaults write com.google.Chrome AuthServerWhitelist hostname.example.com
      defaults write com.google.Chrome AuthNegotiateDelegateWhitelist hostname.example.com
      If there are existing entries, add the new entries separated by commas. Use the following command to read the existing values:
      defaults read com.google.Chrome AuthServerWhitelist
Mozilla Firefox
Mozilla Firefox supports the SPNEGO authentication protocol, but it is disabled by default for security reasons. Firefox does not use the concept of security zones like Internet Explorer, but Kerberos credentials are automatically presented to a host when explicitly configured. By default, Firefox rejects all SPNEGO challenges from any web server. You must manually add sites (whitelist) to a trusted sites list for exchanging SPNEGO protocol messages with the browser.
On Windows and Linux, follow these steps to configure Firefox to authenticate using SPNEGO and Kerberos:
  1. Open the Firefox browser.
  2. Enter the about:config URL in the address bar.
  3. Dismiss any warnings that appear. Click I accept the risk!.
  4. In the Search dialog, search for the network.negotiate-auth.trusted-uris preference name and double-click it. This preference lists the trusted sites for Kerberos authentication.
  5. Specify a comma-delimited list of trusted domains, hostnames, or URL prefixes in the popup window. Specify a domain suffix with a leading dot (that is, .example.com) to wildcard the domain.
    Example #1: hostname.example.com - Fully Qualified Domain Name (FQDN) of the host running the IAM web application
    Example #2: hostname.example.com - URL of the IAM web application
    Example #3: .example.com - domain name
  6. Click OK.
If the computer is joined to AD, SPNEGO negotiates both Kerberos and NTLM in Firefox running on Mac OS X. On a non-domain-joined Mac OS, only NTLM is selected as a mechanism for SPNEGO.
Safari on Mac
Safari on Mac OS supports SPNEGO with Kerberos as a default authentication type when Mac OS is joined to Active Directory.
Configure Application for Auto Login
Enable auto login for DevTest Portal by configuring the following properties in the phoenix.properties file:
  • phoenix.iam.redirectLoginToIAM=false
    Specifies whether to redirect the DevTest Portal login page to IAM. Set this property to true to log in automatically.
    Default: false
  • phoenix.iam.clientId=portal_<hostname>_1507
    Specifies the clientId of DevTest Portal that is registered with IAM. This property is used for auto or Kerberos login when phoenix.iam.redirectLoginToIAM=true.
Enable auto login for Enterprise Dashboard by configuring the following properties in the dradis.properties file:
  • dradis.iam.redirectLoginToIAM=false
    Specifies whether to redirect the Enterprise Dashboard login page to IAM. Set this property to true to log in automatically.
    Default: false
  • dradis.iam.clientId=ed_<hostname>_1506
    Specifies the clientId of Enterprise Dashboard that is registered with IAM. This property is used for auto or Kerberos login when dradis.iam.redirectLoginToIAM=true.
Access Application URL
You can verify your auto login configuration by launching the IAM URL. To test automatic login, ensure that you access IAM by its FQDN, for example https://iamserver.example.com:51111. If you are logged in to IAM automatically, the setup is successful.
Once the setup is successful, log in to a client system with any user in LDAP and verify that auto login succeeds with the DevTest Portal and Enterprise Dashboard URLs. Ensure that you use a fully qualified domain name.
If you change the port or protocol while DevTest Portal and Enterprise Dashboard are in auto login mode, provide a new name in the clientId in the phoenix.properties and dradis.properties files. A new clientId is required because the redirect URLs are created with the new port or protocol configuration. If you want to create or update clients manually, see Client Settings.