Likewise software joins Linux, Unix, and Mac OS X computers to Microsoft Active Directory and then automatically manages Kerberos tickets to grant users and groups cross-platform single sign-on to other systems and applications.
Here's how it works: When you log on to a Linux, Unix, or Mac OS X computer by using your Active Directory domain credentials, Likewise initializes and maintains a Kerberos ticket granting ticket (TGT). The TGT lets you log on to other computers joined to Active Directory, or to applications provisioned with a Service Principal Name (SPN), and be automatically authenticated with Kerberos and authorized for access through Active Directory. In a transparent process, the underlying Generic Security Services (GSS) system requests a Kerberos service ticket for the Kerberos-enabled application or server. The result: cross-platform single sign-on.
To gain access to another computer, you can use various protocols and applications, such as the following:
- SSH
- rlogin
- rsh
- Telnet
- FTP
- Firefox (for browsing intranet sites)
- LDAP queries against Active Directory
- HTTP with an Apache HTTP Server
How Likewise Makes SSO Happen
Since Microsoft Windows 2000 was released, Active Directory's primary authentication protocol has been Kerberos. When a user logs on to a Windows computer that is joined to a domain, the operating system uses the Kerberos protocol to establish a key and to request a ticket for the user. Active Directory serves as the Kerberos key distribution center, or KDC.
Likewise configures Linux and Unix computers to interact with Active Directory in a similar way. When a user logs on to a Linux or Unix computer joined to a domain, Likewise requests a ticket for the user. The ticket can then be used to implement SSO with other applications.
Likewise fosters the use of the highly secure Kerberos 5 protocol by automating its configuration and use on Linux and Unix computers. To ensure that the Kerberos authentication infrastructure is properly configured, Likewise does the following:
- Ensures that DNS is properly configured to resolve names associated with Active Directory (AD).
- Provides tools to join Linux, Unix, and Mac OS X computers to AD.
- Performs secure, dynamic DNS updates to ensure that Linux and Unix computer names can be resolved with AD-integrated DNS servers.
- Configures Kerberos. In an environment with multiple KDCs, Likewise makes sure that Kerberos selects the appropriate server.
- Configures SSHD to support SSO through Kerberos (by using GSSAPI).
- Creates a keytab for the computer in the following way: When you join a Linux or Unix computer to AD, Likewise creates a machine account for the computer. Likewise then automatically creates a keytab for the SPN and places it in the standard system location (typically /etc/krb5.keytab).
- Creates a keytab for the user during logon. On most systems, the user keytab is placed in the /tmp directory and named krb5cc_UID, where UID is the numeric user ID assigned by the system.
Likewise also includes several Kerberos libraries for managing single sign-on:

Overview of How to Implement SSO with Likewise
When you install Likewise on a Linux, Unix, or Mac OS X computer and join it to Active Directory, Likewise prepares it for single sign-on by creating a keytab for the computer. However, when you use Likewise to implement SSO with other applications or services, such as SAP or Oracle, you will likely have to configure the application to use Kerberos authentication and you will likely have to provision each application user for external Kerberos authentication. At the very least, however, you will have to provision your application with a Service Principal Name in Active Directory. For more information about setting up an application such as SAP or Oracle for SSO with Kerberos, see the manual for your application.
The following process outlines the steps for setting up an application or service -- here, Apache Tomcat -- to use Likewise for single sign-on.
1. Create a service account for Tomcat in Active Directory.
2. Associate a Service Principal Name, or SPN, with the service account in Active Directory.
3. Create a keytab for the SPN.
4. Place the keytab in the appropriate location on the Linux or Unix computer.
5. Add the Likewise Java authentication module (a valve class) to Tomcat.
6. Configure the authentication module to get its Kerberos key from the generated keytab.
7. Configure the authentication module to determine Java roles by examining Active Directory group membership.
8. Configure an application to restrict access to Active Directory authenticated users in certain roles.
9. Test Tomcat SSO by accessing restricted web sites from a Windows client running Microsoft Internet Explorer or Mozilla Firefox. Repeat this step on Linux and Unix using Firefox.
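Steps 3 and 4 leave a keytab on the Linux or Unix computer, and before wiring Tomcat to it you will want to confirm which SPN and key version it actually holds. The following added example (not Likewise code) builds a constructed keytab for a hypothetical HTTP/tomcat.example.com SPN in the MIT 0x0502 file format and parses it back, listing principals, kvno and encryption type without ever exposing the key bytes; the hostnames, realm and keys are made up.

```python
import struct

def build_keytab_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise one MIT-format (0x0502) keytab entry; principal is 'service/host'."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))                 # component count
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", 1, timestamp)             # KRB5_NT_PRINCIPAL, timestamp
    body += struct.pack(">B", kvno & 0xFF)               # legacy 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key  # key block
    body += struct.pack(">I", kvno)                      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body           # size prefix (negative = deleted)

def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype, key_len)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    def counted(p):                                      # 16-bit length-prefixed string
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                     # deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c)
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                                 # skip key bytes; never print them
        kvno = vno8
        if end - pos >= 4:                               # 32-bit kvno, if present and nonzero, wins
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, klen))
        pos = end
    return entries

# Constructed sample: what step 3 might produce for the Tomcat SPN plus the host principal.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_keytab_entry("HTTP/tomcat.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32),
    build_keytab_entry("host/tomcat.example.com", "EXAMPLE.COM", 2, 23, b"\x22" * 16),
])
```

Enctype 18 is aes256-cts-hmac-sha1-96 and 23 is rc4-hmac; a kvno that does not match the account's current value in Active Directory is the usual reason a freshly installed keytab fails to decrypt service tickets.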
Related Topics
Single Sign-On for ERP and Storage Applications
Kerberos Linux Authentication with SSH