Anonymous_User

Absent Member.
2016-09-22
14:14
1240 views
Integrating Kerberos contract in reverse proxy
Hi All,
I'm doing a POC on Kerberos and fallback class integration.
Can somebody tell me how I can integrate a Kerberos contract in a protected
resource?
Completed the following things before I'm doing this.
* Prerequisites checked
* Configuring the AD part is completed
-> Configured the user account
-> Created the key tab file
* Identity server configurations completed
-> Userstore, class, Method is created
-> bcslogin file created, keytab copied
-> Verified the configuration (received the commit succeeded)
* Reverse proxy configuration completed
-> reverse proxy is created
* Now need to know what all things required for the integration of
Kerberos in reverse proxy and steps for that.
Thanks,
Agnel
--
Agnel_Vincent
------------------------------------------------------------------------
Agnel_Vincent's Profile: https://forums.netiq.com/member.php?userid=8450
View this thread: https://forums.netiq.com/showthread.php?t=56609
15 Replies
ncashell1

Absent Member.
2016-09-23
08:14
Re: Integrating Kerberos contract in reverse proxy
Hi Agnel, looks like you did pretty much everything. You simply need to create the kerb contract (you did class/method), and assign it to the protected resource you created on the proxy. An area where things often go wrong is with the browser settings - here are a few tips depending on the browser you use:
# If you are using Internet Explorer, configure the browser to trust the IDP:
Click Tools > Internet Options > Security > Local intranet > Sites > Advanced.
In the Add this website to the zone field, enter the Base URL for the IDP, then click Add.
In the configuration example, this URL is idplogin.netiq.com.
Click Close, then click OK.
Click Tools > Internet Options > Advanced.
Verify in the Security section that Enable Integrated Windows Authentication is selected, then click OK.
Restart the browser.
# If you are using Firefox, configure the browser to trust the IDP:
In the URL field, specify about:config.
In the Filter field, specify network.n.
Double-click network.negotiate-auth.trusted-uris.
This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Specify a comma-delimited list of trusted domains or URLs.
For this example configuration, add idplogin.netiq.com to the list.
Click OK, then restart your browser.
HTH, Neil
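One way to check whether the browser settings above took effect is to look at the headers of the 401 exchange with the IDP, taken from the browser developer tools or a proxy trace. The following is an added example, not part of the original post or the product: the function names and the sample token are constructed, and the byte-pattern match is a heuristic rather than a full SPNEGO parser.

```python
import base64

# DER-encoded OIDs (tag 0x06 + length + value) identifying the GSS mechanism.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"

# Constructed sample: the start of an NTLM type 1 message, as sent on fallback.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()


def gss_mech_oid(token):
    """Return the DER OID that follows the GSS-API 0x60 header, or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip DER length
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    return token[pos:pos + 2 + token[pos + 1]]


def classify_authorization(value):
    """Classify the Authorization header value the browser sent."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if NTLM_SIG in token:  # raw NTLM, or NTLM carried inside SPNEGO
        return "ntlm-fallback"
    mech = gss_mech_oid(token)
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    if mech == OID_SPNEGO and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "unknown"


def diagnose(challenges, authorization):
    """Combine the server's WWW-Authenticate values with the browser's retry."""
    if not any(c.strip().lower().startswith("negotiate") for c in challenges):
        return "server did not offer Negotiate"
    if authorization is None:
        return "no token sent: check intranet zone / trusted-uris"
    return classify_authorization(authorization)
```

Calling `diagnose(["Negotiate"], SAMPLE_NTLM)` returns `ntlm-fallback`, which typically means the browser trusted the site but could not obtain a Kerberos service ticket for the IDP host name.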
Anonymous_User

Absent Member.
2016-09-27
07:04
Re: Integrating Kerberos contract in reverse proxy
Thanks for your reply Neil. Will do it.
Just wanted to know one more thing: do we need to get any more
information regarding the application which we are going to access using
Kerberos authentication?
Because as per the document I have created an Identity injection policy
to inject the Kerberos token to the header. But how can I confirm
whether the configuration given is correct or wrong?
Thanks,
Agnel


Knowledge Partner
2016-09-27
10:52
Re: Integrating Kerberos contract in reverse proxy
On 9/27/2016 4:04 PM, Agnel Vincent wrote:
>
> Thanks for your reply Neil. Will do it.
>
> Just wanted to know one more thing: do we need to get any more
> information regarding the application which we are going to access using
> Kerberos authentication?
> Because as per the document I have created an Identity injection policy
> to inject the Kerberos token to the header. But how can I confirm
> whether the configuration given is correct or wrong?
I'm a little confused, you are saying you want kerberos authentication.
Is that to the Identity Provider (as per your first post, which is what
you configured) but now you are saying you are going to inject a
kerberos token?
Is the back end application using kerberos authentication?
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-09-27
11:44
Re: Integrating Kerberos contract in reverse proxy
Hi,
The back end application is working on a form fill authentication. We
want the user who logged in to AD to have the Kerberos authentication.
For that we have created a reverse proxy and are now trying to incorporate
Kerberos in it.
Thanks,
Agnel


Knowledge Partner
2016-09-27
12:04
Re: Integrating Kerberos contract in reverse proxy
On 9/27/2016 8:44 PM, Agnel Vincent wrote:
>
> Hi,
>
> The back end application is working on a form fill authentication. We
> want the user who logged in to AD to have the Kerberos authentication.
> For that we have created a reverse proxy and are now trying to incorporate
> Kerberos in it.
>
> Thanks,
> Agnel
>
>
Ah ok, then as per Neil's direction, assign the kerberos contract to the
protected resource. That should do it.
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-09-30
07:55
Re: Integrating Kerberos contract in reverse proxy
Hi All,
Just one more doubt. In my case the user is having separate IDs and
passwords to enter into AD and Application.
But we need to have the Kerberos enabled only when the user is logged
into the AD. Is this possible?
Thanks,
Agnel


Knowledge Partner
2016-09-30
14:13
Re: Integrating Kerberos contract in reverse proxy
On 9/30/2016 4:55 PM, Agnel Vincent wrote:
>
> Hi All,
>
> Just one more doubt. In my case the user is having separate IDs and
> passwords to enter into AD and Application.
> But we need to have the Kerberos enabled only when the user is logged
> into the AD. Is this possible?
You'll need to pull this information out of the directory stored on each
user object. I guess the username is straightforward but I'm not sure
how you manage the password.
Do you have Identity Manager? If so, enable password sync?
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-09-30
14:27
Re: Integrating Kerberos contract in reverse proxy
When I test the configuration I'm getting the following error in the
Browser.
"Content was blocked because it was not signed by a valid security
certificate"
I added the site to trusted sites, enabled Integrated Windows
Authentication, imported external certificate for the application.
But still I'm getting this error.
Thanks,
Agnel


Knowledge Partner
2016-09-30
14:57
Re: Integrating Kerberos contract in reverse proxy
On 9/30/2016 11:27 PM, Agnel Vincent wrote:
>
> When I test the configuration I'm getting the following error in the
> Browser.
>
> "Content was blocked because it was not signed by a valid security
> certificate"
> I added the site to trusted sites, enabled Integrated Windows
> Authentication, imported external certificate for the application.
>
> But still I'm getting this error.
>
> Thanks,
> Agnel
>
>
Did you actually import the trusted root or just the cert?
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-09-30
15:14
Re: Integrating Kerberos contract in reverse proxy
Yes, imported the certificate and it is showing in the External Trusted
roots.
Thanks,
Agnel


Knowledge Partner
2016-09-30
22:32
Re: Integrating Kerberos contract in reverse proxy
On 10/1/2016 12:14 AM, Agnel Vincent wrote:
>
> Yes, imported the certificate and it is showing in the External Trusted
> roots.
Somehow I doubt you imported the correct trusted root. Can you provide a
screenshot of the error and Firefox (I guess you're using FF as you're
talking about external trusted roots)?
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-10-02
11:24
Re: Integrating Kerberos contract in reverse proxy
Hi Edward,
PFA the screenshot of the error I'm getting.
Thanks,
Agnel
+----------------------------------------------------------------------+
|Filename: Kerb_Error.png |
|Download: https://forums.netiq.com/attachment.php?attachmentid=486 |
+----------------------------------------------------------------------+


Knowledge Partner
2016-10-03
12:51
Re: Integrating Kerberos contract in reverse proxy
On 10/2/2016 9:24 PM, Agnel Vincent wrote:
>
> Hi Edward,
>
> PFA the screenshot of the error I'm getting.
>
> 486
>
> Thanks,
> Agnel
>
>
> +----------------------------------------------------------------------+
> |Filename: Kerb_Error.png |
> |Download: https://forums.netiq.com/attachment.php?attachmentid=486 |
> +----------------------------------------------------------------------+
>
What browser is this?
--
Cheers,
Edward
Anonymous_User

Absent Member.
2016-10-05
10:04
Re: Integrating Kerberos contract in reverse proxy
The browser I'm using is Internet Explorer.
Currently I'm getting the "Error:Unable to complete request at this
time. " error. Do you know why it is happening?
Thanks,
Agnel