Identify web app user using Windows domain name - security

I have a GWT webapp running on tomcat 7 on RedHat. All clients reside within intranet and use IE7 from XP machines to access the webapp.
The new requirement is to set up a per-user log. If a user claims he did something wrong because of the webapp, the admin should be able to check the webapp responses for that request. Another requirement (a very nice-to-have feature) is to avoid the login/password screen and use the domain username instead.
I think I can ask my admin to set up Integrated Windows Authentication for Tomcat: http://www.tomcatexpert.com/blog/2011/06/22/windows-authentication-apache-tomcat. Once IWA is implemented on Tomcat I expect I will be able to access the username with HttpServletRequest.getRemoteUser() from my webapp.
Am I right in my assumption?
Is there a simpler way than that?

The integration of a Java container such as Tomcat with a Windows Domain through IWA, SPNEGO, Kerberos etc. can be a very complicated task and the Tomcat instructions that you point to may or may not work the first time and may also require changes to the way your Windows environment is configured.
Once that integration is working, your web application will need to specify auth constraints in web.xml to protect part or all of the webapp. Although it may not prompt for a user id if the Windows authentication setup is working seamlessly, it is necessary for the configuration to be there before getRemoteUser will return anything inside your application.
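As an added example (not code from the question or the answer above), a servlet Filter for the per-user log: it reads the container-authenticated name from HttpServletRequest.getRemoteUser() and writes one audit line per request, recording explicitly when the name is null, which is what happens while the web.xml security-constraint and login-config are still missing. The logger name, the filter name and the single-domain assumption in normalizeUser are my own choices.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Logs one line per request tagged with the Windows account the container
// authenticated. This only yields a name once Tomcat's IWA setup and the
// <security-constraint>/<login-config> in web.xml are in place; until then
// getRemoteUser() returns null, which the filter records explicitly.
@WebFilter("/*")
public class PerUserAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("webapp.audit");

    // IWA usually reports "DOMAIN\user" or "user@REALM"; keep the bare
    // account name (assumption: a single AD domain, so no ambiguity).
    static String normalizeUser(String remoteUser) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return "UNAUTHENTICATED"; // web.xml constraints probably missing
        }
        int backslash = remoteUser.lastIndexOf('\\');
        if (backslash >= 0) {
            return remoteUser.substring(backslash + 1);
        }
        int at = remoteUser.indexOf('@');
        return at > 0 ? remoteUser.substring(0, at) : remoteUser;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = normalizeUser(request.getRemoteUser());
        try {
            chain.doFilter(req, res);
        } finally {
            // status code is only final after the rest of the chain has run
            LOG.info(String.format("user=%s method=%s uri=%s status=%d",
                    user, request.getMethod(), request.getRequestURI(),
                    response.getStatus()));
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

HttpServletResponse.getStatus() and @WebFilter need Servlet 3.0, which Tomcat 7 provides; capturing the response body itself would additionally require wrapping the response with an HttpServletResponseWrapper that buffers the output.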

Related

NLB IIS Integrated security asks for credentials?

I have a 2-node NLB running IIS. Servers are identical in every respect. When on the server I can browse to the local Windows Integrated Security site without any problems using the local member name. But when I switch to its cluster name, it prompts me for credentials.
<- Renders just fine
<- Renders just fine
<- Prompts for credentials
Certificates aren't the issue. Non WI-Security sites work just fine.
Seems like it doesn't want to pass credentials across the cluster name (and most likely right back into the same server I am on). I did try a couple of affinity settings with no change.
Thanks all for any ideas.
Nick
This has to do with the way Kerberos delegation works with Windows Integrated security.
In short, here's what you'll need to do:
Set the identity of the application pool running your website to a domain user, on all IIS servers participating in the NLB cluster
Ensure this domain account is in the IIS_IUSRS group on each web server
Create an SPN entry for your NLB cluster DNS name, and the domain user. For example:
setspn -S HTTP/ domain\accountname
Following this, you should be able to access your site without an additional prompt for credentials.
A more detailed explanation is available here: https://blogs.msdn.microsoft.com/rakkimk/2006/12/08/enabling-kerberos-delegation-on-a-nlb-scenario/

Git connected to Active Directory

Objective:
Set up a Git repository on Oracle Linux 6. Users connect from Windows, Mac and Linux, using AD credentials. I would like to limit access based on AD groups. I have been searching for a way to set this up. I have seen several options that allow for fine-grained access control of the repository but I haven't found anything that can use AD groups to manage access.
So the question is: Is this even possible? Can someone point me in the direction of documentation that would explain the process?
Update:
There now appear to be more options:
GitLab supports LDAP authentication
Gogs supports LDAP too
Update:
GitBlit, "an open-source, pure Java stack for managing, viewing, and serving Git repositories", supports LDAP authentication out of the box:
LDAP can be used to authenticate Users and optionally control Team memberships. When properly configured, Gitblit will delegate authentication to your LDAP server and will cache some user information in the usual users.conf file.
GitBlit also lists support for Windows authentication, but only when installed on Windows, and only tested against local accounts.
Previous answer:
If you move your Git server to Bonobo Git Server on Windows you can use Windows authentication:
Windows Authentication
This authentication is very useful when your git server sits inside the company network and your accounts and logging information could be managed via IIS. The advantage of this approach is that your users won’t have to create another account for logging to Bonobo Git Server. They will use the existing Windows account they use on the network.
Doing this from Linux is possible, but unlikely to be easy. You'll probably have to set PAM up to use either LDAP or Kerberos authentication and then do quite a lot of configuration. If you've got Windows licences I strongly recommend checking out Bonobo.

How to access a shared network drive in node.js

In IIS, I have a web service which runs under an application pool which has the identity of a user that has access to a drive on a remote machine. In this way, when the web service runs and it tries to access the remote machine to read a file, we do not get any invalid authorization errors.
I have now written my first Node.js app but I am not sure how to allow access to a file stream from the app to the remote machine. I have the UNC path name of the remote machine's file I want to read but I am not sure if I have to pass in the credentials of the user to access the file or I have to run the Node.js app under certain credentials.
Any clues?
I know there is node for IIS, but is there another way of doing this without IIS.
Update:
Just ran my app under my user account, and this account is configured to allow access to a remote machine, and I have access to the remote machine without changing my code (in other words just using the UNC path directly). However, how can I do this using another user's credentials (i.e. impersonation in Node.js)?
Node does not handle impersonation like .NET applications do, since NodeJS is not Windows specific, so it does not know about the Windows way of handling rights and elevation.
But that is not a problem. I have used the following technique on large financial networks.
As you pointed out yourself, the best solution is to have a dedicated user account for your nodeJS application with sufficient rights to access the UNC, but with no other rights. Then when you run the application, run it as this user.
Let me suggest that you set up a service to run the nodejs application and in the service specify the user account. This makes it much easier and safer. If your application is ever hacked, the hacker will not be able to escape the restrictions of the account.

How to configure IIS-5 (on windows xp) to behave similar to AppPool in win servers & windows 7. (Integrated Security=true)

I use Windows XP and IIS 5 for web development. For the database connection the credentials are set up as Integrated Security. It works fine on our DEV server (IIS 6) where they have configured the App Pool to run under the context of a domain account which has dbo access on the database. I myself also have dbo access in the database.
But when I run from my localhost the database connection fails (under Integrated Security=true) saying user '' has no privileges. So it's passing a blank string as the user instead of my logged-in domain account ("domainname\myname"). How do I configure my localhost IIS so that it passes my logged-in domain account as the user to the SQL server? Basically I'm trying to simulate the app pool of IIS-5 on my local machine.
I tried changing the "Log on as" on World Wide Web services & IIS Admin on my local machine's services console, restarted it and did an IISRESET. Nothing seems to fix the problem.
Also I tried putting my domain user name (domainname\username) and password in the connection string by removing integrated security=true. Still that also does not work.
I am an administrator on my local machine. I tried different things like making the aspnet user an administrator, log on as a service etc. etc. with no luck.
Please advise me how to configure IIS5 to run under a different account. Thanks in advance.
You need to set the user for anonymous login to be the domain account. I forget what tab it is on but it is there somewhere.
I think this link will point you in the correct direction
http://support.microsoft.com/kb/310344
Use IIS Express -- it is IIS7 for XP.

Why are my executables being run as a domain user in IIS 6?

I'm having problems with IIS in DEV vs QA. One thing I noticed by watching task manager is that when a .exe runs on DEV it is running as the user instead of my generic IIS user. Is this normal for IIS with integrated authentication or is there some other setting I need to look into?
With integrated authentication, processes are launched as the logged-in user. When anonymous authentication is enabled the processes are launched as the IIS user. It is also possible to enable both at the same time.