Kerberos Authentication Support for SM Backend Application (Servlets) & Connect.It SM Connector

Idea ID 2751729


This idea is to enhance the Service Manager Backend Application servlets and the Connect.It ServiceManager Connector to support Kerberos Authentication.

We refer here to Service Manager 9.6x Codeless/Classic.

At a customer in Zurich the IT Security Architecture decided to deprecate NTLMv2 authentications with the intention to use and support Kerberos Authentication only.

Currently we have Single Sign On based on Kerberos configured and supported for all users accessing Service Manager through the webtier.

But we are still operating several SM Servlets configured for LDAP Authentication to support, for instance:

- REST Webservices Integrations
- Connect.It Interfaces

The only option currently offered by the Backend Application is TSO (Trusted Sign On). TSO is not an option at all, since it requires generating a certificate for each client and importing it on the server into the trusted client keystore. This would create a lot of maintenance effort and would certainly not be accepted by the Webservice consumers (we are aware that a shared certificate could be used as well, but we do not consider this to be secure).

The current LDAP Authentication in SM is based on NTLMv2. NTLMv2 is quite an old technology and today is not considered to be secure anymore.

Further information on why NTLMv2 should not be used anymore:

NTLMv1 hashes could be cracked in seconds with today's computing power, since they are always the same length and are not salted.

NTLMv2 is a little better, since it uses a variable-length, salted hash, but not that much better. Even though the hash is salted before it is sent, it is saved unsalted in the machine's memory.
And of course, when we talk about NTLM, we talk about a challenge/response mechanism, which exposes the password to offline cracking when responding to the challenge.

Kerberos provides several advantages over NTLM:
- More secure: No password stored locally or sent over the net.
- Best performance: improved performance over NTLM authentication.
- Delegation support: Servers can impersonate clients and use the client's security context to access a resource.
- Simpler trust management: Avoids the need to have p2p trust relationships in a multiple-domain environment.
- Supports MFA (Multi Factor Authentication)

1 Comment
Micro Focus Frequent Contributor
Status changed to: Waiting for Votes