HTTP/SPNEGO for "SSO" on MS Windows

Hi all of you!
The scene is simple: I got a software (all in plain Java) and some simple web access to this system. (It's not a real web server which will be in need of Apache or some big container, it's just a few accesses to some information of the software.)
The client company is all MS Windows, and it's used to some SSO approach;
they got an AD server on Win2003, all laptops are under WinXP Pro and got IE at least version 6.
Now the question is this:
I got
- a guy (properly authenticated) who is
- using IE (properly set up)
- on a computer (properly attached to AD)
to access a resource URL of my app.
It's quite simple to send him an HTTP 401 or 407 so IE goes back to the AD server and gets its token,
BUT how can I manage in Java to extract the account used by the client
from the SPNEGO token? This is all I need.
I can't find any help on this, so please, if someone can help me in this...
I'm lost... Thanks in advance for a simple hint or a URL linking me on the good path.

I forgot:
OK for the configuration, thanks to some of your posts (thanks all),
I know all the important steps to be followed.
For example I quote danielshrem's last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
<quote>
Hey Seema,
Indeed my server's principal was not the correct one, now everything is cool with RC4 encryption.
For all u dudes out there in need of Java HTTP Kerberos auth, here's a few simple configuration procedures:
1. On the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). The SPN has to be in the format HTTP/host@Realm or HTTP/host (this SPN worked for me). If u don't know exactly which SPN u need, u can sniff an HTTP session in Ethereal and look for Kerberos AP Req-->ticket-->Server Name. From what I gather this is the principal the clients use.
2. On the DC add a mapping to the newly created SPN (use ktpass.exe).
3. On the host running the service create a keytab file containing the newly created HTTP principal (use Java's ktab.exe).
4. Make sure the SPN is set up OK by running kinit and passing the newly created keytab file and the newly created SPN.
Once u receive an OK result you are good to go (login and authenticate users).
Hope this helps,
Daniel.
</quote>
My problem (I know it must sound stupid): how do I extract the login account from this?
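One way to do the server side of the exchange, added here as an example and not code from the thread or from Sun's samples: it assumes Java 8+, a JAAS entry named HttpService backed by the keytab and HTTP/host SPN created in the quoted steps, and the krb5 realm/KDC system properties shown in the comment.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.*;

// Turns "Authorization: Negotiate <base64>" into the client's Kerberos principal.
// Assumed JAAS entry (passed with -Djava.security.auth.login.config=<file>):
//   HttpService {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true storeKey=true isInitiator=false
//       keyTab="/path/to/http.keytab" principal="HTTP/host.example.com@EXAMPLE.COM";
//   };
// plus -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=dc.example.com
public class SpnegoAcceptor {
    private static final String SPNEGO = "1.3.6.1.5.5.2";          // SPNEGO mechanism OID
    private static final String KRB5 = "1.2.840.113554.1.2.2";     // Kerberos V5 mechanism OID
    private static final byte[] NTLM_MAGIC = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    // principal is null until the context is established; replyToken (if any) goes back
    // to the browser in "WWW-Authenticate: Negotiate <replyToken>"
    public static final class Result {
        public final String principal;    // e.g. "jdoe@EXAMPLE.COM": the account IE used
        public final String replyToken;
        Result(String principal, String replyToken) { this.principal = principal; this.replyToken = replyToken; }
    }

    private final Subject serviceSubject;

    public SpnegoAcceptor(String jaasEntry) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();                                   // loads the HTTP/host key from the keytab
        serviceSubject = lc.getSubject();
    }

    // No header or no usable token: caller answers 401 with "WWW-Authenticate: Negotiate".
    public Result accept(String authorizationHeader) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Negotiate ")) {
            return new Result(null, null);
        }
        final byte[] inToken = Base64.getDecoder().decode(authorizationHeader.substring(10).trim());
        if (inToken.length >= NTLM_MAGIC.length
                && Arrays.equals(Arrays.copyOf(inToken, NTLM_MAGIC.length), NTLM_MAGIC)) {
            // IE silently falls back to NTLM inside "Negotiate" when it gets no Kerberos ticket
            // (wrong SPN, host outside the intranet zone); JGSS cannot consume NTLM, so stop here.
            return new Result(null, null);
        }
        return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Result>() {
            public Result run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                Oid[] mechs = { new Oid(SPNEGO), new Oid(KRB5) };   // wrapped or raw Kerberos tokens
                GSSCredential cred = mgr.createCredential(null,
                        GSSCredential.INDEFINITE_LIFETIME, mechs, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(cred);
                try {
                    byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
                    String reply = out == null ? null : Base64.getEncoder().encodeToString(out);
                    if (!ctx.isEstablished()) return new Result(null, reply);  // another 401 round
                    return new Result(ctx.getSrcName().toString(), reply);
                } finally {
                    ctx.dispose();
                }
            }
        });
    }
}
```

Kerberos normally completes in a single round, so the first call that returns a non-null principal is the authenticated account; the name should be taken only from getSrcName(), never from anything the client puts in another header.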

Similar Messages

  • WL v8.1 sp4 (SPNEGO for SSO)

    Hi,
I would like to check whether the latest SSO feature (using Single Pass Identity Assertion) for sp4 works out of the box (with the necessary required server configurations of course) for UNIX installations. Any dependencies that the WLS or some components must run on Windows? Thank you very much.
    Cheers,
    Damon :-)

    Hello ,
    Do also have a look at this
    http://e-docs.bea.com/wls/docs81/secintro/archtect.html#1066333
    Kuldeep

  • How to Set UserId in Http Header for SSO?

    Hello All,
I have a requirement to set the userid into the HTTP header so that I can use the "Header Variables for User Authentication" module provided by SAP to achieve SSO.
Could someone let me know how I can achieve this? I know about the HTTPServlet.setheader() method, but I need to set it using my Java application. Is there any way to set the HTTP header using Java? I have already done a lot of googling, but haven't got any results.
I am sure that there must definitely be a way in which we can add the user id into the HTTP header; in all the results, they tell about adding it using the HTTP Servlet or PHP and so on, but I need to add it from Java (setting REMOTE_USER as "mysapuserid").
    I have already added the "HeaderVariableLoginModule" in my login stack in the 2nd position, as per
    http://help.sap.com/saphelp_nw04/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    Any pointers will be helpful,
    Meghana
    Edited by: Meghana Phadke on Apr 14, 2008 2:49 PM

    Hi
As I understand, your Java application is an EP client; check the framework HttpClient:
    http://hc.apache.org/httpclient-3.x/
    http://hc.apache.org/httpclient-3.x/tutorial.html
Hope this helps,
    Jakub Krecicki

  • HTTP Server for Windows 64 bit not on the companion CD

    Hi,
    I cannot find the HTTP Server for Windows 64 bit on the companion CD. Any idea where I can get it from? For the 32bit version the HTTP Server is on the Companion CD.
    Thanks in advance,
    Florin

If I am correct the reason should be: Oracle Application Server 10g will run as a 32-bit application.
    Following platforms have the same media in either case:
    Microsoft Windows 32-bit and EM64T/AMD64
    (Not Itanium-64, which is separate and referred to as "Windows 64-bit")
    Linux x86 and Linux x86-64
    Solaris Sparc 32-bit and Solaris Sparc 64-bit
As the Oracle Application Server 10g will be run as a 32-bit application, see the Installation Guide or readme files for any specific steps on these 64-bit platforms.
Refer to Note 433061.1 - How to Obtain Application Server 10g Media, Patchsets, and Patches.

  • SPNego for multi-forest using IBM JDK

    Hi All,
I need to set up SPNego authentication for EP7 and IBM JDK for a multi-forest landscape (2 Active Directory domains). There's a guide about how to do this for Sun JDK: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c771c3d3-0c01-0010-b5b6-86755a2cf778 but I need one for IBM JDK as the login stack modules are different.
Can anyone supply me with a guide or any helpful information regarding this? Do you know if it works? I've currently got SPNego working for a single domain.
Thanks in advance,
    Anthony

    Jan,
OK, thanks. I will now explain how I think we can help.
Firstly, to be sure you understand: I represent a SAP partner company known as CyberSafe, and we have a product which uses SPNEGO for Kerberos authentication in a browser environment, so my answer relates mainly to our product functionality, and not to the SAP login module, which has less functionality.
I must also apologise in case anybody reading this thread has an issue with me discussing non-SAP software. My view is that the most important thing on this forum is to help you (the SAP customer) get a solution that meets your needs, and if this involves SAP Partner products as well as SAP products, then that is acceptable.
Firstly, our product does not use the Java implementation of Kerberos. Instead, we use a JNI (Java Native Interface) so that our host-based Kerberos library can be used to implement the protocol. This means that any differences between IBM, SUN or any other vendor JDK version related to Kerberos functionality, multi-domain support etc. are not relevant to our product. We support many things in our product which are not supported in Java implementations of Kerberos, so you don't need to wait for new versions of JDK to take advantage.
Secondly, and perhaps more relevant to this discussion, is that our login module authenticates the user by decrypting the service ticket received using the key in the Key Table File on the host, and then we map this principal name onto a SAP user id. We then (via the login module stack) cause the SAP system to issue an SSO2 logon ticket for this user id. The secret is the way we perform the mapping: we are not dependent on UME datasources for this, and I will describe below how we achieve mapping by using an example:
Let's suppose a user is authenticated as user.name@DOMAIN1, the SAP system login module has been set up using domain 2 (Realm = DOMAIN2) and trusted via a key in a key table file, with principal name of HTTP/hostname@DOMAIN2. Then, using normal Kerberos cross-realm trust and cross-realm TGTs, the browser requests a ticket from AD for HTTP/hostname@DOMAIN2, and this is issued by AD in domain 2 using the cross-realm TGT, but the principal name of the authenticated user inside this service ticket is user.name@DOMAIN1. The login module on the SAP server can decrypt the ticket it receives to find the user's Kerberos principal name.
So, the login module knows the user is user.name@DOMAIN1; it then has to decide how to determine the SAP user id. Our login module currently supports two different methods of performing this mapping, but we are adding more methods in each release to make the product even more flexible. Currently we support the following methods:
1. Simple mapping - this is where we remove the realm name and convert the principal name to upper case, so in this example user.name@DOMAIN1 would be mapped to a SAP userid of USER.NAME and used to issue an SSO2 ticket. Clearly this is only suitable for single domains, and makes administration very easy - many of our customers use this method, but you would need a different mapping method due to your multiple domains.
2. USRACL mapping - Since we also sell an SNC product for SAP GUI SSO, our customers already maintain mapping of Kerberos principal name to SAP user id using a table in the ABAP engine called USRACL. This table is maintained using the SU01 transaction. We now have support in our login module to read the USRACL table using the authenticated Kerberos principal name of the user (e.g. user.name@DOMAIN1) and find the required SAP user id, so that an SSO2 logon ticket can be issued.
I hope this helps you understand. If you are interested in more detail about our product, and how we might be able to help you, please feel free to contact me offline instead of via this forum.
    Thanks,
    Tim

  • HTTP/SPNEGO Authentication

    Hi,
Having read in posting http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15 that "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens", I'm still wondering why the getPasswordAuthentication() in class MyAuthenticator of Sun's HTTP/SPNEGO example (2nd case, http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Example) is not called upon starting the client without giving any arguments, i.e.
    java RunHttpSpnego http://www.ad.local/hello/hello.html
    From the server the client receives a
    WWW-Authenticate: Negotiate
    response, and the client should enter the HTTP/SPNEGO challenge/response protocol.
    To summarize, class MyAuthenticator looks like:
    class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            // I haven't checked getRequestingScheme() here, since for NTLM
            // and Negotiate, the username and password are all the same.
            System.err.println("Feeding username and password for "
                + getRequestingScheme());
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }
    It should be called as a side effect of openConnection() upon executing the following code:
    Authenticator.setDefault(new MyAuthenticator());
    URL url = new URL(args[0]);
    InputStream ins = url.openConnection().getInputStream();
    ...
    My client environment is Windows Vista, Java 1.6.0_16, and the client is not a member of an Active Directory.

    Perhaps the issue is with this quote:
    "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens"
    I believe the HttpURLConnection class in JDK 1.6 can handle NTLM.
    Meaning, if you logon to your workstation as a domain user and run the java code, it is probably using NTLM.
    I recall noticing this when I put TCPMon between the workstation and the server.

  • How do I disable "Exceptions" button for "Block pop-up windows" in Content tab?. I am able to Disable other Exception buttons in this tab using about:config preference.

    Need a way to disable "Exception" button for "Block Pop-up windows" in Tools-> Options -> Content tab. I want to be able to do this for Locking Down Firefox preferences.
    == User Agent ==
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

That button doesn't have a pref associated with it, so you can't disable that button with a pref on the about:config page or a lockPref call.
    That only leaves the choice to remove that button with code in userChrome.css:
    #popupPolicyButton {display:none!important;}
    See http://kb.mozillazine.org/Editing_configuration#How_to_edit_configuration_files

  • HT1426 How do I find the iTunes64.msi file for my iTunes on Windows 7?

    iTunes64.msi is missing and I can't update or uninstall my iTunes without that file.  Is there any way to either download it or find it?  This is the message that pops up when I try looking for it.

    Download the Windows Installer CleanUp utility from the following page (use one of the links under the "DOWNLOAD LOCATIONS" thingy on the Major Geeks page):
    http://majorgeeks.com/download.php?det=4459
    To install the utility, doubleclick the msicuu2.exe file you downloaded.
    Now run the utility ("Start > All Programs > Windows Install Clean Up"). In the list of programs that appears in CleanUp, select any iTunes entries and click "Remove", as per the following screenshot:
    Quit out of CleanUp, restart the PC and try another iTunes install. Does it go through properly this time?

• My hard-drive crashed, I own Lightroom 5, where can I download it again to reinstall it. The ADOBE email I had has links that no longer work (thanks for that). Running Windows 7 Home Premium

My hard-drive crashed, I own Lightroom 5, where can I download it again to reinstall it. The ADOBE email I had has links that no longer work (thanks for that). Running Windows 7 Home Premium

    Hello Andrea,
did you try this: http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop_lightroom&promoid&promoid=DTEML
    What concerns your eMail, you should talk to Adobe; please have a look there: http://helpx.adobe.com/de/contact.html by clicking through their questions, and if "open" please use chat, I had the best experiences.
    Hans-Günter

• HT204406 Please help!  I have downloaded the 64 bit version of iTunes for my Sony running Windows 8.  I have iTunes running on 3 other machines (Macs) with no issue.  On the Sony with Windows every time I turn on iTunes Match Windows fails, everything shu

I have downloaded the 64 bit version of iTunes for my Sony running Windows 8.  Install went fine and I can get in to iTunes and see the music residing on this machine.  However, every time that I try to run iTunes Match Windows crashes.  So frustrating.  BTW, this worked fine until a couple of weeks ago.  Anyone know what's going on?

    How big is your library?  I would recommend the following troubleshooting steps:
    - Backup your library.  Always a good idea before messing with things.  
    - Create a new library.   Refer to this article for details:  http://support.apple.com/kb/HT1589.  This won't delete your old library, you're just creating a new empty one.  Also refer to this article to get back to your old library later.
    - Add a few albums into this new library.  Not everything, just a small sampling, as a test.
    - Activate Match on this new library.  You shouldn't have to re-pay, it should just say "Add Computer" or similar.
    - At this point, Match should run again. With just a few albums it should complete in just a few minutes.
If iTunes doesn't crash at this point, then likely there's something about your original library that Match doesn't like - what that is I don't know, but at least you'll know it's not your PC.   If iTunes still crashes, then it could be a number of other things, but probably not your library.   My next suggestion (if you haven't already done this) is to uninstall / reinstall iTunes.   If that doesn't work, then my next ideas you won't like.

  • Unable to install itunes for new computer with windows 8

    unable to install itunes for new computer with windows 8
    states this app unable to run on this PC

    Hello jgrn76,
    It sounds like you are getting an error stating that the iTunes installer cannot be run on your computer. I would try downloading the 64 bit version of iTunes from here:
    iTunes 11.1.3 for Windows (64-bit)
    http://support.apple.com/kb/DL1615
    If issues persist when trying to install it, I would try running through the steps in the article named:
    Issues installing iTunes or QuickTime for Windows
    http://support.apple.com/kb/ht1926
    Otherwise, would you mind elaborating a bit on what the error message says, word for word?
    Thank you for using Apple Support Communities.
    Regards,
    Sterling

  • Preparation for installing bootcamp and windows 7, and in the absence of a DVD drive

I am not sure that I submitted this with the right boxes ticked, so I am resubmitting it!
    In preparation for installing bootcamp and windows 7, and in the absence of a DVD drive on my MacBook Air, before starting, can I partition my external drive (for use with my Mac) to have an ISO image file location for Windows downloads? 
    Cyfromayo

    The Boot Camp instructions are located here: http://www.apple.com/support/bootcamp/
    The Boot Camp Discussion Community is located here: https://discussions.apple.com/community/windows_software/boot_camp

  • How to Force enable, silent updates for Adobe flash in windows 8

How to force-enable updates silently for Adobe Flash in Windows 8 using Group Policy?
    I have followed this article:
    http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
    http://gpyall.com/archives/disable-adobe-flash-updates-on-64-bit-windows-with-group-policy/
    This looks promising but is not working.
    Also, I cannot even manually create a file in Win 8 (C:\Windows\SysWOW64\Macromed\Flash).
    So how would Group Policy put mms.cfg in this location with the following values:
    AutoUpdateDisable=0
    SilentAutoUpdateEnable=1
    Thanks in Advance.

You will find more information in http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_11_7_admin_guide.pdf

• Turbo Boost problem for DV6-2170ee with Windows 7 Professional SP1 32 bit

Hello everybody,
    For:
    HP DV6-2170ee with i7 720QM processor
    System: Windows 7 Professional SP1 32 bit
    I have a strange problem: while I am working on battery the processor can boost up to 2.6, but when I connect it to the AC adapter charger, no boost is there?!!!!
    Checked through the internet and did the following:
    1. Updated the BIOS.
    2. Checked power options and used the same settings as in battery mode.
    3. Observed processor temperature through CPUID HWMonitor; it's almost 65, lower than 67 in the battery case.
    4. Searched all over the whole internet, Google, Yahoo...
    5. Each time I try to install SP50038, which is the driver for Intel Turbo Boost, it gives an error message "your pc doesn't meet the minimum requirement".
    Till the moment no solution, could you please help me?
    Thank you for your time and I hope to receive solutions soon..
    Thanks in advance ;-)

    Hi,
    To answer your last question first, the Turbo Boost Technology Driver is only intended for processors with an integrated GPU - the i7-720QM does not have this.
    More difficult is why you observe no Turbo Boost on AC Power.
    Try the following.
    Shut down the notebook.  Tap away at f10 as soon as you start the notebook to enter the bios menu.  Press f5 to load the defaults ( this is sometimes f9, but the menu at the bottom will show the correct key ), use the arrow keys to select 'Yes' and hit enter.  Press f10 to save the setting and again use the arrow keys to select 'Yes' and hit enter.
    When windows has reloaded, download and install the Turbo Boost Technology Monitor from Intel on the following link and see what this shows.
    http://www.intel.com/support/processors/sb/CS-031038.htm?
    Regards,
    DP-K
    Microsoft MVP - Windows Experience

  • How to set mozilla firefox homepage for all users in windows 7?

I want to set the same homepage for all users in Windows 7.

    You can use a mozilla.cfg file in the Firefox program folder to lock prefs or specify new (default) values.
    Place a local-settings.js file in the defaults\pref folder where also the channel-prefs.js file is located to specify using mozilla.cfg.
    pref("general.config.filename", "mozilla.cfg");
    These functions can be used in the mozilla.cfg file:
    defaultPref(); // set new default value
    pref(); // set pref, but allow changes in current session
    lockPref(); // lock pref, disallow changes
    See:
    *http://kb.mozillazine.org/Locking_preferences
    *http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/
