How to configure Kerberos SSO

Overview

Configuration elements changed between JBoss 5.1 and WildFly 8, and the AJP connector option "tomcatAuthentication" was removed in Process 16. The KerberosAutoLogin feature therefore no longer works out of the box and needs the configuration described below.

Configuration

Tip

If the moovapps Process version is 16.4 or later, these operations are automated by the Process Configurator.
If the Process version is older than 16.4, follow these steps to enable the feature:

  1. To limit the exposure of the connector used by IIS you must change its listening address. In the configurator, change the listening address from the default 0.0.0.0 (every interface) to 127.0.0.1 when IIS runs on the same machine, or to the address of the local interface that the IIS server reaches when IIS runs on another machine. Because the EXTERNAL auth-method configured below trusts whatever principal the front end forwards, any host that can reach this port can impersonate any user; if the port must be reachable from another host, also restrict it at the firewall to the IIS server's address.

  2. In $VDOC_HOME/configurator/vdoc.ear/vdoc.war/WEB-INF/web.xml add a login-config element after the context-param elements

    <web-app ... >
       <context-param>
          ...
       </context-param>
       <login-config>
          <auth-method>EXTERNAL</auth-method>
       </login-config>
       ...
    </web-app>

    This will enable the external authentication mechanism. The Undertow documentation says :

    WARNING: This method performs no verification. It must only be used if there is no way for an end user to modify the principal, for example if Undertow is behind a front end server that is responsible for authentication.

    This is why the bind address must be configured so that only the IIS server can reach the connector.

  3. In $VDOC_HOME/configurator/vdoc.ear/vdoc.war/WEB-INF/jboss-web.xml set the security-domain

    <jboss-web>
       <security-domain>KRB-CLIENT</security-domain>
       ...   
    </jboss-web>

  4. In $VDOC_HOME/wildfly/standalone/configuration/standalone-custom.xml add the KRB-CLIENT security domain.

    <server ... >
       <profile>
          <subsystem xmlns="urn:jboss:domain:security:2.0">
             <security-domains>
                <security-domain name="KRB-CLIENT">
                   <authentication>
                      <login-module code="Client" flag="sufficient" name="Client"/>
                   </authentication>
                </security-domain>
             </security-domains>
          </subsystem>
       </profile>
    </server>

    The Client login module reads the result of the external authentication mechanism and sets the servlet principal to the remote user forwarded by the front end, without any further verification.

After completing these steps, restart your Process server. The KerberosAutoLoginModule will do the same check as in Process 15.
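To confirm that all four steps landed on a Process server, the following script is an added example (not part of the Process product or its configurator) that audits the three XML files and the configurator bind address. It parses the fragments with a namespace-agnostic search, flags a wildcard bind address (0.0.0.0 or ::) because EXTERNAL authentication trusts any client that can reach the port, and returns a list of findings (empty means the configuration matches the steps above). The sample XML strings are constructed for the demonstration; the function and constant names are this example's own.

```python
"""Audit the Kerberos SSO settings described above (added example, not product code)."""
import ipaddress
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """Namespace-agnostic search for every element called `name` under `root`."""
    return [el for el in root.iter() if _local(el.tag) == name]


def check_bind_address(addr):
    """Step 1: the connector must not listen on every interface."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"bind address '{addr}' is not an IP address"]
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return [f"bind address {addr} listens on every interface; use 127.0.0.1 or the interface IIS reaches"]
    return []


def check_web_xml(xml_text):
    """Step 2: web.xml must declare <login-config><auth-method>EXTERNAL</auth-method>."""
    root = ET.fromstring(xml_text)
    methods = [el.text.strip() for lc in _find_all(root, "login-config")
               for el in _find_all(lc, "auth-method") if el.text]
    if not methods:
        return ["web.xml: no <login-config>/<auth-method>; EXTERNAL authentication not enabled"]
    if methods != ["EXTERNAL"]:
        return [f"web.xml: auth-method is {methods}, expected ['EXTERNAL']"]
    return []


def check_jboss_web(xml_text, domain="KRB-CLIENT"):
    """Step 3: jboss-web.xml must bind the deployment to the KRB-CLIENT domain."""
    root = ET.fromstring(xml_text)
    found = [el.text.strip() for el in _find_all(root, "security-domain") if el.text]
    if found != [domain]:
        return [f"jboss-web.xml: security-domain is {found}, expected ['{domain}']"]
    return []


def check_standalone(xml_text, domain="KRB-CLIENT"):
    """Step 4: standalone-custom.xml must define the domain with the Client login module."""
    root = ET.fromstring(xml_text)
    for sd in _find_all(root, "security-domain"):
        if sd.get("name") != domain:
            continue
        codes = [lm.get("code") for lm in _find_all(sd, "login-module")]
        if "Client" not in codes:
            return [f"standalone: domain {domain} has login modules {codes}, missing 'Client'"]
        return []
    return [f"standalone: security-domain '{domain}' is not defined"]


def audit(web_xml, jboss_web_xml, standalone_xml, bind_address):
    """Run all four checks; an empty list means every step is in place."""
    findings = []
    findings += check_bind_address(bind_address)
    findings += check_web_xml(web_xml)
    findings += check_jboss_web(jboss_web_xml)
    findings += check_standalone(standalone_xml)
    return findings


# Constructed sample files (not copied from a real installation).
GOOD_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>p</param-name><param-value>v</param-value></context-param>
  <login-config><auth-method>EXTERNAL</auth-method></login-config>
</web-app>"""
BAD_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>p</param-name><param-value>v</param-value></context-param>
</web-app>"""
GOOD_JBOSS = "<jboss-web><security-domain>KRB-CLIENT</security-domain></jboss-web>"
GOOD_STANDALONE = """<server><profile>
  <subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains>
    <security-domain name="KRB-CLIENT"><authentication>
      <login-module code="Client" flag="sufficient" name="Client"/>
    </authentication></security-domain>
  </security-domains></subsystem>
</profile></server>"""
BAD_STANDALONE = GOOD_STANDALONE.replace('code="Client"', 'code="UsersRoles"')

if __name__ == "__main__":
    print("correct setup:", audit(GOOD_WEB, GOOD_JBOSS, GOOD_STANDALONE, "127.0.0.1"))
    for finding in audit(BAD_WEB, GOOD_JBOSS, BAD_STANDALONE, "0.0.0.0"):
        print("FAIL:", finding)
```

Run it on the real files by reading each path from step 2, 3 and 4 into the corresponding argument, and pass the address shown in the configurator; the wildcard check is the one that matters most, since the other three only decide whether SSO works, while the bind address decides who can forge a principal.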