Kerberos integration without Windows module

This topic has 11 replies, 2 voices, and was last updated 7 years, 2 months ago by Skeggy88.

  • #3221
     Skeggy88
    Participant

    Hi everyone,
    I did an SSO with ForgeRock OpenAM and OpenID, and actually I want to integrate some Kerberos services.
    I have a Linux environment, with Ubuntu Server 14.04 and OpenLDAP.

    I’d like to have authentication on OpenAM and then generate a Kerberos TGT.
    I think that I can use a Post-Authentication module that exchanges information with the KDC, obtains the token and so on…
    The problem is that I know the username but I can’t retrieve the user’s password to execute the kinit command.
    Any suggestions?
    Thanks,
    Veronica

    #3222
     Victor Ake
    Participant

    Veronica,
    Why reinvent the wheel? The “Windows Desktop SSO” module will work with Kerberos on Linux as well. The name might be deceiving, but the module is using the GSS-API, so it should work fine with any MIT Kerberos.
    Cheers,

    #3223
     Skeggy88
    Participant

    But with that module, can I log in in the browser without changing all the other applications that I actually have in SSO?
    Furthermore, where are the tokens (tickets) stored?
    Thanks for your reply

    #3225
     Victor Ake
    Participant

    You can use a chain of modules if you like, i.e. require more than one module to be passed successfully in order to authenticate, or optionally succeed with only one module.

    Did I get it right, you want to use an external Kerberos KDC to authenticate in OpenAM, not the other way around?

    #3226
     Skeggy88
    Participant

    No, I want to login in OpenAM and then obtain a kerberos ticket.
    The authentication should happen in OpenAM, and Kerberos should trust ForgeRock and generate a ticket for the user without needing the password again (if OpenAM says that the user is authenticated, Kerberos accepts it).

    #3227
     Skeggy88
    Participant

    Or better, is a token conversion from an OpenAM token to a Kerberos ticket possible?
    Thanks again.

    #3228
     Victor Ake
    Participant

    But you need to be authenticated in the KDC to obtain a ticket.

    The way the WinSSO OpenAM Authentication Module works is by trusting that the KDC has already authenticated the user.

    If the user is already authenticated in the KDC, then you don’t need to authenticate it, the WinSSO module will pass, and it will obtain the Kerberos ticket you need.

    The SSO token does not contain credentials, so you cannot obtain the password needed by the KDC to obtain a Kerberos ticket.

    What are you trying to do?
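What the Windows Desktop SSO module actually receives, as an added example that is not part of the thread or of OpenAM's code: after OpenAM answers 401 with `WWW-Authenticate: Negotiate`, the browser sends `Authorization: Negotiate <base64>`, and that token is a SPNEGO wrapper (RFC 4178) around a GSS-API Kerberos initial context token (RFC 4121) whose payload is an AP-REQ built from a service ticket for `HTTP/<openam-host>` plus an authenticator. There is no password anywhere in it, which is why nothing OpenAM holds can be turned back into a `kinit`. The decoder below classifies such a header the way a SPNEGO server must before calling GSS-API; it also catches the common failure where the browser does not trust the site for Kerberos and sends NTLM instead, which the module cannot accept. The DER encoder/decoder is minimal but real; `FAKE_AP_REQ` and the sample headers are constructed placeholders, not real tickets.

```python
"""Decode an "Authorization: Negotiate <token>" header the way OpenAM's WDSSO
module must before handing it to GSS-API. Added example, not OpenAM code; the
sample headers are built here, and FAKE_AP_REQ is a placeholder, not a ticket."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS Kerberos V5", OID_NTLMSSP: "NTLMSSP"}
FAKE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"   # constructed stand-in for a DER AP-REQ

def der_len(n: int) -> bytes:
    """DER length: one byte below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06) with base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, v = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(v))
            v = 0
    return ".".join(arcs)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def krb5_mech_token(ap_req: bytes) -> bytes:
    """RFC 4121 initial token: [APPLICATION 0] { krb5 OID, TOK_ID 01 00, AP-REQ }."""
    return tlv(0x60, encode_oid(OID_KRB5) + b"\x01\x00" + ap_req)

def spnego_init_token(mechs, mech_token: bytes) -> bytes:
    """RFC 4178 NegTokenInit { mechTypes [0], mechToken [2] } in RFC 2743 framing."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(m) for m in mechs)))
    inner = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(OID_SPNEGO) + tlv(0xA0, tlv(0x30, mech_types + inner)))

def inspect_negotiate(header_value: str) -> dict:
    """Say which mechanism the header carries; only Kerberos can satisfy WDSSO."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return {"scheme": scheme, "ok": False, "mech": None, "mech_types": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):          # raw NTLM, no SPNEGO wrapper
        return {"scheme": scheme, "ok": False, "mech": "NTLMSSP", "mech_types": []}
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:                                # not a GSS-API initial token
        return {"scheme": scheme, "ok": False, "mech": None, "mech_types": []}
    _, oid_body, pos = read_tlv(body, 0)
    outer = decode_oid(oid_body)
    if outer == OID_KRB5:                          # raw Kerberos, no SPNEGO wrapper
        return {"scheme": scheme, "ok": True, "mech": NAMES[outer], "mech_types": [outer]}
    if outer != OID_SPNEGO:
        return {"scheme": scheme, "ok": False, "mech": outer, "mech_types": []}
    seq = read_tlv(read_tlv(body, pos)[1], 0)[1]   # [0] -> SEQUENCE body
    mech_types, mech_token, p = [], b"", 0
    while p < len(seq):
        ctag, cval, p = read_tlv(seq, p)
        if ctag == 0xA0:                           # mechTypes: SEQUENCE OF OID
            lst, q = read_tlv(cval, 0)[1], 0
            while q < len(lst):
                _, oid_b, q = read_tlv(lst, q)
                mech_types.append(decode_oid(oid_b))
        elif ctag == 0xA2:                         # mechToken: OCTET STRING
            mech_token = read_tlv(cval, 0)[1]
    preferred = mech_types[0] if mech_types else None
    # WDSSO needs Kerberos as the preferred mech and a GSS krb5 token inside it
    ok = preferred in (OID_KRB5, OID_MS_KRB5) and mech_token[:1] == b"\x60"
    return {"scheme": scheme, "ok": ok, "mech": NAMES.get(preferred, preferred),
            "mech_types": mech_types, "mech_token_len": len(mech_token)}

def sample_headers() -> dict:
    """Constructed headers: Kerberos-in-SPNEGO, NTLM-in-SPNEGO, and Basic."""
    krb = spnego_init_token([OID_MS_KRB5, OID_KRB5], krb5_mech_token(FAKE_AP_REQ))
    ntlm = spnego_init_token([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")
    return {"kerberos": "Negotiate " + base64.b64encode(krb).decode(),
            "ntlm": "Negotiate " + base64.b64encode(ntlm).decode(),
            "basic": "Basic " + base64.b64encode(b"veronica:hunter2").decode()}
```

If a user keeps getting 401 from the module, capture the header and run it through `inspect_negotiate`: a `mech` of `NTLMSSP` means the browser never asked the KDC for a ticket (site not in the trusted/intranet list, wrong SPN, or no ticket in the client's cache), and no amount of server-side configuration will fix that.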

    #3229
     Victor Ake
    Participant

    Here is more info about how the WinSSO module works in OpenAM:
    https://wikis.forgerock.org/confluence/display/openam/How+does+OpenAM+work+with+Windows+Desktop+SSO

    #3231
     Skeggy88
    Participant

    Ok, I understand, but I need to know where the Kerberos tickets are stored (on the client machine or the KDC/OpenAM server) and whether this ticket can be used by the client machine (for example to perform SSH).
    Do you have more docs about this subject?
    Thanks for your help

    #3246
     Skeggy88
    Participant

    I followed the guide that you sent me. The 401 error disappeared after the browser settings, and I can log in to OpenAM. But I can’t access with a user that is only present in the Kerberos DB (and not in OpenID).
    Furthermore, I’d like to know where the Kerberos tickets are stored (on the client machine or the KDC/OpenAM server) and whether this ticket can be used by the client machine (for example to perform SSH).
    Thanks,
    Veronica

    #3260
     Victor Ake
    Participant

    Have you tried disabling the “User Profile” Required parameter in the “All Core Settings” of the Authentication tab for the realm? That will allow you to authenticate in OpenAM without needing to have a profile in OpenAM.

    If you see the diagram I referred to, you will see:

    6. The TGT obtained by the user’s browser is returned to the OpenAM.
    7. OpenAM decrypts the TGT with the previously configured key
    8. OpenAM Authenticates the user with the KDC/AD by using the Kerberos decrypted ticket

    So the module gets a TGT, because the browser negotiates the TGT with the KDC, and it gets inserted in the Authorization header. You can check the source code of the module, and read a little bit on how Kerberos works, to see if you can implement what you want.

    Or perhaps what you want is to create a PAM module on your Unix servers that is able to consume an OpenAM SSO token instead, if what you want is SSH?

    Cheers,
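Where the tickets live, as an added example that is not part of the thread or of OpenAM's code: with MIT Kerberos the TGT and every service ticket the client obtains with it sit in a credential cache on the client machine (by default `FILE:/tmp/krb5cc_<uid>`, overridable with `KRB5CCNAME`, and listed by `klist`), never on OpenAM. Each entry also carries the ticket's session key, which is why the cache is mode 0600 and owned by the user. What OpenAM sees is only the AP-REQ the browser derives from the `HTTP/<host>` entry; it never sees the TGT or the cache. `ssh` with `GSSAPIAuthentication yes` reads the same cache to obtain a `host/<server>` ticket, so if the cache holds a valid TGT, SSH works without a password, and the TGT is passed on to the server only if it is forwardable and `GSSAPIDelegateCredentials` is on. The parser below reads the version-4 FILE cache format and reports what the client could do with it; the sample cache is constructed in-process with the included writer, and the key and ticket bytes in it are placeholders, not real Kerberos data.

```python
"""Parse a MIT Kerberos credential cache (FILE: ccache, format version 4) to
see which tickets a client holds. Added example, not OpenAM or MIT code. The
sample cache is written in-process by the same code; key and ticket bytes are
placeholders, not real Kerberos data."""
import struct

# ticket_flags bits as stored in the cache (MIT krb5.h TKT_FLG_* values)
FLAGS = {0x40000000: "forwardable", 0x20000000: "forwarded", 0x10000000: "proxiable",
         0x00800000: "renewable", 0x00400000: "initial", 0x00200000: "pre_authent"}

def _cos(data: bytes) -> bytes:
    """counted_octet_string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _principal(name: str) -> bytes:
    """'comp1/comp2@REALM' -> name_type, component count, realm, components."""
    who, realm = name.rsplit("@", 1)
    comps = who.split("/")
    out = struct.pack(">II", 1, len(comps)) + _cos(realm.encode())   # 1 = NT-PRINCIPAL
    return out + b"".join(_cos(c.encode()) for c in comps)

def write_ccache(default_principal: str, creds: list) -> bytes:
    """Serialise a version-4 cache; creds are (server, enctype, key, auth, end, flags, ticket)."""
    header = struct.pack(">HHii", 1, 8, 0, 0)                # tag 1 DeltaTime: 0 s, 0 us
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header + _principal(default_principal)
    for server, enctype, key, auth, end, flags, ticket in creds:
        out += _principal(default_principal) + _principal(server)
        out += struct.pack(">H", enctype) + _cos(key)         # keyblock: the session key
        out += struct.pack(">IIII", auth, auth, end, end)      # authtime starttime endtime renew_till
        out += b"\x00" + struct.pack(">I", flags)              # is_skey, ticket_flags
        out += struct.pack(">II", 0, 0)                        # no addresses, no authdata
        out += _cos(ticket) + _cos(b"")                        # ticket, second_ticket
    return out

class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def cos(self) -> bytes:
        return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                                     # name_type, not needed here
        n = self.u32()
        realm = self.cos().decode()
        return "/".join(self.cos().decode() for _ in range(n)) + "@" + realm

def read_ccache(buf: bytes) -> dict:
    """Return the default principal and one entry per cached credential."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                                    # header fields (DeltaTime etc.)
    cache = {"default_principal": r.principal(), "creds": []}
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        enctype, key = r.u16(), r.cos()
        authtime, starttime, endtime, renew_till = (r.u32() for _ in range(4))
        r.take(1)                                      # is_skey
        flags = r.u32()
        for _ in range(r.u32()):                       # addresses: addrtype + data
            r.u16()
            r.cos()
        for _ in range(r.u32()):                       # authdata: adtype + data
            r.u16()
            r.cos()
        ticket, second_ticket = r.cos(), r.cos()
        cache["creds"].append({"client": client, "server": server, "enctype": enctype,
                               "session_key_len": len(key), "endtime": endtime,
                               "flags": sorted(n for b, n in FLAGS.items() if flags & b),
                               "ticket_len": len(ticket)})
    return cache

def usable_for(cache: dict, service: str, now: int) -> str:
    """What GSS-API on the client can do for `service` with this cache right now."""
    realm = cache["default_principal"].rsplit("@", 1)[1]
    live = [c for c in cache["creds"] if c["endtime"] > now]
    if any(c["server"] == service for c in live):
        return "cached service ticket"
    if any(c["server"] == "krbtgt/%s@%s" % (realm, realm) for c in live):
        return "TGT present: client can ask the KDC for a ticket"
    return "nothing usable: user must kinit again"

def sample_cache(now: int = 1_700_000_000) -> bytes:
    """Constructed cache: a forwardable TGT, a ticket for OpenAM, an expired host ticket."""
    realm = "EXAMPLE.COM"
    tgt_flags = 0x40000000 | 0x00400000 | 0x00200000   # forwardable, initial, pre_authent
    return write_ccache("veronica@" + realm, [
        ("krbtgt/%s@%s" % (realm, realm), 18, b"K" * 32, now - 60, now + 36000, tgt_flags, b"T" * 40),
        ("HTTP/openam.example.com@" + realm, 18, b"S" * 32, now - 30, now + 36000, 0x00200000, b"H" * 40),
        ("host/old.example.com@" + realm, 18, b"O" * 32, now - 90000, now - 3600, 0, b"X" * 40)])
```

Run `read_ccache(open("/tmp/krb5cc_1000", "rb").read())` on a real MIT cache to see the same picture `klist -f` gives; recent MIT versions also store configuration entries as pseudo-credentials whose server principal starts with `krb5_ccache_conf_data`, which this parser lists like any other entry.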

    #3263
     Skeggy88
    Participant

    Yes, I disabled it, but nothing changed.
    I have already written a custom PAM module to use for Samba login (web Samba client), but I can’t do the same with SSH (not web).
    Thanks for all your advice, I’ll try again and again :P
    Bye,
    Veronica

©2022 ForgeRock