symphonyoss / SFE-Minuet-DesktopClient

Apache License 2.0

Paragon Authentication Plugin #24

Open matthewgardner opened 9 years ago

matthewgardner commented 9 years ago

Build a way to provide an external (per company/organisation) User Authentication plugin that can be packaged along with Paragon. Allowing companies/organisations to natively authenticate.

vsadda commented 9 years ago

It is already implemented and will be made available as part of the next code merge into GitHub.

vsadda commented 9 years ago

I have to clarify that there are certain authentication scenarios that can't be intercepted/customized. Examples are: NTLM, Kerberos, Negotiate (SPNEGO). Fortunately, there is built-in support for those. However, there is an unresolved bug related to Kerberos and Negotiate where delegation (forwardable tickets) does not work. There is nothing we can do about that other than wait for the CEF guys to fix it.

serkanmulayim commented 9 years ago

Hi guys,

I would like to give a quick update about this issue, which you probably are aware of though.

We tested the wrapper with ADFS 3.0, and with Deutsche Bank, which uses a custom implementation on top of Shibboleth. These seem to be working fine with Kerberos. On the other hand, it does not work for Citibank, which has a custom solution as well.

Moreover, Matt Gardner added the logic for the pop-up windows for authentication via NTLM (and other basic auth); they work fine too.

Would it be possible to test it on the GS side (if you have not already tested) and verify that Kerberos auth works? I know that GS has ADFS 2.0, and this test would be important for us.

And Venuguppal, would it be possible for you to elaborate on "However, there is an un-resolved bug related Kerberos and Negotiate where delegation (forwardable tickets) does not work."? I believe you are referring to the case where a new SPN is set up in the DC for Kerberos and a 3rd-party federation server is being used for Kerberos auth. Can you please verify?

Thanks a bunch, Serkan

vsadda commented 9 years ago

A forwardable ticket is a ticket that one server can use to get tickets for other servers on behalf of the user (known as delegation). These tickets are needed when there are multiple servers involved in the same request. For example, you run into this situation if you make a request to an IIS web server and it then has to execute a SQL query against a SQL Server database running on a different server.

Chromium automatically generates forwardable tickets for a set of servers you define through a command-line argument. However, CEF does not pass that command-line argument to Chromium properly. This is a known issue, and the CEF guy (Marshall Greenblat) has been sitting on a patch to fix the problem because he doesn't like the code formatting or something. He is the nit-picker-in-chief and there is nothing anybody can do about it.