Wiki source code of Einmalanmeldung
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
15.1 | 1 | //Single sign-on// for {{smallcaps}}Ntlm{{/smallcaps}} and Kerberos is a {{formcycle/}} license module which is subject to additional costs. |
 |
11.2 | 2 | |
| |
1.1 | 3 | {{content/}} |
| 4 | |||
| |
15.1 | 5 | {{figure image="single_sign_on_ntlm_en.png" width="600"}} |
| 6 | User interface for setting up {{smallcaps}}Ldap{{/smallcaps}} authentication via {{smallcaps}}Ntlm{{/smallcaps}}. Available only if the license allows it. | ||
 |
8.3 | 7 | {{/figure}} |
| |
1.1 | 8 | |
| |
15.1 | 9 | {{smallcaps}}Ntlm{{/smallcaps}} (NT LAN Manager) can be used to authenticate users of a form. |
| |
1.1 | 10 | |
| |
15.1 | 11 | A common use case are forms used internally by some company, and that may be accessed only by the employees of that company. The user data of the active directory can be accessed via {{smallcaps}}Ntlm{{/smallcaps}}. |
| 12 | |||
| |
1.1 | 13 | {{info}} |
| |
15.1 | 14 | {{smallcaps}}Ntlm{{/smallcaps}} may not be available depending on your license. |
| |
1.1 | 15 | {{/info}} |
| 16 | |||
| |
15.1 | 17 | == Using NTLM == |
| |
1.1 | 18 | |
| |
15.1 | 19 | Activate this option to use {{smallcaps}}Ntlm{{/smallcaps}}. |
| |
1.1 | 20 | |
| |
15.1 | 21 | === Synchronize with {{fserver/}} === |
| |
1.1 | 22 | |
| |
15.1 | 23 | Activate this option to transmit the current configuration to all connected and available {{fserver number="plural"/}} when saving these settings. |
| |
1.1 | 24 | |
| |
15.1 | 25 | === Domain controller host === |
| |
1.1 | 26 | |
| |
15.1 | 27 | The host (FQN) of the active directory controller used for authenticating users via {{smallcaps}}Ntlm{{/smallcaps}} and transmitting their data over {{smallcaps}}Ldap{{/smallcaps}}. |
| |
1.1 | 28 | |
| |
8.10 | 29 | {{code language="none"}} |
| |
15.1 | 30 | Example: domain.example.com |
| |
1.1 | 31 | {{/code}} |
| 32 | |||
| |
15.1 | 33 | Connection to the {{smallcaps}}Ldap{{/smallcaps}} server for the {{smallcaps}}Ldap{{/smallcaps}} search account has been established successfully |
| |
1.1 | 34 | |
| |
15.1 | 35 | == NTLM authentication == |
| |
1.1 | 36 | |
| |
15.1 | 37 | The following settings are required for enabling users to authenticate via {{smallcaps}}Ntlm{{/smallcaps}}. |
| |
1.1 | 38 | |
| |
15.1 | 39 | === Host name of the domain controller host === |
| |
1.1 | 40 | |
| |
15.1 | 41 | The host name of the active directory controller. |
| 42 | |||
| |
8.10 | 43 | {{code language="none"}} |
| |
15.1 | 44 | Example: domain |
| |
1.1 | 45 | {{/code}} |
| 46 | |||
| |
15.1 | 47 | === Windows domain name === |
| |
1.1 | 48 | |
| |
15.1 | 49 | Different forms of the domain name can be used depending on the active directory. |
| |
1.1 | 50 | |
| |
8.10 | 51 | {{code language="none"}} |
| |
15.1 | 52 | Example: example.de oder example0 |
| |
1.1 | 53 | {{/code}} |
| 54 | |||
| 55 | {{info}} | ||
| |
15.1 | 56 | Here you must specify the domain name to which the user accounts to be authenticated belong. |
| 57 | This domain name may be different from the domain of the computer account (This is the computer's NetBIOS name, not the DNS / FQDN name). | ||
| |
1.1 | 58 | |
| |
15.1 | 59 | The Windows domain name to be used can be determined, for example, by opening a Windows console (//Start / Run / cmd//) on a client logged into the domain and entering the following command: |
| |
1.1 | 60 | **echo %userdomain%** |
| 61 | {{/info}} | ||
| 62 | |||
| |
15.1 | 63 | === Computer account === |
| |
1.1 | 64 | |
| |
15.1 | 65 | The computer account must have been granted permission to perform user verification. It **must not be** a regular user account. |
| |
1.1 | 66 | |
| 67 | {{info}} | ||
| |
15.1 | 68 | A computer account is recognizable by the '$' character in the domain name. e.g. example$@domain.de |
| |
1.1 | 69 | {{/info}} |
| 70 | |||
| |
15.1 | 71 | Help pages of ca technologies on [[creating a computer account for NTLM authentication on active directory server.>>https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/access-control-assertions/require-ntlm-authentication-credentials-assertion/creating-a-computer-account-for-ntlm-authentication.html||rel="__blank" title="Creating a Computer Account for NTLM Authentication"]] |
| |
1.1 | 72 | |
| |
15.1 | 73 | === computer account password === |
| |
1.1 | 74 | |
| |
15.1 | 75 | Password of the computer account. |
| |
1.1 | 76 | |
| |
15.1 | 77 | == LDAP user lookup == |
| |
1.1 | 78 | |
| |
15.1 | 79 | The following settings concern the user lookup after a successful {{smallcaps}}Ntlm{{/smallcaps}} authenication. |
| |
1.1 | 80 | |
| 81 | === Port === | ||
| 82 | |||
| |
15.1 | 83 | The port for connecting to the {{smallcaps}}Ldap{{/smallcaps}} server for the user lookup. |
| |
1.1 | 84 | |
| |
15.1 | 85 | === SSL encryption === |
| |
1.1 | 86 | |
| |
15.1 | 87 | Enables SSL encryption when communicating the the {{smallcaps}}Ldap{{/smallcaps}} server. |
| |
1.1 | 88 | |
| |
15.1 | 89 | === Hop count === |
| |
1.1 | 90 | |
| |
15.1 | 91 | The number of hop counts or referrals. Setting this to 0 disables following references. |
| |
1.1 | 92 | |
| |
15.1 | 93 | === User account (with domain) === |
| |
1.1 | 94 | |
| |
15.1 | 95 | Account to be used for looking up users. It must have been granted permission to perform user lookup. |
| |
1.1 | 96 | |
| |
8.10 | 97 | {{code language="none"}} |
| |
15.1 | 98 | Example: ldap@example.de |
| |
1.1 | 99 | {{/code}} |
| 100 | |||
| |
15.1 | 101 | === User account password === |
| |
1.1 | 102 | |
| |
15.1 | 103 | Password of the user account. |
| |
1.1 | 104 | |
| |
15.1 | 105 | === Base DN für user lookup === |
| |
1.1 | 106 | |
| |
15.1 | 107 | {{smallcaps}}Ldap{{/smallcaps}} base DN used for looking up authenticated users. |
| |
1.1 | 108 | |
| |
8.10 | 109 | {{code language="none"}} |
| |
15.1 | 110 | Example: ou="users", dc="example", dc="de" |
| |
1.1 | 111 | {{/code}} |
| |
1.4 | 112 | |
| 113 | |||
| |
15.1 | 114 | |
| 115 | == Settings for Kerberos authentication == | ||
| 116 | |||
| 117 | {{figure image="single_sign_on_kerberos_en.png" width="600"}} | ||
| 118 | User interface for editing the settings for Kerberos authentication. Available only when the license includes this option. | ||
| |
2.1 | 119 | {{/figure}} |
| |
1.4 | 120 | |
| |
15.1 | 121 | Kerberos can be used to authenticate form users. This is often used for internal forms meant only for the employees of a company. The data of the current user can be retrieved from an active directory as well. |
| |
1.4 | 122 | |
| |
15.1 | 123 | Kerberos authentication is available only when the license includes this option. |
| |
1.4 | 124 | |
| |
15.1 | 125 | === Use Kerberos === |
| |
1.4 | 126 | |
| |
15.1 | 127 | Activate this switch to enable Kerberos authentication. |
| |
1.4 | 128 | |
| |
15.1 | 129 | === Synchronize with frontend server === |
| |
1.4 | 130 | |
| |
15.1 | 131 | When activated, all changes to the configuration will be sent to all available frontend servers. |
| |
1.4 | 132 | |
| |
15.1 | 133 | === Username === |
| |
1.4 | 134 | |
| |
15.1 | 135 | The Window Domain account required for accessing the Key Distribution Center (KDC) and beginning the authentication process. |
| |
1.4 | 136 | |
| |
15.1 | 137 | Normally this is the user account of the active directory that is setup as a service account. |
| 138 | |||
| |
1.4 | 139 | {{info}} |
| |
15.1 | 140 | When no //default_realm// has been specified in the section //[libdefaults]// of the file //krb5.conf//, you will need to enter the username with a domain (FQDN). |
| 141 | Example: user@EXCAMPLE.COM | ||
| |
1.4 | 142 | {{/info}} |
| 143 | |||
| |
10.1 | 144 | {{info}} |
| |
15.1 | 145 | To this user you must, in Active Directory for example, register the Domians to be used as ServiePrincipalName beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx||target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn||target="_blank"]]. |
| |
10.1 | 146 | {{/info}} |
| 147 | |||
| 148 | (% class="wikigeneratedid" %) | ||
| |
15.1 | 149 | === Password === |
| |
1.4 | 150 | |
| |
15.1 | 151 | Password of the service account. |
| |
1.4 | 152 | |
| |
15.1 | 153 | === File krb5.conf === |
| |
1.4 | 154 | |
| |
15.1 | 155 | Enter the content of the file //krb5.conf//, ie. the configuration file for Kerberos. |
| |
1.4 | 156 | |
| |
15.1 | 157 | Among other settings, the available encryption methods, the current real and its mapping to a KDC should be set. |
| |
1.4 | 158 | |
| |
15.1 | 159 | ==== File structure ==== |
| |
1.4 | 160 | |
| |
15.1 | 161 | The file format is similar to Windows INI files. It contains of individual sections, introduced by their names in brackets. Each section may or may not contain several key-value pairs: |
| 162 | |||
| 163 | {{code language="javascript" title=""}} | ||
| |
1.4 | 164 | foo = bar |
| 165 | {{/code}} | ||
| 166 | |||
| |
15.1 | 167 | or |
| |
1.4 | 168 | |
| |
15.1 | 169 | {{code language="javascript" title=""}} |
| |
1.4 | 170 | foobar = { |
| 171 | foo = bar | ||
| 172 | some = input | ||
| 173 | } | ||
| 174 | {{/code}} | ||
| 175 | |||
| |
15.1 | 176 | ==== Section names ==== |
| |
1.4 | 177 | |
| |
15.1 | 178 | * {{litem title="[libdefaults]"}} Contains settings used by the Kerberos library v5.{{/litem}} |
| 179 | * {{litem title="[realms]~}~} Realm-specific settings and contact information.{{/litem~}~} | ||
| 180 | * {{litem title="}}A list of supported session key encryption methods that should be requested by the client when performing an AS (authentication server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.{{/litem}} | ||
| 181 | * ~{~{litem title="default_tgs_enctypes}}A list of supported session key encryption methods that should be requested by the client when performing a TGS (ticket granting server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.~{~{/litem}} | ||
| 182 | * {{litem title="permitted_enctypes"}}: A list of all allowed session key encryption methods.{{/litem}} | ||
| |
1.4 | 183 | |
| |
15.1 | 184 | A simple configuration for the //[libdefaults]// section might look as follows: |
| |
1.4 | 185 | |
| |
15.1 | 186 | {{code language="javascript" title=""}} |
| |
1.4 | 187 | [libdefaults] |
| 188 | default_realm = EXAMPLE.COM | ||
| |
15.1 | 189 | default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 |
| 190 | default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 | ||
| 191 | permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 | ||
| |
1.4 | 192 | {{/code}} |
| 193 | |||
| 194 | ===== [realms] ===== | ||
| 195 | |||
| |
15.1 | 196 | Each key in the //[realms]// section represents the name of a Kerberos realm. The value is a list of mappings, defining the properties of each realm. The following properties can be set: |
| |
1.4 | 197 | |
| |
15.1 | 198 | * kdc: The name or address of a server running a KDC (key distribution center) for this realm, usually the server with the active directory. When necessary, the port number can be specified by appending it separated by a column. |
| |
1.4 | 199 | |
| |
15.1 | 200 | A simple configuration for the //[realms]// section might look as follows: |
| |
1.4 | 201 | |
| |
15.1 | 202 | {{code language="javascript" title=""}} |
| |
1.4 | 203 | [realms] |
| 204 | EXAMPLE.COM = { | ||
| 205 | kdc = domain.example.com | ||
| 206 | } | ||
| 207 | {{/code}} | ||
| 208 | |||
| 209 | ===== [domain_realm] ===== | ||
| 210 | |||
| |
15.1 | 211 | The section //[domain_realm]// contains a mapping from domain names or host names to Kerberos realm names. The key can be a host or domain name, but domain names must be prefixed with a period. The value must be the name of a Kerberos realm for this host or domain. Host and domain names should be spelled with lower case letters. |
| |
1.4 | 212 | |
| |
15.1 | 213 | A simple configuration for the //[domain_realm]// section might look as follows: |
| |
1.4 | 214 | |
| |
15.1 | 215 | {{code language="javascript" title=""}} |
| |
1.4 | 216 | [domain_realm] |
| 217 | .example.com = EXAMPLE.COM | ||
| 218 | {{/code}} | ||
| 219 | |||
| |
15.1 | 220 | === File login.conf === |
| |
1.4 | 221 | |
| |
15.1 | 222 | The content of the file //login.conf//, which contains login-related settings such as the authentication method between clients and servers. |
| |
1.4 | 223 | |
| |
15.1 | 224 | A sample configuration might look as follows: |
| |
1.4 | 225 | |
| 226 | {{code language="java" title=""}} | ||
| 227 | spnego-client { | ||
| 228 | com.sun.security.auth.module.Krb5LoginModule required; | ||
| 229 | }; | ||
| 230 | |||
| 231 | spnego-server { | ||
| 232 | com.sun.security.auth.module.Krb5LoginModule required | ||
| 233 | refreshKrb5Config=true | ||
| 234 | storeKey=true | ||
| 235 | isInitiator=false; | ||
| 236 | }; | ||
| 237 | {{/code}} | ||
| 238 | |||
| |
15.1 | 239 | === Client module name === |
| |
1.4 | 240 | |
| |
15.1 | 241 | The name in the //login.conf// file for the client to be used, eg. {{code language="none"}}spnego-client{{/code}}. |
| |
1.4 | 242 | |
| |
15.1 | 243 | === Server module name === |
| |
1.4 | 244 | |
| |
15.1 | 245 | The name in the //login.conf// file for the server to be used, eg. {{code language="none"}}spnego-server{{/code}}. |
| |
1.4 | 246 | |
| |
2.1 | 247 | {{error}} |
| |
15.1 | 248 | When you keep getting a HTTP 400 error with Kerberos activated, the most likely cause is that the HTTP header size of the Kerberos ticket exceeds the default header size limit of the application server, eg. Tomcat of JBoss. See the help pages on [[changing the HTTP header size limit>>doc:Formcycle.SystemSettings.TomcatSettings.LimitHTTPHeader]]. |
| |
1.4 | 249 | {{/error}} |
| 250 | |||
| |
15.1 | 251 | == LDAP user search == |
| |
1.4 | 252 | |
| |
15.1 | 253 | The following settings are required to retrieve information about the authenticated user from an {{smallcaps}}Ldap{{/smallcaps}} (MS active directory). This data is then available in the form and can be accessed by JavaScript code. |
| |
1.4 | 254 | |
| |
15.1 | 255 | === Domain controller host === |
| |
1.4 | 256 | |
| |
15.1 | 257 | FQN (fully qualified name) and port of the active directory controller. |
| |
1.4 | 258 | |
| |
15.1 | 259 | Example: {{code language="none"}}domain.example.com Port: 389{{/code}} |
| |
1.4 | 260 | |
| |
15.1 | 261 | === SSL connection === |
| |
1.4 | 262 | |
| |
15.1 | 263 | When activated, all communications with the LDAP server will be encrypted with SSL. |
| |
1.4 | 264 | |
| |
15.1 | 265 | === Referral hops === |
| |
1.4 | 266 | |
| |
15.1 | 267 | The maximum number of referral hops that may be performed on the LDAP server. Setting this to {{code language="none"}}0{{/code}} deactivates referral hops and no references will be followed. |
| |
1.4 | 268 | |
| |
15.1 | 269 | === User account (with domain) === |
| |
1.4 | 270 | |
| |
15.1 | 271 | This account must have been granted permission to send search queries to the active directory. |
| 272 | |||
| |
1.4 | 273 | {{info}} |
| |
15.1 | 274 | This needs to be a username suffixed with the domain. |
| 275 | Example: {{code language="none"}}user@EXCAMPLE.COM{{/code}} | ||
| |
1.4 | 276 | {{/info}} |
| 277 | |||
| |
15.1 | 278 | === User account password === |
| |
1.4 | 279 | |
| |
15.1 | 280 | Password for the user account. |
| |
1.4 | 281 | |
| |
15.1 | 282 | === Base DN for user lookup === |
| |
1.4 | 283 | |
| |
15.1 | 284 | The LDAP baseDN used for looking up the authenticated user. |
| |
1.4 | 285 | |
| |
15.1 | 286 | Example: {{code language="none"}}ou="intern", dc="example", dc="com"{{/code}} |
| |
1.4 | 287 | |
| |
15.1 | 288 | == Make user data available to forms == |
| |
1.4 | 289 | |
| |
15.1 | 290 | The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code language="none"}}window.XFC_METADATA.user.rawData{{/code}} and can be accessed via JavaScript. |
| 291 | |||
| |
1.4 | 292 | {{info}} |
| |
15.1 | 293 | Which data the JSON structure contains under the rawData property depends mainly on the read rights of the LDAP account, which executes the user search in the LDAP system. |
| |
1.4 | 294 | {{/info}} |
| 295 | |||
| |
15.1 | 296 | To access the property ~/~/userPrincipalName~/~/ of the user from JavaScript, use the following code: |
| |
1.4 | 297 | |
| |
8.13 | 298 | {{code language="javascript"}} |
| |
1.4 | 299 | try { |
| 300 | // Auslesen der Property und Anzeige in einem Label | ||
| 301 | var elem = $('[name=txt1]'); | ||
| |
8.13 | 302 | var ldap = XFC_METADATA.user.rawData; |
| |
1.4 | 303 | if(ldap.hasOwnProperty('userPrincipalName')) { |
| |
8.13 | 304 | elem.html(ldap.userPrincipalName); |
| |
1.4 | 305 | } |
| 306 | } catch (err) {} | ||
| 307 | {{/code}} |