Kerberos & load-balanced OpenSSO – GSS Channel binding exceptions

Recently I’ve been working with a client to build a federated SSO system. One of the requirements was for internal employees to have seamless access using Windows’ Kerberos. This isn’t anything novel, and is something I’ve worked on for a number of organisations – though not for a while. However we came unstuck, with multiple OpenSSO servers behind a load balancer and SSL termination there rather than on the servers themselves. It seems that Microsoft have done something entirely reasonable and enhanced the security of their Kerberos implementation, enabling ‘channel binding’, wherein the requests are bound both to the Service Principal Name of the server requested by the client, and also to the SSL transport.

This breaks when a request arrives through a load balancer, since the underlying hostname doesn’t match that of the client browser request (the load balancer DNS name), and thus the AD domain controller rejects the token. Microsoft made the change enabling this ability in August 2009, in Security Advisory 973811 and then progressively enabled this for clients and servers of theirs, including Internet Explorer.

When channel binding isn’t requested by a server (in this case the OpenSSO servers), in theory it can be ignored, but currently available versions of Java don’t ignore it, instead passing it on to the AD domain controller, the result of which is a GSS Exception in the OpenSSO logs when using Internet Explorer on the client workstation. Firefox isn’t affected as it doesn’t request channel binding.
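To make the mismatch concrete, here is an added illustration (my own, not code from the post, OpenSSO or Java) of the two values involved: the RFC 5929 “tls-server-end-point” binding that a TLS-terminating endpoint derives from its certificate, and the 16-byte Bnd field of the RFC 1964 authenticator checksum that carries it inside the Kerberos token. The certificate bytes are constructed stand-ins; the “tls-server-end-point:” prefix on the application_data and the null initiator/acceptor address fields follow what HTTP/SPNEGO clients send, and the “ignore when the acceptor supplied no bindings” behaviour is the in-theory behaviour the post mentions, so both are assumptions of the example rather than anything the post states.

```python
"""Channel binding values as a Kerberos/GSS acceptor sees them (added example)."""
import hashlib
import struct
from typing import Optional

# Constructed stand-in certificate bytes; real ones are DER-encoded X.509.
LOAD_BALANCER_CERT = b"constructed-der:lb.example.test"
BACKEND_CERT = b"constructed-der:opensso1.example.test"

GSS_C_AF_NULLADDR = 0  # RFC 2744 address type meaning "no address"


def tls_server_end_point(cert_der: bytes, signature_hash: str) -> bytes:
    """RFC 5929 section 4.1: hash the server's end-entity certificate with the
    hash function of its signature algorithm; MD5 and SHA-1 map to SHA-256."""
    algo = signature_hash.lower().replace("-", "")
    if algo in ("md5", "sha1"):
        algo = "sha256"
    return hashlib.new(algo, cert_der).digest()


def gss_application_data(cert_der: bytes, signature_hash: str) -> bytes:
    """application_data of the channel bindings: type name, colon, value
    (assumed layout, matching the RFC 5056 / Windows convention)."""
    return b"tls-server-end-point:" + tls_server_end_point(cert_der, signature_hash)


def rfc1964_bnd(application_data: Optional[bytes]) -> bytes:
    """The 16-byte Bnd field of the RFC 1964 section 4.1.1.2 checksum.

    With no channel bindings the field is all zeros. Otherwise it is the MD5 over
    the binding structure with little-endian integers: initiator addrtype,
    initiator address (length + bytes), acceptor addrtype, acceptor address
    (length + bytes), application_data (length + bytes). Addresses are left
    null here, as HTTP clients do (assumption of this example).
    """
    if application_data is None:
        return bytes(16)
    h = hashlib.md5()
    for _ in range(2):  # initiator, then acceptor: null address type, empty address
        h.update(struct.pack("<I", GSS_C_AF_NULLADDR))
        h.update(struct.pack("<I", 0))
    h.update(struct.pack("<I", len(application_data)))
    h.update(application_data)
    return h.digest()


def accept_token(client_bnd: bytes, acceptor_bnd: bytes, ignore_when_unbound: bool) -> bool:
    """Acceptor-side decision. With ignore_when_unbound the acceptor skips the
    comparison when it supplied no bindings itself (the in-theory behaviour);
    without it the field is compared byte for byte and a bound client token
    fails against an unbound acceptor."""
    if ignore_when_unbound and acceptor_bnd == bytes(16):
        return True
    return client_bnd == acceptor_bnd


def scenario() -> dict:
    """The load-balanced case: IE binds to the TLS session it really has (the
    load balancer's), while the OpenSSO server behind it sees plain HTTP."""
    ie_bnd = rfc1964_bnd(gss_application_data(LOAD_BALANCER_CERT, "sha256"))
    firefox_bnd = rfc1964_bnd(None)            # Firefox requests no bindings
    unbound = rfc1964_bnd(None)                # acceptor behind the LB, no TLS
    own_tls = rfc1964_bnd(gss_application_data(BACKEND_CERT, "sha256"))  # if it terminated TLS itself
    return {
        "ie_ignored_when_acceptor_unbound": accept_token(ie_bnd, unbound, ignore_when_unbound=True),
        "ie_compared_when_acceptor_unbound": accept_token(ie_bnd, unbound, ignore_when_unbound=False),
        "ie_vs_backend_own_cert": accept_token(ie_bnd, own_tls, ignore_when_unbound=True),
        "firefox_when_acceptor_unbound": accept_token(firefox_bnd, unbound, ignore_when_unbound=False),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The two rejected cases are the ones that matter for the post: an IE token bound to the load balancer’s certificate never matches what a backend computes for itself, whether that backend has no TLS session (and compares anyway rather than ignoring) or terminates TLS with its own, different certificate. Only the acceptor that genuinely ignores bindings it did not ask for, or a client that did not send any, gets through.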

There are various workarounds which might be applicable to your situation:

If you’re looking to upgrade Java, this fix is available in release candidates of Java 7. It may be available in Java 6u19, but not in the currently released Java 6u18 or prior, unless you’re paying for Java for Business – the fix is in 6u17-rev-b06.

Hopefully this post might prove useful to someone – it took us some time to find the cause of the problem, and the resolution.

Sun IdM & Virtual Desktop demo

WordPress taunts me every time I log in with the draft of a post I’ve been meaning to complete for quite some time that explains the general concepts around Identity Management, provisioning, role mining and so on. It’s intended to be a precursor to further more in-depth posts on various aspects of the topic. I never seem to manage enough time to finish it, so until then, a video!

At work we’re almost done with our first deployment of Sun Identity Manager. Personally, I’ve found it a good product to work with. I like Sun’s approach to deployment – the base system deploys as a Java WAR file that installs into Tomcat, Glassfish, etc, and it’s pretty easy to connect it to your first set of resources for provisioning. The workflow and forms design are a bit more of a challenge, using an XML-based functional language, XPRESS, and that takes a bit of getting used to, but is amazingly customisable.

Some while ago I was invited to a Sun technical day, at which I saw a demo of some SunRay thin-client appliances that link to the Sun Secure Global Desktop (SGD) product. If you’re familiar with Windows Remote Desktop, it works like this from a user’s point of view, except a bit more powerful. Stick your smartcard in the SunRay and connect to your desktop (Windows, Linux, whatever) running on a VM in a data centre. Go home from work, visit a web-based version and fire up the same desktop.

A couple of guys at Sun have put together a demo of how SGD, OpenSSO and Identity Manager can work together, dynamically creating whole new instances of desktops at a user’s request and giving the appropriate access, then killing it all off again when HR deactivate your account.

I think it’s a pretty cool explanation of how these sort of systems can hang together – for many organisations this could represent a huge saving in user administration, desktop provisioning, and even hardware.

Read about it here, or skip straight to the demo video (12 mins or so, with a great soundtrack!)