Unison-LastMile-Kerberos
This filter provides a LastMile implementation using Kerberos' S4U2Self and S4U2Proxy extensions to allow for SSO into any Kerberos enabled application.
Prerequisites
Before deploying this filter, you will need to:
- Create a service account and keytab (see the process below for either IPA or Active Directory)
- Make sure that Unison is running on Java 8 (NOT Java 1.7)
- Make sure the box running Unison is a member of the domain (the steps differ depending on whether IPA or Active Directory is used)
Configuration Options
All of the configuration options below are required:
- uidAttributeName - The name of the attribute from the logged-in user that corresponds to the user's login id (uid in IPA or samAccountName in Active Directory)
- targetServicePrincipal - The full Kerberos principal that will consume the service ticket (e.g. HTTP/myhost.mydomain.com@MYDOMAIN.COM)
- keytabPath - The full path to the keytab file on the Unison server (e.g. /usr/local/tremolo/tremolo-service/ext-lib/mykeytab.kt)
- keytabPrincipal - The full Kerberos principal provided by the keytab file (e.g. HTTP/unison.mydomain.com@MYDOMAIN.COM)
Build
The project is built using Maven. Make sure that the JDK being used by Maven is Java 8 or above.
Deploy
- After building, deploy target/unison-lastmile-kerberos-1.0.7.jar to your Unison server's classpath
- Join the Unison server to the domain, making sure that /etc/krb5.conf is properly configured
- Make sure that Unison is using the same DNS servers as the domain
- Add the com.tremolosecurity.unison.proxy.lastmile.kerberos.KerberosLastMile filter in front of your application with the above configuration information
No additional libraries are required.
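The following is an added example and not the project's own code: it shows the GSS-API calls that a filter like this one relies on, and why Java 8 is required (com.sun.security.jgss.ExtendedGSSCredential.impersonate(), which performs S4U2Self, was added in Java 8). The JAAS entry name UnisonS4U, the keytab path, host names and realm are assumed placeholder values.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

/*
 * Assumed JAAS configuration (pass with -Djava.security.auth.login.config=jaas.conf):
 *
 * UnisonS4U {
 *   com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true storeKey=true doNotPrompt=true isInitiator=true
 *     keyTab="/usr/local/tremolo/tremolo-service/ext-lib/mykeytab.kt"    // keytabPath
 *     principal="HTTP/unison.mydomain.com@MYDOMAIN.COM";                  // keytabPrincipal
 * };
 */
public class S4UNegotiateExample {

    /** Builds an HTTP "Authorization: Negotiate ..." value for an already-authenticated user. */
    public static String negotiateHeader(String uid, String realm, String targetSpn) throws Exception {
        // Authenticate as the Unison SPN using the keytab (no user password is ever involved).
        LoginContext lc = new LoginContext("UnisonS4U");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            GSSCredential self = gm.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                     krb5, GSSCredential.INITIATE_ONLY);
            // S4U2Self: ask the KDC for a ticket to ourselves on behalf of the user.
            // Requires +ok_to_auth_as_delegate (IPA) / protocol transition on the Unison SPN.
            GSSName user = gm.createName(uid + "@" + realm, GSSName.NT_USER_NAME);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);
            // S4U2Proxy: use that ticket to obtain a service ticket for the target application.
            // Requires the s4u2proxy delegation ACL (IPA) / constrained delegation to targetSpn.
            GSSName target = gm.createName(targetSpn, GSSName.NT_USER_NAME);
            GSSContext ctx = gm.createContext(target, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return "Negotiate " + Base64.getEncoder().encodeToString(apReq);
        });
    }

    public static void main(String[] args) throws Exception {
        // uidAttributeName value of the logged-in user, the realm, and targetServicePrincipal
        System.out.println(negotiateHeader("alice", "MYDOMAIN.COM",
                                           "HTTP/myhost.mydomain.com@MYDOMAIN.COM"));
    }
}
```

If either KDC-side grant is missing, impersonate() or initSecContext() fails with a GSSException carrying the KDC error, which is the first thing to check when the filter returns an error.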
Generating a Service Account and KeyTab
In order to create the trust between Unison and your application you must tell your Kerberos environment to trust tickets generated by Unison. In the instructions below, the following are used:
- Unison SPN - The Service Principal Name used by Unison when communicating with the KDC
- Application SPN - The Service Principal Name that will be used for the application
FreeIPA / Red Hat Identity Management
- Create the Unison SPN:
$ ipa service-add HTTP/unison.host.domain@DOMAIN --ok-as-delegate=true
- Create the Application SPN
$ ipa service-add HTTP/application.host.domain@DOMAIN --ok-as-delegate=true
- Add the following to 389 Directory Server (IPA's LDAP backend) to allow the Unison SPN to delegate to the Application SPN
# dc=rhelent,dc=lan is the example base DN; substitute your own IPA base DN
dn: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: groupOfPrincipals
objectClass: top
cn: app-http-delegation-targets
memberPrincipal: HTTP/application.host.domain@DOMAIN

dn: cn=unison-http-delegation,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: unison-http-delegation
memberPrincipal: HTTP/unison.host.domain@DOMAIN
ipaAllowedTarget: cn=app-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=rhelent,dc=lan
- Create a keytab for the Unison SPN
$ ipa-getkeytab -s app.host.domain -p HTTP/unison.host.domain@DOMAIN -k unison-s4u.keytab
Once the keytab is created, copy it to the Unison servers and use its path in the configuration.
- On the Unison server, change forwardable = yes to forwardable = true in /etc/krb5.conf (the krb5.conf RFC specifies true/false, but MIT Kerberos also allows yes/no)
- Finally, allow the Unison SPN to get S4U2Self tickets:
$ kadmin.local
...
kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/unison.host.domain
Active Directory
Special Thanks
Special thanks to @ymartin59 for posting the demo this code was built on and @michael-o for pointing me to it and providing great feedback.