Negotiate authentication scheme


Negotiate authentication scheme

Bo Norgaard
Hi

When Microsoft Word opens a file on the webdav server it uses BASIC
authentication when I set it up with a direct connection to a tomcat
web server. This works perfectly and users are able to open, edit and
save documents.

When using a Microsoft IIS as web server as frontend to tomcat, it
wants to use NEGOTIATE authentication.

If you have implemented NEGOTIATE in an Authentication Handler, and know
of any documentation or help that would make the implementation
easier, then any help would be appreciated...

Best regards

Bo Norgaard  ( [hidden email] )
CTO, Product Manager

Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031
_______________________________________________
Milton-users mailing list
[hidden email]
http://lists.justthe.net/mailman/listinfo/milton-users

Re: Negotiate authentication scheme

bradmacnz

Hi Bo,

I'm not aware of any implementations of NEGOTIATE with milton. And part
of the webdav discovery process is advertising what authentication
mechanisms are supported, so clients should not be sending an
authentication mechanism which is not supported.

My guess is that IIS is sending something to the client indicating that
NEGOTIATE is supported. Hopefully there is some way to suppress that
(whatever it is)

/Brad

On 13/05/14 19:52, Bo Norgaard wrote:


Re: Negotiate authentication scheme

bravocharlie
See here - http://support.microsoft.com/kb/2123563

Word has Basic auth disabled unless you are using SSL.

Hope that helps

Ben Catherall


On 13 May 2014 08:55, Brad McEvoy <[hidden email]> wrote:


Re: Negotiate authentication scheme

bradmacnz

thanks Ben :)

On 13/05/14 21:17, Ben Catherall wrote:

Re: Negotiate authentication scheme

Bo Norgaard
Hi

Yes I know, Word (from version 2008) will only allow you to edit
documents if they are fetched over SSL.

I have implemented an AuthenticationHandler and when I connect with
SSL directly to tomcat I get:

- a call to supports() with Auth scheme BASIC for which I return true
- a call to authenticate() with the username and password and I return
a UserInfo class on success

the UserInfo is then used in calls to methods in my
FileResourceController, perfect.


When I connect with SSL through IIS I get:

- a call to supports() with Auth scheme NEGOTIATE for which I return true.

and then the FileResourceController is called with no user information.

In the supports() method I tried to authenticate the negotiated user
with Active directory and it works perfectly, but I have no place to
add or return the UserInfo for the negotiated user.

How can I add the UserInfo class to milton httpHandler from the
supports() method? Or can I configure it to call authenticate() in the
AuthenticationHandler for the NEGOTIATE scheme, so I can return the
UserInfo class?

I am so close to success... ;-)

Best regards

Bo Norgaard  ( [hidden email] )
CTO, Product Manager

Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031


2014-05-13 23:00 GMT+02:00 Brad McEvoy <[hidden email]>:


Re: Negotiate authentication scheme

bravocharlie
Hi Bo,

When you say connect to IIS - is this IIS with Tomcat behind? Which connector are you using?

Ben Catherall


On 15 May 2014 15:31, Bo Norgaard <[hidden email]> wrote:

Re: Negotiate authentication scheme

Bo Norgaard
Hi Ben

Yes, Tomcat is running the application and listening on 8443, IIS is running on port 443 and uses the standard Apache Tomcat redirector to forward all requests to tomcat.

/Bo

On Thursday, 15 May 2014, Ben Catherall <[hidden email]> wrote:

Re: Negotiate authentication scheme

bravocharlie
Hi Bo,

Under IIS Sites -> Your site -> Authentication, have you disabled all authentication methods other than Anonymous?  I had to do this to get things working (slightly different issue, but worth checking if you haven't already).

Thanks

Ben

Ben Catherall


On 15 May 2014 21:19, Bo Norgaard <[hidden email]> wrote:

Re: Negotiate authentication scheme

Bo Norgaard
Hi Ben

Yes, I did try that, but it was not working.

Most of our customers are using Windows authentication anyway, for
single sign-on on our web app, so the best solution was to get the
negotiate scheme working.

Now - finally I got it working, AD users get validated by IIS
automatically and can enter the web site, and edit documents in Word
and Excel without being prompted for credentials. Perfect, and much
better than the basic authentication solution (which is still working
if IIS is not used as front-end server).

Best regards

Bo Norgaard  ( [hidden email] )
CTO, Product Manager

Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031


2014-05-16 20:54 GMT+02:00 Ben Catherall <[hidden email]>:


Re: Negotiate authentication scheme

bradmacnz

Hi Bo,

Thanks for sharing. So in that setup do any credentials end up being
passed to milton?

/Brad

On 19/05/14 22:52, Bo Norgaard wrote:

> Hi Ben
>
> Yes, I did try that, but it was not working.
>
> Most of our customer is using windows authentication anyway, to make
> single sign on on our web app, so the best solution was to get the
> negotiate scheme working.
>
> Now - finally I got it working, AD users get validated by IIS
> automatically and can enter the web site, and edit documents in Word
> and Excel without being prompted for credentials. Perfect, and much
> better than the basic authentication solution (which is still working
> if IIS is not used as front-end server).
>
> Best regards
>
> Bo Norgaard  ( [hidden email] )
> CTO, Product Manager
>
> Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031
>
>
> 2014-05-16 20:54 GMT+02:00 Ben Catherall <[hidden email]>:
>> Hi Bo,
>>
>> Under IIS Sites -> Your site -> Authentication, have you disabled all
>> authentication methods other than Anonymous?  I had to do this to get things
>> working (slightly different issue, but worth checking if you haven't
>> already).
>>
>> Thanks
>>
>> Ben
>>
>> Ben Catherall
>>
>>
>> On 15 May 2014 21:19, Bo Norgaard <[hidden email]> wrote:
>>> Hi Ben
>>>
>>> Yes, Tomcat is running the application and listening on 8443, IIS is
>>> running on port 443 and uses the standard Apache Tomcat redirector to
>>> forward all requests to tomcat.
>>>
>>> /Bo
>>>
>>> Den torsdag den 15. maj 2014 skrev Ben Catherall <[hidden email]>:
>>>
>>>> Hi Bo,
>>>>
>>>> When you say connect to IIS - is this IIS with Tomcat behind? Which
>>>> connector are you using?
>>>>
>>>> Ben Catherall
>>>>
>>>>
>>>> On 15 May 2014 15:31, Bo Norgaard <[hidden email]> wrote:
>>>>
>>>> Hi
>>>>
>>>> Yes I know, Word (from version 2008) will only allow you to edit
>>>> documents if they are fetched over SSL.
>>>>
>>>> I have implemented an AuthenticationHandler and when I connect with
>>>> SSL directly to tomcat I get:
>>>>
>>>> - a call to supports() with Auth scheme BASIC for which I return true

Re: Negotiate authentication scheme

Bo Norgaard
Hi

No, milton detects that the Auth scheme is negotiate, and I get the
user info from the original request.

I implement the AuthenticationHandler and handle it like this:

    // Imports added for context; the post shows only the two methods below, the
    // fields "log" and "securityManager" are declared elsewhere in the handler.
    // Package names as in Milton 2.x (Milton 1.x used com.bradmcevoy.http.*).
    import io.milton.http.Auth;
    import io.milton.http.Auth.Scheme;
    import io.milton.http.Request;
    import io.milton.resource.Resource;
    import io.milton.servlet.MiltonServlet;
    import javax.servlet.http.HttpServletRequest;

    // supports(): tell milton this handler can deal with the Authorization
    // header on the request (BASIC or NEGOTIATE).
    public boolean supports(Resource r, Request request) {
        log.debug("METHOD supports...");
        Auth auth = request.getAuthorization();
        if (auth == null) {
            log.debug("Supports, hmmm no Authorize requested...");
            return false;
        }
        if (auth.getScheme() == Scheme.BASIC || auth.getScheme() == Scheme.NEGOTIATE) {
            log.debug("Supports requested scheme: " + auth.getScheme());
            return true;
        }
        return false;
    }

    // authenticate(): return the UserInfo object that milton passes on to the
    // resources, or null when authentication fails.
    public Object authenticate(Resource resource, Request request) {
        log.debug("METHOD authenticate");
        Auth auth = request.getAuthorization();
        if (auth != null) {
            if (auth.getScheme() == Scheme.BASIC) {
                log.debug("BASIC Requested scheme: " + auth.getScheme());
                // Log the user only; auth.getPassword() must never end up in a log file.
                log.debug("BASIC Trying to authenticate with user '" + auth.getUser() + "'");
                Object o = securityManager.authenticate(auth.getUser(), auth.getPassword());
                log.debug("BASIC result: " + o);
                return o;
            }
            if (auth.getScheme() == Scheme.NEGOTIATE) {
                log.debug("NEGOTIATE Requested scheme: " + auth.getScheme());
                // The identity comes from the servlet container, i.e. from IIS via the
                // redirector; getRemoteUser() is null if the container authenticated nobody.
                HttpServletRequest httpServletRequest = MiltonServlet.request();
                log.debug("NEGOTIATE HTTP request remote user: " + httpServletRequest.getRemoteUser());
                Object o = securityManager.authenticate(httpServletRequest.getRemoteUser(), null);
                log.debug("NEGOTIATE result: " + o);
                return o;
            }
        } else {
            log.error(" - no authorization class in the request!");
        }
        return null;
    }


The getRemoteUser() method returns the domain name and user ID of the
authenticated user, I then lookup other information for this user in
AD (Name, email, groups etc).

Best regards

Bo Norgaard  ( [hidden email] )
CTO, Product Manager

Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031


2014-05-19 12:58 GMT+02:00 Brad McEvoy <[hidden email]>:

>
> Hi Bo,
>
> Thanks for sharing. So in that setup do any credentials end up being passed
> to milton?
>
> /Brad
>
> On 19/05/14 22:52, Bo Norgaard wrote:
>>
>> Hi Ben
>>
>> Yes, I did try that, but it was not working.
>>
>> Most of our customer is using windows authentication anyway, to make
>> single sign on on our web app, so the best solution was to get the
>> negotiate scheme working.
>>
>> Now - finally I got it working, AD users get validated by IIS
>> automatically and can enter the web site, and edit documents in Word
>> and Excel without being prompted for credentials. Perfect, and much
>> better than the basic authentication solution (which is still working
>> if IIS is not used as front-end server).
>>
>> Best regards
>>
>> Bo Norgaard  ( [hidden email] )
>> CTO, Product Manager
>>
>> Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025
>> 8031
>>
>>
>> 2014-05-16 20:54 GMT+02:00 Ben Catherall <[hidden email]>:
>>>
>>> Hi Bo,
>>>
>>> Under IIS Sites -> Your site -> Authentication, have you disabled all
>>> authentication methods other than Anonymous?  I had to do this to get
>>> things
>>> working (slightly different issue, but worth checking if you haven't
>>> already).
>>>
>>> Thanks
>>>
>>> Ben
>>>
>>> Ben Catherall
>>>
>>>
>>> On 15 May 2014 21:19, Bo Norgaard <[hidden email]> wrote:
>>>>
>>>> Hi Ben
>>>>
>>>> Yes, Tomcat is running the application and listening on 8443, IIS is
>>>> running on port 443 and uses the standard Apache Tomcat redirector to
>>>> forward all requests to tomcat.
>>>>
>>>> /Bo
>>>>
>>>> Den torsdag den 15. maj 2014 skrev Ben Catherall
>>>> <[hidden email]>:
>>>>
>>>>> Hi Bo,
>>>>>
>>>>> When you say connect to IIS - is this IIS with Tomcat behind? Which
>>>>> connector are you using?
>>>>>
>>>>> Ben Catherall
>>>>>
>>>>>
>>>>> On 15 May 2014 15:31, Bo Norgaard <[hidden email]> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> Yes I know, Word (from version 2008) will only allow you to edit
>>>>> documents if they are fetched over SSL.
>>>>>
>>>>> I have implemented an AuthenticationHandler and when I connect with
>>>>> SSL directly to tomcat I get:
>>>>>
>>>>> - a call to supports() with Auth scheme BASIC for which I return true
>>>>> - a call to authenticate() with the username and password and I return
>>>>> a UserInfo class on success
>>>>>
>>>>> the UserInfo is then used in call to methods in my
>>>>> FileResourceController, perfect.
>>>>>
>>>>>
>>>>> When I connect with SSL through IIS I get:
>>>>>
>>>>> - a call to supports() with Auth scheme NEGOTIATE for which I return
>>>>> true.
>>>>>
>>>>> and then the fileResourceController is called with no user information.
>>>>>
>>>>> In the supports() method I tried to authenticate the negotiated user
>>>>> with Active directory and it works perfectly, but I have no place to
>>>>> add or return the UserInfo for the negotiated user.
>>>>>
>>>>> How can I add the UserInfo class to milton httpHandler from the
>>>>> supports() method? Or can I configure it to call authenticate() in the
>>>>> AuthenticationHandler for the NEGOTIATE scheme, so I can return the
>>>>> UserInfo class?
>>>>>
>>>>> I am so close to success... ;-)
>>>>>
>>>>> Best regards
>>>>>
>>>>> Bo Norgaard  ( [hidden email] )
>>>>> CTO, Product Manager
>>>>>
>>>>> Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45
>>>>> 7025 8031
>>>>>
>>>>>
>>>>> 2014-05-13 23:00 GMT+02:00 Brad McEvoy <[hidden email]>:
>>>>>>
>>>>>> thanks Ben :)
>>>>>>
>>>>>> On 13/05/14 21:17, Ben Catherall wrote:
>>>>>>
>>>>>> See here - http://support.microsoft.com/kb/2123563
>>>>>>
>>>>>> Word has Basic auth disabled unless you are using SSL.
>>>>>>
>>>>>> Hope that helps
>>>>>>
>>>>>> Ben Catherall
>>>>>>
>>>>>>
>>>>>> On 13 May 2014 08:55, Brad McEvoy <[hidden email]> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi Bo,
>>>>>>>
>>>>>>> I'm not aware of any implementations of NEGOTIATE with milton. And
>>>>>>> part of
>>>>>>> the webdav discovery process is advertising what authentication
>>>>>>> mechanisms
>>>>>>> are supported, so clients should not be sending an authentication
>>>>>>> mechanism
>>>>>>> which is not supported.
>>>>>>>
>>>>>>> My guess is that IIS is sending something to the client indicating
>>>>>>> that
>>>>>>> NEGOTIATE is supported. Hopefully there is some way to suppress that
>>>>>>> (whatever it is)
>>>>>>>
>>>>>>> /Brad
>>>>>>>
>>>>>>>
>>>>>>> On 13/05/14 19:52, Bo Norgaard wrote:
>>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> When Microsoft Word opens a file on the webdav server is uses BASIC
>>>>>>>> authentication when I set it up with a direct connection to a tomcat
>>>>>>>> web server. This works perfect and users are able to open, edit and
>>>>>>>> save documents.
>>>>>>>>
>>>>>>>> When using a Microsoft IIS as web server as frontend to tomcat, it
>>>>>>>> wants to use NEGOTIATE authentication.
>>>>>>>>
>>>>>>>> Have you implemented NEGOTIATE in a Authentication Handler, and know
>>>>>>>> of any documentation or help that would make the implementation
>>>>>>>> easier, then any help would be appreciated...
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> Bo Norgaard  ( [hidden email] )
>>>>>>>> CTO, Product Manager
>>>>>>>>
>>>>>>>> Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax:
>>>>>>>> +45
>>>>>>>> 7025 8031
>>>>>>>> _______________________________________________
>>>>>>>> Milton-users mailing list
>>>>>>>> [hidden email]
>>>>>>>> http:/
>>>>
>>>>
>>>>
>>>> --
>>>> Best regards
>>>>
>>>> Bo Norgaard  ( [hidden email] )
>>>> CTO, Product Manager
>>>>
>>>> Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45
>>>> 7025
>>>> 8031
>>>>
>
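An added, hardened version of the two handler methods Bo posted (example code written for this thread, not Bo's handler and not part of Milton). It assumes Milton 2.x package names (io.milton.*; Milton 1.x used com.bradmcevoy.http.*), SLF4J logging, and a constructor flag trustContainerPrincipal that is set only on the instance deployed behind IIS; the AD lookup that turns DOMAIN\user into the application's UserInfo is left abstract, as are the remaining AuthenticationHandler methods the post did not show. The hazard it guards against: if Tomcat is reachable directly, any client can send "Authorization: Negotiate <anything>" and drive the handler into the NEGOTIATE branch, yet nothing on the Tomcat side has checked that token. getRemoteUser() only carries a verified identity when the container itself established it (with the ISAPI redirector that is an AJP connector with tomcatAuthentication="false", which takes the user IIS authenticated), so this version fails closed on a null remote user, never feeds a null password into the password-based SecurityManager.authenticate(), and does not log the Basic password.

```java
// Added example for this thread, not Bo's handler and not Milton's own code.
// Package names assume Milton 2.x; Milton 1.x used com.bradmcevoy.http.* instead.
import io.milton.http.Auth;
import io.milton.http.Auth.Scheme;
import io.milton.http.AuthenticationHandler;
import io.milton.http.Request;
import io.milton.http.SecurityManager;
import io.milton.resource.Resource;
import io.milton.servlet.MiltonServlet;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * BASIC is checked against the SecurityManager exactly as before.
 * NEGOTIATE is accepted only when (a) this instance was deployed behind the
 * IIS front-end (trustContainerPrincipal == true) and (b) the servlet container
 * has actually established a remote user for the request. A request that reaches
 * Tomcat directly with a hand-made "Authorization: Negotiate ..." header satisfies
 * neither, so it is refused instead of being mapped to whatever user it names.
 *
 * The remaining AuthenticationHandler methods (challenge advertising etc.) are
 * left to the concrete subclass, hence the class is abstract.
 */
public abstract class FrontEndNegotiateAuthHandler implements AuthenticationHandler {

    private static final Logger log = LoggerFactory.getLogger(FrontEndNegotiateAuthHandler.class);

    private final SecurityManager securityManager;
    private final boolean trustContainerPrincipal; // assumed config flag: true only behind IIS

    protected FrontEndNegotiateAuthHandler(SecurityManager securityManager,
                                           boolean trustContainerPrincipal) {
        this.securityManager = securityManager;
        this.trustContainerPrincipal = trustContainerPrincipal;
    }

    @Override
    public boolean supports(Resource r, Request request) {
        Auth auth = request.getAuthorization();
        if (auth == null) {
            return false;
        }
        if (auth.getScheme() == Scheme.BASIC) {
            return true;
        }
        // Without the trusted front-end, do not even claim NEGOTIATE; the request is
        // then handled as if it carried no usable credentials.
        return auth.getScheme() == Scheme.NEGOTIATE && trustContainerPrincipal;
    }

    @Override
    public Object authenticate(Resource resource, Request request) {
        Auth auth = request.getAuthorization();
        if (auth == null) {
            return null;
        }
        if (auth.getScheme() == Scheme.BASIC) {
            // Log the user name only; the password must never reach a log file.
            log.debug("BASIC login attempt for user '{}'", auth.getUser());
            return securityManager.authenticate(auth.getUser(), auth.getPassword());
        }
        if (auth.getScheme() == Scheme.NEGOTIATE) {
            return authenticateNegotiated();
        }
        return null;
    }

    private Object authenticateNegotiated() {
        if (!trustContainerPrincipal) {
            log.warn("NEGOTIATE header received but no trusted front-end is configured; refusing");
            return null;
        }
        HttpServletRequest http = MiltonServlet.request();
        String remoteUser = (http == null) ? null : http.getRemoteUser();
        if (remoteUser == null || remoteUser.isEmpty()) {
            // The container authenticated nobody, so the Negotiate token is just
            // unverified bytes chosen by the client. Fail closed.
            log.warn("NEGOTIATE header present but the container set no remote user; refusing");
            return null;
        }
        // remoteUser is the domain and user name that IIS verified. Resolve it through
        // a lookup that takes no password, so SecurityManager.authenticate(user, null)
        // is never used as an authentication shortcut.
        log.debug("NEGOTIATE accepted container principal '{}'", remoteUser);
        return lookupDirectoryUser(remoteUser);
    }

    /** Resolve a verified domain user to the application's UserInfo via AD; null if unknown. */
    protected abstract Object lookupDirectoryUser(String domainUser);
}
```

Deploy with trustContainerPrincipal=true only on the instance that sits behind IIS, keep that instance's AJP connector bound to the address IIS connects from (the connector's address attribute, plus requiredSecret where the Tomcat version offers it) and do not expose an HTTPS connector on it at all. To check the lockdown, send a PROPFIND straight to the Tomcat port with a made-up Negotiate header and confirm that a 401 comes back rather than a directory listing.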
Re: Negotiate authentication scheme

bradmacnz

So if users were able to access tomcat directly, a hacker could craft a
request with NEGOTIATE and whatever userID they wanted, and get access.
Correct? So I assume you're locking down access so it can only be
accessed through IIS?

On 19/05/14 23:27, Bo Norgaard wrote:


Re: Negotiate authentication scheme

Bo Norgaard
Hi

The servers are per default locked down to allow IIS only.

The SecurityManager looks for a Kerberos ticket in the Authorization
header field, but I am not sure that this ticket is validated, so I
better disable negotiate scheme for direct access - just to be sure.
;-)

Best regards

Bo Norgaard  ( [hidden email] )
CTO, Product Manager

Neupart A/S    www.neupart.com     Phone: +45 7025 8030      Fax: +45 7025 8031


2014-05-19 13:30 GMT+02:00 Brad McEvoy <[hidden email]>:

>
> So if users were able to access tomcat directly, a hacker could craft a
> request with NEGOTIATE and whatever userID they wanted, and get access.
> Correct? So i assume you're locking down access so it can only be accessed
> through IIS?
>