John,
I have often wanted to ask you this question:

'What is it that the BMC Provided SSO doesn't offer that your solution does'

I don't want this to be a marketing sales pitch for your product by any
means, but you consistently balk at the community SSO solution and allude
to its vulnerabilities, yet you and I have never sat down (in private, or
in a public forum such as this) and discussed what some of those
vulnerabilities are and what problems they can cause.

At a previous job I implemented SSO using the community example. I
utilized Tomcat on Solaris, and because of that I couldn't use IIS
passthrough of the credentials, so I ended up using SPNEGO
(http://spnego.sourceforge.net/) to provide Kerberos authentication to
Tomcat, and even though it was relatively complicated to set up, once set
up it was pretty solid with very few issues.

At my current job there is a modified version of the same community plugin
in place that is using the IIS passthrough and works just as well.

Earlier today I was told about a tool named 'Waffle'
(https://github.com/dblock/waffle) which seems to be similar to the SPNEGO
library I used previously, but a bit more flexible, and if I was still at
my old job I might consider utilizing it.

Now, my understanding regarding one of your complaints about the community
SSO is that it uses request responses and the 'getRemoteUser' function to
provide the user ID to the plugin, which is then passed between the web
server and the app server for authentication.

Why is that a vulnerability?

I look forward to your response.

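The mechanism described in the question (the web server authenticates the user, then hands the user ID from getRemoteUser to the app server) is safe only if the app server can tell that the ID really came from the authenticating front end. The following is an added illustration, not code from the community SSO plugin, from JSS or from BMC, and it makes no claim about what the community plugin actually does. It shows the generic failure mode in the smallest possible form: an app server that accepts a forwarded user ID as a plain header will accept the same header from anyone who can reach it directly, whereas binding the forwarded ID to the front end with a shared-secret HMAC and a freshness window lets the app server reject forged and replayed assertions. The header name X-Remote-User, the shared key and the usernames are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed for the example: a secret known only to the authenticating
# web server (the front end that did Kerberos/NTLM) and the app server.
SHARED_KEY = b"example-shared-secret-do-not-reuse"

# Hypothetical header name used to forward the identity between the tiers.
IDENTITY_HEADER = "X-Remote-User"


def naive_remote_user(headers):
    """Unsafe pattern: trust whatever user ID the request carries.

    Anyone who can open a connection to the app server (bypassing the
    front end) can put any name in this header and become that user.
    """
    return headers.get(IDENTITY_HEADER)


def sign_remote_user(user, key=SHARED_KEY, now=None):
    """Front-end side: bind the authenticated user ID to a timestamp and
    a MAC so the app server can verify who produced it and when."""
    if "|" in user:
        raise ValueError("'|' is the field separator and is not allowed in user IDs")
    ts = int(now if now is not None else time.time())
    msg = f"{user}|{ts}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{ts}|{tag}"


def verify_remote_user(header_value, key=SHARED_KEY, now=None, max_age=300):
    """App-server side: accept the user ID only if the MAC matches the
    shared key and the assertion is fresh. Returns the user or None."""
    if not isinstance(header_value, str):
        return None
    parts = header_value.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, ts_s, tag = parts
    try:
        ts = int(ts_s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    cur = int(now if now is not None else time.time())
    if not (0 <= cur - ts <= max_age):
        return None  # stale or post-dated: treat a captured header as replayed
    return user


def hardened_remote_user(headers, key=SHARED_KEY, now=None):
    """Drop-in replacement for naive_remote_user that verifies the binding."""
    return verify_remote_user(headers.get(IDENTITY_HEADER), key=key, now=now)


def demo(now=1_700_000_000):
    """Walk through the attack against the naive check and its failure
    against the hardened one. Returns a dict of outcomes for inspection."""
    # Constructed sample: the front end legitimately authenticated 'alice'.
    good = {IDENTITY_HEADER: sign_remote_user("alice", now=now)}
    # Constructed sample: an attacker connecting straight to the app server
    # claims to be 'Demo' (the typical ITSM administrator account name).
    forged = {IDENTITY_HEADER: "Demo"}
    # Constructed sample: attacker re-sends alice's header long after the fact.
    replayed = {IDENTITY_HEADER: good[IDENTITY_HEADER]}
    return {
        "naive_accepts_forged": naive_remote_user(forged),
        "hardened_accepts_good": hardened_remote_user(good, now=now + 10),
        "hardened_accepts_forged": hardened_remote_user(forged, now=now + 10),
        "hardened_accepts_replay": hardened_remote_user(replayed, now=now + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

A shared-secret MAC is only one way to establish the binding; restricting the app server's listener to the front end's address or requiring mutual TLS between the tiers achieves the same goal. Whichever is used, the property to check for in any passthrough SSO deployment is that a request arriving at the app server without having been authenticated by the front end cannot assert an identity.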

On Thu, May 30, 2013 at 10:39 AM, John Baker <jba...@javasystemsolutions.com> wrote:

> Sandra,
>
> What you need to achieve is Integrated Windows Authentication. What BMC
> are proposing is deploying part of the protocol, so you're bound to find
> instances where it doesn't work. Microsoft have tried going "Kerberos
> only" and couldn't make it work; there's some documentation on their
> website suggesting an "Impact assessment" is carried out before moving
> to Kerberos only.
>
> In any corporate network, you need
> Kerberos+NTLMv2+NegotiateExtensions+etc. There's a video on the BMC
> communities forum recorded by a BMC AtriumSSO engineer stating that "it
> will work 80% of the time" - a glowing endorsement :-)
>
> The problem faced by BMC is the OpenSSO/AM product that has been
> re-badged to AtriumSSO does not provide IWA, so you don't get it for
> free.
>
>
> John
> --
> JSS SSO Plugin for BMC ITSM, ITBM, Analytics, Kinetic, and more.
>
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> "Where the Answers Are, and have been for 20 years"
>
