WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 72
· DirectControl SPNEGO module. This module allows Microsoft Internet Explorer to silently and securely pass the client user identity to a Web application hosted on an Apache Web server that runs on a UNIX computer. Simple and Protected GSS-API Negotiation Mechanism (shortened to SPNEGO; GSS-API stands for Generic Security Services Application Programming Interface) is an HTTP authentication mechanism that is used by Microsoft Internet Explorer and by the Microsoft Internet Information Services (IIS) Web server for Kerberos-based user authentication. GSS-API libraries are also included with DirectControl. According to the GSS-API entry in the Internet FAQ Archives at http://www.faqs.org/faqs/kerberos-faq/general/index.html:

"The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has its own API, and the effort involved with adding different security systems to applications is extremely difficult with the variance between security APIs. However, with a common API, application vendors could write to the generic API and it could work with any number of security systems. How does this relate to Kerberos? Included with most major Kerberos 5 distributions is a GSSAPI implementation. Thus, if a particular application or protocol says that it supports the GSSAPI, that means that it supports Kerberos, by virtue of Kerberos including a GSSAPI implementation."
· DirectControl Java/J2EE modules. These modules provide the ability to authenticate and perform access control for Java/J2EE applications. For example, the Java Authentication and Authorization Service (JAAS) module is a general purpose module for logging on a user in the Java world. This is very similar to a PAM module; in fact, the JAAS authentication scheme is modeled on PAM. The JAAS module can operate in one of two modes:

    · Silent. In Silent mode, the user is not prompted for a user name or password. Instead, the module queries the underlying operating system to determine who this user is and, if the user is found, the module sets up the user's credentials for later use.

    · Prompted. In Prompted mode, the JAAS module asks the application to prompt the user for a user name and password. When the user responds, the module then validates this data and stores the user's credentials for later use.
· DirectControl Tomcat module. Tomcat, the open source J2EE server, provides two main interfaces for controlling security: realms and authenticators. The realm specifies the mechanism for looking up user credentials in a database, and authenticators perform authentication by using a specific mechanism or protocol. Centrify DirectControl for Tomcat provides a JAAS realm that allows different authenticators, such as BASIC authentication and FORM authentication, to verify a user's name and password combination against Active Directory.

In addition to supporting the Centrify DirectControl JAAS realm, Centrify DirectControl for Tomcat provides an SPNEGO authenticator that allows transparent authentication using Kerberos tickets when users access the application through Internet Explorer. Installing Centrify DirectControl for Tomcat makes it easy for the application developer or IT administrator to map Tomcat roles to Active Directory groups, providing additional control over which users can access the application or perform certain tasks; Tomcat applications can use DirectControl to map Active Directory groups to Tomcat role names automatically. To use the SPNEGO authenticator for transparent authentication when users access the application with Internet Explorer, you need to modify the authentication method defined in the application's web.xml file. For example, instead of using FORM or BASIC authentication, you can specify SPNEGO authentication.
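As an added illustration (not taken from the Centrify guide), the following web.xml fragment protects one URL path with a Tomcat role and switches the container from FORM to SPNEGO authentication; the role name, URL paths and the auth-method token "SPNEGO" are assumptions, and the JAAS realm definition in server.xml that maps the role to an Active Directory group is not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Only members of the "payroll" role may reach /secure/*; the rest of
       the application stays open. Tomcat resolves "payroll" to an Active
       Directory group through the DirectControl JAAS realm configured in
       server.xml (assumed role name; realm configuration not shown). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>payroll</role-name>
    </auth-constraint>
    <!-- Require TLS so that form passwords or Negotiate tokens are never
         carried over a clear-text connection -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Before: the user types a name and password into an HTML form, which
       the JAAS realm verifies against Active Directory.
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  -->

  <!-- After: the SPNEGO authenticator accepts the Kerberos ticket that
       Internet Explorer presents, so the user sees no prompt. The token
       "SPNEGO" is an assumption; confirm the exact value in the product
       documentation. -->
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>Active Directory</realm-name>
  </login-config>

  <!-- Declare the role so the container can map it to an AD group -->
  <security-role>
    <role-name>payroll</role-name>
  </security-role>
</web-app>
```

Browsers that cannot complete the Kerberos exchange (for example, a machine not joined to the domain) will be rejected at the SPNEGO step, so keep a fallback path in mind when the application must also serve such clients.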
The Centrify DirectControl Evaluation Guide provides instructions for setting up an
evaluation environment to demonstrate Active Directory authentication and
authorization with the Tomcat Web server