Windows Cross Domain SSO
Hello,

If two domains are in a trust relationship, you can configure a product to authenticate NTLMv2 tokens against one and it'll handle tokens from the second domain. Unfortunately, AtriumSSO is the OpenSSO/AM product with a BMC badge and has no Integrated Windows Authentication module, and making just Kerberos work is not only difficult but often unreliable. Some chap from BMC made a video on how to configure AtriumSSO with Kerberos and admitted himself that it's not reliable. I believe the video is on BMC DN somewhere.

This topic is difficult because few companies have tried very hard to build a Java IWA adapter: large specialist SSO companies such as Ping still supply bits of one, and Quest's old Kerberos+NTLMv1 (note: not secure) adapter is still being flogged (although I heard they may have an NTLMv2 component at some point). And even when both Kerberos+NTLMv2 are glued together, there are lots of edge cases (Negotiate Extensions, NTLM wrapped in SPNEGO tokens [which most people think is a Kerberos token; it's not], NTLM tokens without domain names, or even, curiously, bits of an SPN that puzzle even me). Typically, people can get most users working with a non-IWA solution but will find a subset of users can't authenticate correctly, particularly those connecting from VPN solutions, and hence support becomes a headache (plus it's embarrassing for the person who implemented/paid for it).

The most common non-Java route is to put an IIS instance in front of Tomcat, but this means the SSO token is being decoded at IIS and not in the web application, which many penetration testing/security related outfits would not admire. I know of at least one BMC Elite Partner knocking out this solution to unsuspecting customers who end up paying a lot of money for a dirty solution.

JSS felt a lot of pain some years ago when we tried the Kerberos-only route, and quickly realised we needed to invest heavily in a reliable IWA adapter. It's in use by many of BMC's largest clients today, and has quickly begun to gain traction in entirely different markets: most recently, an adapter for the Jive Software solution that powers BMC DN.

Adding to all of this, there's a lot more to a quality SSO solution than making IWA work with the BMC product set: what happens if two users named deaster exist in domains A and B, one with deaster and the other with deaster2 as AR System Login Names? What about the different user repositories in each BMC product: do you want to manage each separately? Users without accounts in ITSM, etc, etc. AREA LDAP is of course plain old LDAP and not in scope.

John
--
SSO Plugin for BMC ITSM, and more.
http://www.javasystemsolutions.com/jss/ssoplugin

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years
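The post above makes the point that a token arriving in an "Authorization: Negotiate" header is not necessarily Kerberos: it may be a SPNEGO wrapper carrying NTLMSSP, or even a bare NTLMSSP message. The following is an added example (not code from the thread, from JSS or from BMC) that decodes such a header far enough to say what the client actually sent: raw NTLM, a bare Kerberos GSS-API token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanism is preferred and whether the inner mechToken is NTLMSSP. The BER walk follows the GSS-API InitialContextToken framing (RFC 2743) and NegTokenInit (RFC 4178); the mechanism OIDs are the standard Kerberos, MS-KRB5, NTLMSSP and NegoEx identifiers. The sample headers at the bottom are constructed with a small encoder for the example and are not real captures; the Kerberos AP-REQ body in them is a placeholder.

```python
"""Classify what an HTTP Negotiate/NTLM Authorization header really carries."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS_KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value (single-byte tags suffice for GSS/SPNEGO framing)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted string from the content octets of an OID."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def classify_token(tok):
    """Describe a decoded token: raw NTLM, bare GSS mech token, or SPNEGO NegTokenInit."""
    if tok.startswith(NTLMSSP_SIG):                     # no SPNEGO wrapper at all
        mt = int.from_bytes(tok[8:12], "little")
        return {"wrapper": "raw-ntlm", "mech": "NTLMSSP", "mech_list": [],
                "ntlm_message": NTLM_MSG_TYPES.get(mt, "UNKNOWN")}
    if not tok or tok[0] != 0x60:                       # [APPLICATION 0] InitialContextToken
        return {"wrapper": "unknown", "mech": None, "mech_list": []}
    _, body, _ = read_tlv(tok)
    tag, oid_raw, pos = read_tlv(body)
    oid = decode_oid(oid_raw) if tag == 0x06 else ""
    if oid != SPNEGO_OID:                               # e.g. a bare krb5 AP-REQ token
        return {"wrapper": "gss", "mech": MECH_NAMES.get(oid, oid or None), "mech_list": []}
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                                     # [0] NegTokenInit expected from a client
        return {"wrapper": "spnego", "mech": None, "mech_list": []}
    _, seq, _ = read_tlv(neg)
    mech_list, mech_token, p = [], b"", 0
    while p < len(seq):                                 # walk the NegTokenInit fields
        ftag, fval, p = read_tlv(seq, p)
        if ftag == 0xA0:                                # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(fval)
            q = 0
            while q < len(lst):
                _, o, q = read_tlv(lst, q)
                mech_list.append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
        elif ftag == 0xA2:                              # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(fval)
    res = {"wrapper": "spnego", "mech": mech_list[0] if mech_list else None, "mech_list": mech_list}
    if mech_token.startswith(NTLMSSP_SIG):              # "Negotiate" header, but NTLM inside
        res["mech"] = "NTLMSSP"
        res["ntlm_message"] = NTLM_MSG_TYPES.get(int.from_bytes(mech_token[8:12], "little"), "UNKNOWN")
    return res


def classify_header(authorization):
    """Accepts the value of an Authorization header: 'Negotiate <b64>' or 'NTLM <b64>'."""
    scheme, _, b64 = authorization.strip().partition(" ")
    res = classify_token(base64.b64decode(b64))
    res["scheme"] = scheme
    return res


# --- constructed sample tokens for the example (not real captures) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _spnego_init(mech_oids, mech_token):
    fields = _tlv(0xA0, _tlv(0x30, b"".join(_oid(o) for o in mech_oids)))
    fields += _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))


# Minimal NTLM NEGOTIATE_MESSAGE: signature, type 1, zeroed flags/domain/workstation fields.
NTLM_NEGOTIATE = NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 20
# Placeholder krb5 InitialContextToken: krb5 OID, TOK_ID 01 00, fake AP-REQ body.
KRB5_TOKEN = _tlv(0x60, _oid("1.2.840.113554.1.2.2") + b"\x01\x00" + b"<AP-REQ>")
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLES = {
    "ntlm_in_spnego": "Negotiate " + _b64(_spnego_init(["1.3.6.1.4.1.311.2.2.10"], NTLM_NEGOTIATE)),
    "krb5_in_spnego": "Negotiate " + _b64(_spnego_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], KRB5_TOKEN)),
    "raw_ntlm": "NTLM " + _b64(NTLM_NEGOTIATE),
    "raw_krb5": "Negotiate " + _b64(KRB5_TOKEN),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify_header(hdr))
```

Paste a header value captured from the browser (Fiddler, a HAR file, or the Tomcat access log if the header is logged) into classify_header. A quick tell without any parsing: a base64 token starting with "TlRMTVNTUAAB" is a raw NTLM NEGOTIATE message, whatever the scheme in front of it says.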
Windows Cross Domain SSO
Suppose I have a setup where all ARS users reside in domain A and the AR installation (mid-tier, AR Server and DB) is in domain B. In order to achieve SSO (Integrated Windows Authentication) for users in domain A against the mid-tier in domain B, what are the prerequisites in terms of domain trusts?

~Nathan
Re: Windows Cross Domain SSO
The way you worded this reminds me entirely too much of the old MCSE exams. :)

In actuality, you don't really need to do anything. You can configure AREA to authenticate from any given AD server; it does not need to reside in your domain.

Thanks,
Steve

On Tue, Mar 5, 2013 at 6:58 PM, Nathan Brandt nathanrbra...@gmail.com wrote:
> Suppose I have a setup where all ARS users reside in domain A and the AR installation (mid-tier, AR Server and DB) is in domain B. In order to achieve SSO (Integrated Windows Authentication) for users in domain A against the mid-tier in domain B, what are the prerequisites in terms of domain trusts?
>
> ~Nathan
Re: Windows Cross Domain SSO
Steve,

It is not only about authentication. For Windows Desktop SSO to work, Kerberos/NTLM tokens have to be passed around. My question is more related to that. You are right about authentication: I can just specify one or more AD servers in domain A (if it is a forest) in the AREA configuration and authentication would work fine.

~Nathan

On Wed, Mar 6, 2013 at 8:33 AM, Steve Kallestad st...@tabtonic.com wrote:
> The way you worded this reminds me entirely too much of the old MCSE exams. :)
>
> In actuality, you don't really need to do anything. You can configure AREA to authenticate from any given AD server; it does not need to reside in your domain.
>
> Thanks,
> Steve
Re: Windows Cross Domain SSO
I am basically looking for answers to the questions asked here: http://stackoverflow.com/questions/13746669/spnego-cross-domain-configuration

I am planning to use Atrium SSO 8.0 with an ARS 8.0 setup to get this working.

~Nathan

On Wed, Mar 6, 2013 at 8:41 AM, Nathan Brandt nathanrbra...@gmail.com wrote:
> Steve,
>
> It is not only about authentication. For Windows Desktop SSO to work, Kerberos/NTLM tokens have to be passed around. My question is more related to that. You are right about authentication: I can just specify one or more AD servers in domain A (if it is a forest) in the AREA configuration and authentication would work fine.
>
> ~Nathan