FrankGasparovic / Windows-Desktop-SSO-Node


Windows Desktop SSO Node

A Windows Desktop SSO authentication node for ForgeRock Access Management (AM) 6.5.2 and above. The node uses Kerberos authentication: the browser presents a Kerberos service ticket for AM's HTTP service principal, wrapped in a SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) token, in the HTTP Authorization: Negotiate header. AM validates the ticket against the service account keytab, so a user who has already authenticated to the Kerberos Key Distribution Center (KDC) at desktop logon is signed in to AM without entering credentials again. Users might need to set up Integrated Windows Authentication in Internet Explorer or Microsoft Edge (typically by placing the AM host in the Local intranet zone) to benefit from single sign on when logged on to a Windows desktop.

Usage

To deploy this node, download the jar from the releases tab on github here. Because the jar runs inside AM's JVM with full access to the deployment, obtain it only from the project's releases and verify the download before installing it. Next, copy the jar into the ../web-container/webapps/openam/WEB-INF/lib directory where AM is deployed. Restart the web container to pick up the new node. The node will then appear in the authentication trees components palette.

Generate Service Account KeyTab File

To generate a valid Kerberos keytab file for the service account, run ktpass as a domain administrator on a domain-joined Windows host:

ktpass -out fileName.keytab -princ HTTP/openam.forgerock.com@AD_DOMAIN.COM -pass +rndPass -maxPass 256 -mapuser amKerberos@frdpcloud.com -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0

The host name, realm and account above are placeholders; the realm in -princ and the UPN in -mapuser must belong to the same AD domain. The -princ value is the SPN browsers will request, HTTP/<AM host FQDN>@<REALM>, with the realm in upper case. +rndPass sets a new random password of up to -maxPass characters on the mapped service account, which invalidates any keytab previously issued for that account. -crypto AES256-SHA1 writes an AES256 key; for the KDC to issue AES256 tickets the service account must have "This account supports Kerberos AES 256 bit encryption" enabled in AD, otherwise the KDC falls back to RC4 tickets that this keytab cannot decrypt (see Common Errors). -ptype KRB5_NT_PRINCIPAL sets the principal name type and -kvno 0 sets the key version number recorded in the keytab. Treat the resulting file as a credential: it is equivalent to the service account password, so restrict its file permissions to the AM process owner.

Windows Desktop SSO Node Configuration

Example Flow

This flow will attempt to authenticate the user via Windows Desktop SSO. If unsuccessful, AM will request the username and password for login.

(Image: WINDOWS_SSO_FLOW, screenshot of the example authentication tree)

Common Errors

  1. Kerberos relies on DNS for entity resolution. Browsers build the SPN from the canonical host name, so if the AM host is reached through a CNAME the browser may request a ticket for HTTP/<canonical name> instead of the name in the keytab. All records for servers involved in the flow must be A records, not CNAME records.
  2. Encryption type mismatch between the keytab and the service ticket. You may see the below errors in the AM log files:
      ERROR: Exception thrown trying to authenticate the user
      GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
     This means the KDC encrypted the ticket with RC4-HMAC but the keytab generated with -crypto AES256-SHA1 only contains an AES256 key.

The preferred fix is to keep AES: enable "This account supports Kerberos AES 256 bit encryption" on the service account in AD (msDS-SupportedEncryptionTypes, for example Set-ADUser amKerberos -KerberosEncryptionType AES256), then run the ktpass command above again so the keytab matches the account's new password and key version.

A quicker but weaker fix is to regenerate the AM service keytab file without -crypto AES256-SHA1, so ktpass writes its default key type (RC4-HMAC in practice on current Windows versions), which matches the RC4 tickets the KDC is issuing. RC4-HMAC is a legacy cipher that Microsoft is deprecating, so treat this as a workaround rather than the target configuration. The keytab command would then be:

ktpass -out fileName.keytab -princ HTTP/openam.forgerock.com@AD_DOMAIN.COM -pass +rndPass -maxPass 256 -mapuser amKerberos@frdpcloud.com -ptype KRB5_NT_PRINCIPAL -kvno 0
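Both the keytab generation step and the "Cannot find key of appropriate type" error come down to one question: does the keytab hold a key for the requested SPN of the encryption type the KDC used for the ticket? The following added example (written for this page, not code from the project) is a minimal parser for the MIT 0x0502 keytab layout that ktpass writes. It lists each entry's principal, KVNO and encryption type, and reports whether a ticket of a given type could be decrypted. The two sample keytabs and the dummy key bytes are constructed inline so the script runs offline; the SPN and realm are the placeholders from this page.

```python
import struct
from typing import List, NamedTuple

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
AES256_SHA1 = 18
RC4_HMAC = 23


class KeytabEntry(NamedTuple):
    principal: str   # e.g. HTTP/host@REALM
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix used for every string in the keytab."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one 0x0502 keytab entry (used here only to construct sample data)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0 (constructed), 8-bit kvno
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT-format (0x0502) keytab such as the one ktpass writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                            # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:                      # 32-bit kvno, if present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def can_decrypt(entries, spn: str, ticket_enctype: int) -> bool:
    """True if the keytab has a key for spn of the enctype the KDC used for the ticket."""
    return any(e.principal == spn and e.enctype == ticket_enctype for e in entries)


def diagnose(entries, spn: str, ticket_enctype: int) -> str:
    if can_decrypt(entries, spn, ticket_enctype):
        return "ok"
    have = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in entries if e.principal == spn})
    return (f"no {ENCTYPE_NAMES.get(ticket_enctype, ticket_enctype)} key for {spn} "
            f"(keytab has: {', '.join(have) or 'none'})")


SPN = "HTTP/openam.forgerock.com@AD_DOMAIN.COM"
DUMMY_AES_KEY = bytes(range(32))   # constructed placeholder, not a real key
DUMMY_RC4_KEY = bytes(range(16))   # constructed placeholder, not a real key

# Constructed keytab like the -crypto AES256-SHA1 output: a single AES256 key, kvno 0.
AES_ONLY_KEYTAB = b"\x05\x02" + build_entry(SPN, 0, AES256_SHA1, DUMMY_AES_KEY)
# Constructed keytab holding both an AES256 and an RC4 key for the same SPN.
AES_AND_RC4_KEYTAB = (b"\x05\x02" + build_entry(SPN, 0, AES256_SHA1, DUMMY_AES_KEY)
                      + build_entry(SPN, 0, RC4_HMAC, DUMMY_RC4_KEY))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else AES_ONLY_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(diagnose(entries, SPN, RC4_HMAC))
```

Run it with the path to the real keytab (python keytab_check.py fileName.keytab) to see which principals and key types it actually contains; if the AM log reports an RC4 ticket and the listing shows only aes256-cts-hmac-sha1-96, the mismatch described in Common Errors is confirmed and the account's AES setting, not the node configuration, is what needs fixing.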