Single sign-on - FORMCYCLE Wiki

author	version	line-number	content
1	//Single sign-on// for {{smallcaps}}Ntlm{{/smallcaps}} and Kerberos is a {{formcycle/}} license module which is subject to additional costs.
2
3	{{content/}}
4
5	{{figure image="single_sign_on_ntlm_en.png" width="600"}}
6	User interface for setting up {{smallcaps}}Ldap{{/smallcaps}} authentication via {{smallcaps}}Ntlm{{/smallcaps}}. Available only if the license allows it.
7	{{/figure}}
8
9	{{smallcaps}}Ntlm{{/smallcaps}} (NT LAN Manager) can be used to authenticate users of a form.
10
11	A common use case are forms used internally by some company, and that may be accessed only by the employees of that company. The user data of the active directory can be accessed via {{smallcaps}}Ntlm{{/smallcaps}}.
12
13	{{info}}
14	{{smallcaps}}Ntlm{{/smallcaps}} may not be available depending on your license.
15	{{/info}}
16
17	== Using NTLM ==
18
19	Activate this option to use {{smallcaps}}Ntlm{{/smallcaps}}.
20
21	=== Synchronize with {{fserver/}} ===
22
23	Activate this option to transmit the current configuration to all connected and available {{fserver number="plural"/}} when saving these settings.
24
25	=== Domain controller host ===
26
27	The host (FQN) of the active directory controller used for authenticating users via {{smallcaps}}Ntlm{{/smallcaps}} and transmitting their data over {{smallcaps}}Ldap{{/smallcaps}}.
28
29	{{code language="none"}}
30	Example: domain.example.com
31	{{/code}}
32
33	Connection to the {{smallcaps}}Ldap{{/smallcaps}} server for the {{smallcaps}}Ldap{{/smallcaps}} search account has been established successfully
34
35	== NTLM authentication ==
36
37	The following settings are required for enabling users to authenticate via {{smallcaps}}Ntlm{{/smallcaps}}.
38
39	=== Host name of the domain controller host ===
40
41	The host name of the active directory controller.
42
43	{{code language="none"}}
44	Example: domain
45	{{/code}}
46
47	=== Windows domain name ===
48
49	Different forms of the domain name can be used depending on the active directory.
50
51	{{code language="none"}}
52	Example: example.de oder example0
53	{{/code}}
54
55	{{info}}
56	Here you must specify the domain name to which the user accounts to be authenticated belong.
57	This domain name may be different from the domain of the computer account (This is the computer's NetBIOS name, not the DNS / FQDN name).
58
59	The Windows domain name to be used can be determined, for example, by opening a Windows console (//Start / Run / cmd//) on a client logged into the domain and entering the following command:
60	echo %userdomain%
61	{{/info}}
62
63	=== Computer account ===
64
65	The computer account must have been granted permission to perform user verification. It must not be a regular user account.
66
67	{{info}}
68	A computer account is recognizable by the '$' character in the domain name. e.g. example$@domain.de
69	{{/info}}
70
71	Help pages of ca technologies on [[creating a computer account for NTLM authentication on active directory server.>>https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/access-control-assertions/require-ntlm-authentication-credentials-assertion/creating-a-computer-account-for-ntlm-authentication.html\|\|rel="__blank" title="Creating a Computer Account for NTLM Authentication"]]
72
73	=== computer account password ===
74
75	Password of the computer account.
76
77	== LDAP user lookup ==
78
79	The following settings concern the user lookup after a successful {{smallcaps}}Ntlm{{/smallcaps}} authenication.
80
81	=== Port ===
82
83	The port for connecting to the {{smallcaps}}Ldap{{/smallcaps}} server for the user lookup.
84
85	=== SSL encryption ===
86
87	Enables SSL encryption when communicating the the {{smallcaps}}Ldap{{/smallcaps}} server.
88
89	=== Hop count ===
90
91	The number of hop counts or referrals. Setting this to 0 disables following references.
92
93	=== User account (with domain) ===
94
95	Account to be used for looking up users. It must have been granted permission to perform user lookup.
96
97	{{code language="none"}}
98	Example: ldap@example.de
99	{{/code}}
100
101	=== User account password ===
102
103	Password of the user account.
104
105	=== Base DN für user lookup ===
106
107	{{smallcaps}}Ldap{{/smallcaps}} base DN used for looking up authenticated users.
108
109	{{code language="none"}}
110	Example: ou="users", dc="example", dc="de"
111	{{/code}}
112
113
114
115	== Settings for Kerberos authentication ==
116
117	{{figure image="single_sign_on_kerberos_en.png" width="600"}}
118	User interface for editing the settings for Kerberos authentication. Available only when the license includes this option.
119	{{/figure}}
120
121	Kerberos can be used to authenticate form users. This is often used for internal forms meant only for the employees of a company. The data of the current user can be retrieved from an active directory as well.
122
123	Kerberos authentication is available only when the license includes this option.
124
125	=== Use Kerberos ===
126
127	Activate this switch to enable Kerberos authentication.
128
129	=== Synchronize with frontend server ===
130
131	When activated, all changes to the configuration will be sent to all available frontend servers.
132
133	=== Username ===
134
135	The Window Domain account required for accessing the Key Distribution Center (KDC) and beginning the authentication process.
136
137	Normally this is the user account of the active directory that is setup as a service account.
138
139	{{info}}
140	When no //default_realm// has been specified in the section //[libdefaults]// of the file //krb5.conf//, you will need to enter the username with a domain (FQDN).
141	Example: user@EXCAMPLE.COM
142	{{/info}}
143
144	{{info}}
145	To this user you must, in Active Directory for example, register the Domians to be used as ServiePrincipalName beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx\|\|target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn\|\|target="_blank"]].
146	{{/info}}
147
148	(% class="wikigeneratedid" %)
149	=== Password ===
150
151	Password of the service account.
152
153	=== File krb5.conf ===
154
155	Enter the content of the file //krb5.conf//, ie. the configuration file for Kerberos.
156
157	Among other settings, the available encryption methods, the current real and its mapping to a KDC should be set.
158
159	==== File structure ====
160
161	The file format is similar to Windows INI files. It contains of individual sections, introduced by their names in brackets. Each section may or may not contain several key-value pairs:
162
163	{{code language="javascript" title=""}}
164	foo = bar
165	{{/code}}
166
167	or
168
169	{{code language="javascript" title=""}}
170	foobar = {
171	foo = bar
172	some = input
173	}
174	{{/code}}
175
176	==== Section names ====
177
178	* {{litem title="[libdefaults]"}} Contains settings used by the Kerberos library v5.{{/litem}}
179	* {{litem title="[realms]~}~} Realm-specific settings and contact information.{{/litem~}~}
180	* {{litem title="}}A list of supported session key encryption methods that should be requested by the client when performing an AS (authentication server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.{{/litem}}
181	* ~{~{litem title="default_tgs_enctypes}}A list of supported session key encryption methods that should be requested by the client when performing a TGS (ticket granting server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.~{~{/litem}}
182	* {{litem title="permitted_enctypes"}}: A list of all allowed session key encryption methods.{{/litem}}
183
184	A simple configuration for the //[libdefaults]// section might look as follows:
185
186	{{code language="javascript" title=""}}
187	[libdefaults]
188	default_realm = EXAMPLE.COM
189	default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
190	default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
191	permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
192	{{/code}}
193
194	===== [realms] =====
195
196	Each key in the //[realms]// section represents the name of a Kerberos realm. The value is a list of mappings, defining the properties of each realm. The following properties can be set:
197
198	* kdc: The name or address of a server running a KDC (key distribution center) for this realm, usually the server with the active directory. When necessary, the port number can be specified by appending it separated by a column.
199
200	A simple configuration for the //[realms]// section might look as follows:
201
202	{{code language="javascript" title=""}}
203	[realms]
204	EXAMPLE.COM = {
205	kdc = domain.example.com
206	}
207	{{/code}}
208
209	===== [domain_realm] =====
210
211	The section //[domain_realm]// contains a mapping from domain names or host names to Kerberos realm names. The key can be a host or domain name, but domain names must be prefixed with a period. The value must be the name of a Kerberos realm for this host or domain. Host and domain names should be spelled with lower case letters.
212
213	A simple configuration for the //[domain_realm]// section might look as follows:
214
215	{{code language="javascript" title=""}}
216	[domain_realm]
217	.example.com = EXAMPLE.COM
218	{{/code}}
219
220	=== File login.conf ===
221
222	The content of the file //login.conf//, which contains login-related settings such as the authentication method between clients and servers.
223
224	A sample configuration might look as follows:
225
226	{{code language="java" title=""}}
227	spnego-client {
228	com.sun.security.auth.module.Krb5LoginModule required;
229	};
230
231	spnego-server {
232	com.sun.security.auth.module.Krb5LoginModule required
233	refreshKrb5Config=true
234	storeKey=true
235	isInitiator=false;
236	};
237	{{/code}}
238
239	=== Client module name ===
240
241	The name in the //login.conf// file for the client to be used, eg. {{code language="none"}}spnego-client{{/code}}.
242
243	=== Server module name ===
244
245	The name in the //login.conf// file for the server to be used, eg. {{code language="none"}}spnego-server{{/code}}.
246
247	{{error}}
248	When you keep getting a HTTP 400 error with Kerberos activated, the most likely cause is that the HTTP header size of the Kerberos ticket exceeds the default header size limit of the application server, eg. Tomcat of JBoss. See the help pages on [[changing the HTTP header size limit>>doc:Formcycle.SystemSettings.TomcatSettings.LimitHTTPHeader]].
249	{{/error}}
250
251	== LDAP user search ==
252
253	The following settings are required to retrieve information about the authenticated user from an {{smallcaps}}Ldap{{/smallcaps}} (MS active directory). This data is then available in the form and can be accessed by JavaScript code.
254
255	=== Domain controller host ===
256
257	FQN (fully qualified name) and port of the active directory controller.
258
259	Example: {{code language="none"}}domain.example.com Port: 389{{/code}}
260
261	=== SSL connection ===
262
263	When activated, all communications with the LDAP server will be encrypted with SSL.
264
265	=== Referral hops ===
266
267	The maximum number of referral hops that may be performed on the LDAP server. Setting this to {{code language="none"}}0{{/code}} deactivates referral hops and no references will be followed.
268
269	=== User account (with domain) ===
270
271	This account must have been granted permission to send search queries to the active directory.
272
273	{{info}}
274	This needs to be a username suffixed with the domain.
275	Example: {{code language="none"}}user@EXCAMPLE.COM{{/code}}
276	{{/info}}
277
278	=== User account password ===
279
280	Password for the user account.
281
282	=== Base DN for user lookup ===
283
284	The LDAP baseDN used for looking up the authenticated user.
285
286	Example: {{code language="none"}}ou="intern", dc="example", dc="com"{{/code}}
287
288	== Make user data available to forms ==
289
290	The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code language="none"}}window.XFC_METADATA.user.rawData{{/code}} and can be accessed via JavaScript.
291
292	{{info}}
293	Which data the JSON structure contains under the rawData property depends mainly on the read rights of the LDAP account, which executes the user search in the LDAP system.
294	{{/info}}
295
296	To access the property ~/~/userPrincipalName~/~/ of the user from JavaScript, use the following code:
297
298	{{code language="javascript"}}
299	try {
300	// Auslesen der Property und Anzeige in einem Label
301	var elem = $('[name=txt1]');
302	var ldap = XFC_METADATA.user.rawData;
303	if(ldap.hasOwnProperty('userPrincipalName')) {
304	elem.html(ldap.userPrincipalName);
305	}
306	} catch (err) {}
307	{{/code}}

1

//Single sign-on// for {{smallcaps}}Ntlm{{/smallcaps}} and Kerberos is a {{formcycle/}} license module which is subject to additional costs.

User interface for setting up {{smallcaps}}Ldap{{/smallcaps}} authentication via {{smallcaps}}Ntlm{{/smallcaps}}. Available only if the license allows it.

7

8

9

{{smallcaps}}Ntlm{{/smallcaps}} (NT LAN Manager) can be used to authenticate users of a form.

10

11

A common use case are forms used internally by some company, and that may be accessed only by the employees of that company. The user data of the active directory can be accessed via {{smallcaps}}Ntlm{{/smallcaps}}.

12

13

14

{{smallcaps}}Ntlm{{/smallcaps}} may not be available depending on your license.

== Using NTLM ==

Activate this option to use {{smallcaps}}Ntlm{{/smallcaps}}.

20

21

=== Synchronize with {{fserver/}} ===

22

23

Activate this option to transmit the current configuration to all connected and available {{fserver number="plural"/}} when saving these settings.

24

25

=== Domain controller host ===

26

27

The host (FQN) of the active directory controller used for authenticating users via {{smallcaps}}Ntlm{{/smallcaps}} and transmitting their data over {{smallcaps}}Ldap{{/smallcaps}}.

28

29

30

Example: domain.example.com

31

32

33

Connection to the {{smallcaps}}Ldap{{/smallcaps}} server for the {{smallcaps}}Ldap{{/smallcaps}} search account has been established successfully

34

35

== NTLM authentication ==

36

37

The following settings are required for enabling users to authenticate via {{smallcaps}}Ntlm{{/smallcaps}}.

38

39

=== Host name of the domain controller host ===

40

41

The host name of the active directory controller.

Example: domain

=== Windows domain name ===

48

49

Different forms of the domain name can be used depending on the active directory.

50

51

52

Example: example.de oder example0

Here you must specify the domain name to which the user accounts to be authenticated belong.

57

This domain name may be different from the domain of the computer account (This is the computer's NetBIOS name, not the DNS / FQDN name).

58

59

The Windows domain name to be used can be determined, for example, by opening a Windows console (//Start / Run / cmd//) on a client logged into the domain and entering the following command:

60

**echo %userdomain%**

61

62

63

=== Computer account ===

64

65

The computer account must have been granted permission to perform user verification. It **must not be** a regular user account.

66

67

68

A computer account is recognizable by the '$' character in the domain name. e.g. example$@domain.de

69

70

71

Help pages of ca technologies on [[creating a computer account for NTLM authentication on active directory server.>>https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/access-control-assertions/require-ntlm-authentication-credentials-assertion/creating-a-computer-account-for-ntlm-authentication.html||rel="__blank" title="Creating a Computer Account for NTLM Authentication"]]

72

73

=== computer account password ===

74

75

Password of the computer account.

76

77

== LDAP user lookup ==

78

79

The following settings concern the user lookup after a successful {{smallcaps}}Ntlm{{/smallcaps}} authenication.

=== Port ===

The port for connecting to the {{smallcaps}}Ldap{{/smallcaps}} server for the user lookup.

84

85

=== SSL encryption ===

86

87

Enables SSL encryption when communicating the the {{smallcaps}}Ldap{{/smallcaps}} server.

=== Hop count ===

The number of hop counts or referrals. Setting this to 0 disables following references.

92

93

=== User account (with domain) ===

94

95

Account to be used for looking up users. It must have been granted permission to perform user lookup.

96

97

98

Example: ldap@example.de

99

100

101

=== User account password ===

102

103

Password of the user account.

104

105

=== Base DN für user lookup ===

106

107

{{smallcaps}}Ldap{{/smallcaps}} base DN used for looking up authenticated users.

108

109

110

Example: ou="users", dc="example", dc="de"

== Settings for Kerberos authentication ==

116

117

118

User interface for editing the settings for Kerberos authentication. Available only when the license includes this option.

119

120

121

Kerberos can be used to authenticate form users. This is often used for internal forms meant only for the employees of a company. The data of the current user can be retrieved from an active directory as well.

122

123

Kerberos authentication is available only when the license includes this option.

=== Use Kerberos ===

Activate this switch to enable Kerberos authentication.

128

129

=== Synchronize with frontend server ===

130

131

When activated, all changes to the configuration will be sent to all available frontend servers.

=== Username ===

The Window Domain account required for accessing the Key Distribution Center (KDC) and beginning the authentication process.

136

137

Normally this is the user account of the active directory that is setup as a service account.

138

139

140

When no //default_realm// has been specified in the section //[libdefaults]// of the file //krb5.conf//, you will need to enter the username with a domain (FQDN).

141

Example: user@EXCAMPLE.COM

To this user you must, in Active Directory for example, register the Domians to be used as ServiePrincipalName beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx||target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn||target="_blank"]].

146

147

148

(% class="wikigeneratedid" %)

149

=== Password ===

150

151

Password of the service account.

152

153

=== File krb5.conf ===

154

155

Enter the content of the file //krb5.conf//, ie. the configuration file for Kerberos.

156

157

Among other settings, the available encryption methods, the current real and its mapping to a KDC should be set.

158

159

==== File structure ====

160

161

The file format is similar to Windows INI files. It contains of individual sections, introduced by their names in brackets. Each section may or may not contain several key-value pairs:

foo = bar

or

foobar = {

foo = bar

some = input

}

==== Section names ====

177

178

* {{litem title="[libdefaults]"}} Contains settings used by the Kerberos library v5.{{/litem}}

179

* {{litem title="[realms]~}~} Realm-specific settings and contact information.{{/litem~}~}

180

* {{litem title="}}A list of supported session key encryption methods that should be requested by the client when performing an AS (authentication server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.{{/litem}}

181

* ~{~{litem title="default_tgs_enctypes}}A list of supported session key encryption methods that should be requested by the client when performing a TGS (ticket granting server) request. The priority of each method is given by the order in which they have been specified, the first one being the method with the highest priority. Several methods can be separated with commas or spaces.~{~{/litem}}

182

* {{litem title="permitted_enctypes"}}: A list of all allowed session key encryption methods.{{/litem}}

183

184

A simple configuration for the //[libdefaults]// section might look as follows:

[libdefaults]

default_realm = EXAMPLE.COM

189

default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4

190

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4

191

permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4

===== [realms] =====

Each key in the //[realms]// section represents the name of a Kerberos realm. The value is a list of mappings, defining the properties of each realm. The following properties can be set:

197

198

* kdc: The name or address of a server running a KDC (key distribution center) for this realm, usually the server with the active directory. When necessary, the port number can be specified by appending it separated by a column.

199

200

A simple configuration for the //[realms]// section might look as follows:

[realms]

EXAMPLE.COM = {

kdc = domain.example.com

}

===== [domain_realm] =====

210

211

The section //[domain_realm]// contains a mapping from domain names or host names to Kerberos realm names. The key can be a host or domain name, but domain names must be prefixed with a period. The value must be the name of a Kerberos realm for this host or domain. Host and domain names should be spelled with lower case letters.

212

213

A simple configuration for the //[domain_realm]// section might look as follows:

[domain_realm]

.example.com = EXAMPLE.COM

218

219

220

=== File login.conf ===

221

222

The content of the file //login.conf//, which contains login-related settings such as the authentication method between clients and servers.

223

224

A sample configuration might look as follows:

spnego-client {

com.sun.security.auth.module.Krb5LoginModule required;

};

spnego-server {

com.sun.security.auth.module.Krb5LoginModule required

233

refreshKrb5Config=true

storeKey=true

isInitiator=false;

};

=== Client module name ===

240

241

The name in the //login.conf// file for the client to be used, eg. {{code language="none"}}spnego-client{{/code}}.

242

243

=== Server module name ===

244

245

The name in the //login.conf// file for the server to be used, eg. {{code language="none"}}spnego-server{{/code}}.

246

247

248

When you keep getting a HTTP 400 error with Kerberos activated, the most likely cause is that the HTTP header size of the Kerberos ticket exceeds the default header size limit of the application server, eg. Tomcat of JBoss. See the help pages on [[changing the HTTP header size limit>>doc:Formcycle.SystemSettings.TomcatSettings.LimitHTTPHeader]].

249

250

251

== LDAP user search ==

252

253

The following settings are required to retrieve information about the authenticated user from an {{smallcaps}}Ldap{{/smallcaps}} (MS active directory). This data is then available in the form and can be accessed by JavaScript code.

254

255

=== Domain controller host ===

256

257

FQN (fully qualified name) and port of the active directory controller.

258

259

Example: {{code language="none"}}domain.example.com Port: 389{{/code}}

260

261

=== SSL connection ===

262

263

When activated, all communications with the LDAP server will be encrypted with SSL.

264

265

=== Referral hops ===

266

267

The maximum number of referral hops that may be performed on the LDAP server. Setting this to {{code language="none"}}0{{/code}} deactivates referral hops and no references will be followed.

268

269

=== User account (with domain) ===

270

271

This account must have been granted permission to send search queries to the active directory.

272

273

274

This needs to be a username suffixed with the domain.

275

Example: {{code language="none"}}user@EXCAMPLE.COM{{/code}}

276

277

278

=== User account password ===

279

280

Password for the user account.

281

282

=== Base DN for user lookup ===

283

284

The LDAP baseDN used for looking up the authenticated user.

285

286

Example: {{code language="none"}}ou="intern", dc="example", dc="com"{{/code}}

287

288

== Make user data available to forms ==

289

290

The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code language="none"}}window.XFC_METADATA.user.rawData{{/code}} and can be accessed via JavaScript.

291

292

293

Which data the JSON structure contains under the rawData property depends mainly on the read rights of the LDAP account, which executes the user search in the LDAP system.

294

295

296

To access the property ~/~/userPrincipalName~/~/ of the user from JavaScript, use the following code:

try {

// Auslesen der Property und Anzeige in einem Label

301

var elem = $('[name=txt1]');