Single Signon - How to get Windows userid in an Ebase app'n

[Hovik]

Unzip the attached file and follow instructions in document "Single Signon in Ebase - 2014"

http://www.ebaseftp.com/download/forum/ ... n_2014.zip

For IIS configuration, referenced in the above document, please see http://forum.ebasetech.com/forum/viewtopic.php?t=314

[neilnewman]

Hi Hovik,
We have been trying to get back AD information regarding the user running the form, but have been unable to get the code you supplied here to work.

If I make the suggested changes and try to run any of our forms they fail with "Application unavailable".
Do you have any idea what we are likely to have got wrong, or do latter versions of Ebase require a different solution?

Many thanks
Neil

[alexmcclune]

Hi Neil,

I should have said in the other thread, we were originally using an IIS 7 on a 64bit web server originally and and after re-reading those notes it does refer to other documentation which we also implementated - it is titled "IIS7 ISAPI Redirector".

In reality I can't explain your error but this may help: http://forum.ebasetech.com/forum/viewtopic.php?t=314

Regarding your error do you get any error's in your tomcat logs on startup or in the execution log when attempting to run the form?

[neilnewman]

When I add the following lines to the UfsServer\tomcat\webapps\ufs\WEB-INF\web.xml file, the issue occurs:
If I remove these lines the system works again

<filter>
<filter>NtlmHttpFilter</filter>
<filter>jcifs.http.NtlmHttpFilter</filter>
<init>
<param>jcifs.http.domainController</param>
<param><DOMAIN_SERVER_IP></param>
</init>
<init>
<param>jcifs.smb.client.domain</param>
<param><DOMAIN_NAME></param>
</init>
<init>
<param>jcifs.smb.client.username</param>
<param><MY_USERNAME></param>
</init>
<init>
<param>jcifs.smb.client.password</param>
<param><MY_PASSWORD></param>
</init>
</filter>
<filter>
<filter>NtlmHttpFilter</filter>
<url>/ufsmain</url>
</filter>

[neilnewman]

17-Dec-2014 13:38:00 org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [UFSMain] in context with path [/ufs] threw exception
jcifs.smb.SmbException: The parameter is incorrect.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:561)
at jcifs.smb.SmbTransport.send(SmbTransport.java:661)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:316)
at jcifs.smb.SmbSession.send(SmbSession.java:218)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbSession.logon(SmbSession.java:147)
at jcifs.smb.SmbSession.logon(SmbSession.java:140)
at jcifs.http.NtlmHttpFilter.negotiate(NtlmHttpFilter.java:189)
at jcifs.http.NtlmHttpFilter.doFilter(NtlmHttpFilter.java:121)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1812)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
17-Dec-2014 13:38:00 org.apache.catalina.core.StandardHostValve custom
FINE: Processing ErrorPage[errorCode=500, location=/ufs_error_page.htm]
17-Dec-2014 13:38:00 org.apache.catalina.core.ApplicationDispatcher doForward
FINE: Disabling the response for futher output

[Hovik]

Hi Neil,

You are obviously going the Apache web server root to get single signon working.

We discovered last week that the jcifs framework does NOT WORK with Windows 7 or later clients, it works with Windows XP.
At the time of writing the single sigon document in 2010, we did not test it with Windows 7 as it was relatively new.

If you use IIS as the web server (instead of Apache), then it works as expected with Windows 7 and higher Clients as well as with XP clients.

Hovik

[Hovik]

I have now replaced the above link with Single_Signon_2014.zip which no longer refers to Apache web server.

[neilnewman]

Hi Hovik,
I much prefer Apache to IIS as it ships as part of the package and works out of the box.
Are you saying that there will never be a way to query AD if we run with Apache, or are there plans to get this route working in the future?

Many thanks
Neil

[Hovik]

Hi Neil,

Our previous documentation suggested using the jcifs framework to get SSO working using Apache as your web server. What we're now saying is that this is no longer a valid approach given that a lot of organisations use Windows 7 or later as client machines.

There are other ways of configuring Apache Web server to achieve SSO. This is not an Ebase issue, but we always attempt to be helpful by providing how to documents relating to such topics. In this case we've not worked out an alternative mechanism yet. We intend to look into SAML 2 as a means of configuring SSO sometime in the new year, and expect it to work with Apache.
I will let you know when we have a document.

Regards,
Hovik

[Steve James]

Hi, what is the approach for Ebase 5.0.1 particularly around the Integrated Test server?

Thanks

[Hovik]

The integrated test server in V5 uses an integrated tomcat. This tomcat can not be configured with a redirect port. The only configurable port is the http port. Therefore it's not possible to integrate it with IIS and implement single signon.

The process for configuring single signon in the external server is the same as in V4 with the exception that the webapp is now called ebase instead of ufs.
File uriworkermap.properties will therefore need to be changed to replace ufs by ebase.

We will amend the document and add it here as soon as we can.

[ericb]

The .doc files referenced in the instructions for IIS 7 and 5/6 are not in the .zip, do they not apply anymore?

We aren't using the IIS web server for our setup, only Tomcat. In that case is the section titled "Configure Tomcat" the only one that applies? I added the tomcatAuthentication="false" line as instructed, and tried to retrieve system.variables.$BROWSER_TYPE and system.variables.$USER in a basic form, however I get a java.lang.NullPointerException error.

[Hovik]

This post shows you how to implement single signon using IIS. For IIS configuration, please see http://forum.ebasetech.com/forum/viewtopic.php?t=314

While it is possible to do this using Built-in Tomcat mechanism (see https://tomcat.apache.org/tomcat-7.0-do ... howto.html), it's much more difficult and prone to errors. We've not tried it.

Are you using Ebase V5.0.1?
tomcatAuthentication="false" is included in V5.0.1 server installation, so you should not need to add it anywhere.

The reason for the error is that you need to add .value to the end of system.variables.$USER and system.variables.$BROWSER_TYPE

[ericb]

Yes, this is on Ebase 5.0.1.

I actually got it to work within a couple of hours by using Waffle, which was linked in the tomcat documentation you referred me to.

Here's how I did it for the Ebase server (not V5's integrated server). This is very basic and is more of a starting point for someone going down this same road, not a final result. It will hopefully get you on the right path though. These instructions assume your application is already using your LDAP server for authentication, and you just want to add the SSO capability.

1. Download latest version of Waffle here: https://github.com/dblock/waffle

2. Copy the files waffle-(yourVersionOfTomcat)-*.jar, waffle-jna.jar, guava-18.0.jar, jna-4.2.0.jar, jna-platform-4.2.0.jar and slf4j*.jar to the UfsServer\tomcat\lib folder.

3. Add the following to UfsServer\tomcat\conf\context.xml

Code: Select all

<Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
	<Realm className="waffle.apache.WindowsRealm" />

4. Add the following to UfsServer\tomcat\webapps\ebase\WEB-INF\web.xml:

Code: Select all

<security-role>
		<role-name>Everyone</role-name>
	</security-role>
	<security-constraint>
		<display-name>Waffle Security Constraint</display-name>
		<web-resource-collection>
			<web-resource-name>Protected Area</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>Everyone</role-name>
		</auth-constraint>
	</security-constraint>

5. After restarting Tomcat, you should now get logged in instantly when you open a form. You can check this by logging system.securityManager.getUserName().toString().

Now, the question is... can this be made to work with the integrated server in V5.0.1? I've copied the files and added the code to web.xml, however I can't find any context.xml file, or any other file with a different name but the same content.

[Hovik]

Thanks for trying it and also for posting it here. Yes it works very well.

To answer your last question, any such configuration is only possible in the server installation of Ebase V5. The integrated server contains an embedded Tomcat which is a cut-down version of Tomcat and does not allow some configurations.

I downloaded Waffle.1.8 and some of the settings are different from the ones you posted. So posting my steps here for anyone using Waffle.1.8.

1. Download latest version of Waffle from here: https://github.com/dblock/waffle

2. Copy the following files to the UfsServer\tomcat\lib folder:
guava-18.0.jar
jna-4.2.1.jar
jna-platform-4.2.1.jar
slf4j-api-1.7.12.jar
waffle-jna-1.8.0.jar
waffle-(yourVersionOfTomcat)-1.8.0.jar

3. Add the following to UfsServer\tomcat\conf\context.xml

Code: Select all

    <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" protocols="Negotiate,NTLM" /> 
    <Realm className="waffle.apache.WindowsRealm" />

4. Add the following to UfsServer\tomcat\webapps\ebase\WEB-INF\web.xml:

Code: Select all

      <security-constraint>
         <web-resource-collection>
            <web-resource-name>Waffle Security Constraint</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
            <role-name>BUILTIN\Users</role-name>
         </auth-constraint>
      </security-constraint>
      <security-role>
         <role-name>BUILTIN\Users</role-name>
      </security-role>

5. Restart Tomcat and run any form which logs system.securityManager.getUserName() - this should contain your windows userid.

[ericb]

Reviving this thread because SSO is no longer working properly on one of our development servers, and the only difference I've found so far between that and another server where it's still working is that the dev server has been updated to 5.1.1 while the production server is still on 5.0.1.

What happened is that while working on a small project on the dev server, we had problems with the server not identifying the user's login info, and popping up a login box. We disabled SSO and just added a manual login page, but when I deployed the project to the production server, it suddenly started working with SSO there. I've compared the SSO config on both servers and they both match with what I posted here 2 posts ago. As implied earlier this paragraph, project files also match on both servers, so the only difference I can see is the difference Ebase version.

Is there anything that was updated in 5.1.1 that could have changed how SSO works compared to 5.0.1?

[Jon]

No changes to Ebase that I can think of. But this configuration is almost entirely tomcat, there is almost nothing in Ebase. One change is that V5.1.1 requires Java 8 whereas V5.0.1 was Java 7.

Do you have any error messages?

[ericb]

I haven't checked for error messages.

What happens is that in Firefox and Chrome, a browser popup box opens asking for the user to log in. Once the user logs in, the rest of the site functions normally. In IE however, the same browser popup comes up for the user to login, however after submitting the login, the same box just opens up again. It does this 7-10 times before finally saying that the login failed. If you try to cancel the login, the same box opens 2 more times, and if you cancel each of those times as well, it once again tells you that the login failed.

[Steve James]

Has anyone tried to prevent access direct to Ebase via Tomcat when using single signon?

We have a need to have Windows Authentication. I could code it in the logic of a form but would like to investigate preventing direct access at application level.

Thanks

[Jon]

You can just remove the connector definition from tomcat/conf/server.xml.

[Steve James]

Thanks Jon

[neilnewman]

I know this subject has been covered previously, but can I just confirm that the previous posts regarding the way you setup the integration between Ebase and AD are still relevant against Ebase 5.2.0.

Our Ebase installation currently runs on an internal Windows server without IIS and is accessed externally via a DMZ server running IIS and connects back to the Ebase server using a Tomcat connector.

We are looking to configure the system so that internal workers can be validated with their AD username whilst external users continue without AD validation. Is this possible?

Also whilst testing this configuration I have taken a copy of our Ebase installation and installed it onto my PC with a Community license key, but this won't let me use the "Server Admin App", is there a way around this whilst I test things out?

[Jon]

Yes it's basically the same with V520.

What exactly do you mean by validate internal users - how would you use the Windows user if it was available? The most usual scenario is that the Windows userid is passed directly into Ebase and is just accepted and becomes the Ebase user name. You could also use AD groups as roles to perform security checks and you can import AD attributes such as email address into Ebase. You can add external users to this scenario but you would need to give them a dummy user name e.g. "PUBLIC" and presumably they would have no roles. In this mixed scenario, any internal user not part of the AD network (is this even possible?) would also appear as "PUBLIC".

To achieve this I think you would need a second internal IIS for your internal users also redirecting to the Ebase server. I can't say we have ever tried this but it sounds like it should work in principle. Also, it is possible to get the Tomcat/AD link working without IIS and there is a link to this higher up in this post. But again, I don't know if anyone has tried this.

On your server admin problem, what exactly goes wrong? If you know the userid and password, you should be able to connect.

[neilnewman]

Hi Jon and thanks for the swift reply.

Currently we run a piece of ASP code to return the AD user name to Ebase which is run before the form, but we would rather use the Ebase solution.
As you suggest, this then enables us to grant permissions based on the user.

NB: The mixed scenario I was trying to convey was local AD network users and members of the public, coming to the forms via our DMZ IIS server over the Tomcat connector.

I presume as the Ebase system runs Tomcat on specific ports (NOT port 80) I could install IIS software onto the live Ebase server and install and configure the Tomcat connector here for internal access?

The error I get on my PC with the Community license is:
Server Not Licensed
This Ebase Xi Server system is not licensed.
If you are the administrator for this site please contact Ebase Technology to discuss your licensing requirements.


Ebase reports that the license is valid when I start it up.
INFO Licence is valid

My license key reads like this:
####################################################################
# Ebase Xi licence ? Amending or deleting this file will #
# render the Ebase Xi system unusable ! #
# File generated Thu Jan 05 19:26:17 GMT 2012 #
####################################################################
key=OOFkF7HlU9BA50GfZCWy2wAIjNI=
type=3
licenceId=Community_Edition_2
systemId=COMMUNITY_EDITION_2
systemType=Development
fromDate=20120105
expiryDate=21001229
maxDesignerUsers=999999
maxRuntimeUsers=10
maintenanceExpiryDate=20991231
maxProcessors=1
externalType=C
# List of features follows
Ebase_Foundation=Yes
Ebase_Printing=Yes
Ebase_MQ=Yes
Ebase_Batch=Yes
Ebase_Workflow_Server=Yes
Ebase_Workflow_Client=Yes
Ebase_Integration_Server=Yes
Maintenance/Upgrades=Yes

[neilnewman]

Got an answer to one of my questions:
To get into the admin app, I just needed to change the URL from <PCNAME>:4140/ufs/ebaseAdmin.eb to localhost:4140/ufs/ebaseAdmin.eb

[Jon]

I presume as the Ebase system runs Tomcat on specific ports (NOT port 80) I could install IIS software onto the live Ebase server and install and configure the Tomcat connector here for internal access?

Yes I think you can do this.

On the licensing issue, it sounds like you are trying to run something on a different server. You might check that the server is correctly configured in your designer: File > Preferences > Test Server. Might be the same problem that you had with the server admin app.

[neilnewman]

I have now got it all working on my PC, as a test environment and it returns the AD username for me.
Is it possible to also retrieve any of the other AD information at the same time. i.e: email address, phone number etc...

[Jon]

You need to write a Logon Service. There is an LDAP helper class you can use to get info from AD e.g.

services.ldap.getUserAttributes(userName)
services.ldap.getADGroups(userName)

There is a Logon Service example in the EbaseSamples project - look at scripts JS_LOGON_SERVICE_LOGIC and JS_LOGON_SERVICE_FUNCTIONS. This shows retrieving AD groups and using these as roles. For AD attributes, the general idea is that you set these as credentials in the Logon Service and then later in your scripts you can access a credential using:

system.securityManager.getCredential()

You can test the Logon Service in the Logon Service editor or by invoking it from a script with: system.securityManager.logon()

Finally, when you have tested the Logon Service, it should be invoked for all users when they first connect. This is activated in the server admin app > Server Properties > Security Properties > Enable Authentication Of New Users. You have to be careful with this because if the Logon Service then fails you won't be able to get into the system at all. If this happens you need to edit the security properties on the server directly.

The last step will be to detect external users in this Logon Service and set their userid to something like "PUBLIC".

[Jon]

I forgot to add that you also need to configure the properties for the AD service. This is in the Server Admin app > Server Properties > Security Properties > LDAP Properties.

[neilnewman]

Hi Jon,
I have just carried out an upgrade of our test Ebase system to 5.6.0.
Are there any newer instructions covering the integration of Ebase with Active Directory, it would be really useful to have a definitive guide covering what's required at the server end: Tomcat/IIS, configuring the system via the server admin console and examples of how to retrieve values from AD such as phone numbers user name etc...
Maybe adding this as an article to the Resource Hub, I feel sure all Verj.io sites that don't currently integrate with AD will find this feature really useful

[Jon]

We'll put it on the list of things to do.

[neilnewman]

Hi Jon,
I am attempting to use the built in LDAP service within Ebase to retrieve AD info, but I have been unable to get it working, up to this point we have been using a bit of customer ASP to get our AD info, but now we would now like to use the built in functionality.
I have attached a screenshot of our LDAP settings, and I have created a simple form that maps a local Ebase variable to an Ebase system variable:
set EMAIL=$USER_EMAIL; as described in the ldap_attributes.xml file, the error I get is:
Script before_form: Invalid SET expression set USERID=$USER_EMAIL - Unable to access LDAP server using URL: ldap://exchange2013@dartford.gov.uk:389 with specified user - exchange2013@dartford.gov.uk:389

Any help would be gratefully received

[Jon]

Hi Neil,

The system is getting an error trying to connect to your Active Directory system. It could be a number of things:

The Registry Host property is pointing to the wrong server
The port (389) is incorrect - not likely
Your AD system requires SSL - in which case you should use the Registry URL property e.g. ldaps://hostname:389
The bind user/password is not correct or doesn't have authority - though I think I would expect a different error message in this case. I'm not sure whether or not this user needs to have the domain name suffix.

Do you have an admin person who you can ask for the correct configuration?

Once you have the connection working, there are two ways that you can extract user attributes. The first way - largely deprecated - is to use the ldap_attributes file. The second way is to extract the attributes in a Logon Service when the user connects using LDAP Services e.g.

var attrs = services.ldap.getUserAttributes(userid);

..and then add the attributes you are interested in as user credentials. There is an example of doing this shipped with the product - in VerjSamples/System Services/Scripts. From a form you can then obtain a user's credential e.g.

var email = system.securityManager.getCredential("email");

Regards
Jon

[neilnewman]

Hi Jon,
Thanks for the reply, we now have successfully got LDAP to return the value of $USER ("Neil").
What we really want is the complete AD username available to the form and the ability to query other AD values.

As I guess you have concluded, our Javascript skills are somewhat lacking.

Do Verj.io provide consultancy (on or offsite), that we could purchase to get this situation resolved?

Thanks
Neil

[Jon]

Neil,
I've passed this onto our Sales team. Someone should be in touch with you.
Regards
Jon