5 Replies Latest reply on Feb 27, 2015 9:09 AM by jareeq

    Glassfish - Windows Authentication SSO ?

    Paavo

      @VANJ wrote an excellent article, Windows Integrated Authentication - HOWTO, and I would like to know if anyone has succeeded with it in a Glassfish setup.

       

       

      rgrds Paavo

        • 1. Re: Glassfish - Windows Authentication SSO ?
          jareeq

          It works; my config was done before this HOWTO showed up (about 2 years ago, and it is on glassfish), but this aggregates some older data.

          Two things I believe are worth saying. First - on production env I always disable autodeploy. Second - the jaas steps were irrelevant for me.

           

          Currently we are trying to resign from spnego and move to ntlmv2 (commercial), because one of the disadvantages of spnego is a 401 for every request.

          • 2. Re: Glassfish - Windows Authentication SSO ?
            Paavo

            jareeq wrote:

             

            It works; my config was done before this HOWTO showed up (about 2 years ago, and it is on glassfish), but this aggregates some older data.

            Two things I believe are worth saying. First - on production env I always disable autodeploy. Second - the jaas steps were irrelevant for me.

             

            Currently we are trying to resign from spnego and move to ntlmv2 (commercial), because one of the disadvantages of spnego is a 401 for every request.

            Hi, good to know.

             

            What happens when you get a 401 for every request?

            Does it work at all?

             

            Rgrds Paavo

            • 3. Re: Glassfish - Windows Authentication SSO ?
              jareeq

              You probably know that spnego is not one-step - the first response from the server is always 401; more info about it here: Kerberos/SPNEGO in a heterogeneous environment, avoiding 401?

              So, you always ask twice for the same data; authenticating all requests gives some overhead. If you can live with this - spnego is the best solution; if you want to reduce this - you need something different.

              All modern browsers can handle a 401 response with WWW-Authenticate - you really do not see what the browser does in the background.

               

              P.S. I also used this solution: Integrated Windows Authentication in Java with Kerberos SPNEGO; it has a fallback to the basic mechanism, and you can restrict it to ssl connections only to protect the password.

              1 person found this helpful
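
The two-leg exchange and the TLS-only Basic fallback described in reply 3, as an added example that is not part of any post in this thread and not code from the linked projects. The function names, the realm and the sample tokens are constructed for illustration; validating the token (GSS-API acceptor, keytab) is assumed to happen elsewhere.

```python
import base64
import binascii

REALM = "example"  # constructed realm name, an assumption for this sketch

def challenges(secure):
    """WWW-Authenticate values to send with a 401; Basic is offered only over TLS."""
    offered = ["Negotiate"]
    if secure:
        offered.append(f'Basic realm="{REALM}"')
    return offered

def classify(authorization, secure):
    """Classify an Authorization header value; token validation is out of scope."""
    if not authorization:
        return "challenge"            # first leg: answer 401 + challenges()
    scheme, _, value = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic carries the password merely base64-encoded: refuse it on plain HTTP.
        return "basic" if secure else "reject"
    if scheme != "negotiate":
        return "reject"
    try:
        token = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "reject"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                 # client sent raw NTLM inside Negotiate
    if token[:1] == b"\x60":
        return "spnego"               # GSS-API initial context token (ASN.1 tag 0x60)
    return "reject"

def exchange(requests, secure):
    """Status for each request in order (200 = token goes on to the acceptor)."""
    return [401 if classify(a, secure) in ("challenge", "reject") else 200
            for a in requests]

# Constructed sample header values (not real tickets or credentials).
SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00" + b"\x00" * 8).decode()
NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
BASIC = "Basic " + base64.b64encode(b"user:password").decode()

if __name__ == "__main__":
    print(exchange([None, SPNEGO], secure=False))   # the two-leg handshake
    print(classify(NTLM, secure=True), classify(BASIC, secure=False))
```

Logging the `classify` result per request shows how many clients actually complete SPNEGO and how many fall back to NTLM or Basic.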
              • 4. Re: Glassfish - Windows Authentication SSO ?
                Paavo

                Ok, I must confess that I have no experience with the way Kerberos works, especially in a heterogeneous win AD + linux-glassfish - some sso-enabling free or commercial solution.

                 

                Still, I am starting to understand that the browsers authenticate themselves in the background and some browsers can do it in fewer steps than others.

                So in your experience, how much overhead does this cause, and in which 'servers' in the setup?

                Is there a danger that we generate lots of unnecessary requests to AD in vain in the background?

                 

                You mentioned that you have decided to switch to some commercial solution with fewer problems?

                Can you use that in your existing glassfish setup, or do you need a new environment?

                 

                Rgrds Paavo

                • 5. Re: Glassfish - Windows Authentication SSO ?
                  jareeq

                  It is generally the same: glassfish, tomcat, weblogic - the devil is in the details. I'm not an expert in this either; my experience is based on 3 successful configurations :-)

                  I believe the steps of authentication are the same in all browsers; firefox gives more detail in debug mode than IE or chrome.

                  Some browsers can authenticate the user in the domain out of the box (IE); others, like firefox, need some tuning steps if you want to do it smoothly.

                   

                  Sorry, I was not precise when writing about overhead and mixing it with authentication - in fact, reading this, How To Configure Browser-based SSO with Kerberos/SPNEGO and Oracle WebLogic Server, there is some additional traffic to AD generated by the browser, but we never considered this an issue (our admins too).

                  What I was really talking about was this: we have about 200 users daily on several apex apps; a request with test ntlm takes 600 KB, 0,6 s and 18 requests; a request with spnego authentication takes 729 KB and 0,8 s and 26 requests, with caching and gzip enabled in both cases - so there is room for optimization.

                   

                  What we are testing is Jespa - Java Active Directory Integration; there is a jar file and a filter configuration, and we can use this on the current setup with minimal changes, but in fact we have a separate test environment running, cloned from production.

                   

                  Cheers

                  1 person found this helpful