{ "info": { "author": "Matt Hamilton", "author_email": "matth@netsight.co.uk", "bugtrack_url": null, "classifiers": [ "Framework :: Plone", "Intended Audience :: Developers", "License :: OSI Approved :: GNU General Public License (GPL)" ], "description": "Introduction\n============\n\nnetsight.windowsauthplugin is a Plone authentication plugin to do\nSingle Sign On (SSO) in a Microsoft Windows Active Directory\nenvironment or other environment that used Kerberos (e.g. Apple MacOS,\nor Linux).\n\nIt uses the same underlying authentication mechanisms as Windows uses\ninternally, known as Integrated Windows Authentication. This uses\nKerberos underneath to do the actual authentication.\n\nCurrent web browsers able to use this plugin to do SSO are Microsoft\nInternet Explorer 6+, Mozilla Firefox, Apple Safari, and Google Chrome.\n\nnetsight.windowsauthplugin is pure python and can run on Plone on\neither a Unix or Windows server. It relies on the MIT\nKerberos libraries (on Unix, Linux, OSX) or the native Windows SSPI\nlibraries in Windows to so the Kerberos authentication.\n\nInfrastructure Setup\n====================\n\nIn order for netsight.windowsauthplugin to work you need to have an\nActive Directory server (or Kerberos KDC) setup. For this\ndocumentation we will assume:\n\n - You already have a working AD setup and user accounts.\n - You currently log into a Windows desktop with an AD username/password.\n - You have an admin account or access to a user with an admin account\n on AD and able to create accounts\n - You are using Microsoft Internet Explorer\n - You are running the Plone server on Unix/Linux/OSX\n\nDNS & Time\n----------\n\nKerberos is very particular about DNS and time. Ensure that your\nservers and clients are all synced with a network time source. The way\nInternet Explorer constructs Kerberos SPNs depends on the host having\na DNS A record. When you try to access a site with IE and are using\nIntegrated Windows Authentication, IE will attempt to construct a SPN\nbased upon resolving the hostname to an A record. Hence to avoid\nproblems, do not use CNAMEs for your DNS records.\n\nService Principal Names (SPNs) and Keytabs\n------------------------------------------\n\nYou will need to create a user to associate the SPN with. This can be\na standard user account set to never expire. Ensure that 'Use DES' is\nunselected in the properties for the user.\n\nCreate the SPNs using the *ktpass* tool as shown below depending on\nthe version of Windows Server you are using for your Domain\nController.\n\nThe ktpass command below does two things:\n\n 1. Creates the SPN for the service\n 2. Exports the keytab to the specified file\n\nIn the example below:\n\n - intranet.example.com is the hostname used in the URL to your site\n - EXAMPLE.COM is your active directory domain\n - plonesvc is the user account created to associate this SPN with\n - c:\\\\temp\\\\intranet.keytab is the location of the exported keytab\n\n+----------------+---------------------------------------------------------------------------------------------------+------------------------------------------------+\n| | Windows 2008 SP2 DC | Windows 2003 SP3 DC |\n+----------------+--------------------------------------------------+------------------------------------------------+------------------------------------------------+\n| Crypto type | RC4 | AES256 (not supported by WinXP) | RC4 |\n+----------------+--------------------------------------------------+------------------------------------------------+------------------------------------------------+\n| ktpass command | | C:\\\\>ktpass | | C:\\\\>ktpass | | C:\\\\>ktpass |\n| | | -princ HTTP/intranet.example.com@EXAMPLE.COM | | -princ HTTP/intranet.example.com@EXAMPLE.COM | | -princ HTTP/intranet.example.com@EXAMPLE.COM |\n| | | -mapuser plonesvc@EXAMPLE.COM | | -mapuser plonesvc@EXAMPLE.COM | | -mapuser plonesvc@EXAMPLE.COM |\n| | | -crypto RC4-HMAC-NT | | -crypto AES256-SHA1 | | -crypto rc4-hmac-nt |\n| | | -ptype KRB5_NT_PRINCIPAL | | -ptype KRB5_NT_PRINCIPAL | | -ptype KRB5_NT_SRV_HST |\n| | | -pass long!$longp2ass3word | | -pass long!$longp2ass3word | | -pass longlongpassword |\n| | | -out c:\\\\temp\\\\intranet.keytab | | -out c:\\\\temp\\\\intranet.keytab | | -out c:\\\\temp\\\\intranet.keytab |\n+----------------+--------------------------------------------------+------------------------------------------------+------------------------------------------------+\n\nThe keytab exported to *c:\\\\temp\\\\intranet.keytab* needs to be copied\nsecurely to the server running Plone.\n\nThe default path for the keytab file in unix environments is\n``/etc/krb5.keytab``, but it can be customized by defining ``KRB5_KTNAME``\nenvironment variable. The keytab must be readable by the user running the Plone\nprocess.\n\nTroubleshooting\n===============\n\n- ERROR SPNEGO plugin 127.0.0.1: GSSError (('Unspecified GSS failure. Minor code may provide more information', 851968), ('', 100005))\n\n **Solution**: This was seen with crypto type AES256 on RHEL6 server.\n This was solved by changing crypto type to RC4.\n\nGlossary\n========\n\n`Integrated Windows Authentication (IWA) `_\n This is Microsoft's is a term associated with Microsoft products\n that refers to the SPNEGO, Kerberos, and NTLMSSP authentication\n protocols with respect to SSPI functionality introduced with\n Microsoft Windows 2000 and included with later Windows NT-based\n operating systems. The term is used more commonly for the\n automatically authenticated connections between Microsoft Internet\n Information Services, Internet Explorer, and other Active Directory\n aware applications.\n\n`Kerberos `_\n Kerberos is a network authentication protocol. It is designed to\n provide strong authentication for client/server applications by\n using secret-key cryptography. It is a standardised protocol and\n used by Unix, Linux, Microsoft Windows and Apple Mac OSX for\n authentication services.\n\n`Service Principal Name (SPN) `_\n A service principal name (SPN) is the name by which a client\n uniquely identifies an instance of a service. When a client wants to\n connect to a service, it locates an instance of the service,\n composes an SPN for that instance, connects to the service, and\n presents the SPN for the service to authenticate. These often start\n with the service/protocol being used and are then followed by the\n hostname e.g. HTTP/intranet.example.com\n\n`SPNEGO `_\n SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a\n GSSAPI \"pseudo mechanism\" that is used by Microsoft Internet\n Explorer 5.01 and above to negotiate an authentication\n mechanism. The negotiable sub-mechanisms included NTLM and Kerberos,\n both used in Active Directory\n\n`GSSAPI `_\n GSSAPI (Generic Security Services Application Program Interface) is\n an IETF standard API for accessing a number of authenticatation\n mechanisms. The GSSAPI, by itself, does not provide any\n security. Instead, security service vendors provide GSSAPI\n implementations usually in the form of libraries installed with\n their security software.\n\n`SSPI `_\n SSPI (Security Support Provider Interface) is an API used by\n Microsoft Windows systems to perform a variety of security-related\n operations such as authentication. SSPI is a proprietary variant of\n GSSAPI with extensions and very Windows-specific data types. For\n Windows 2000, an implementation of Kerberos 5 was added, using token\n formats conforming to the official protocol standard RFC 1964 (The\n Kerberos 5 GSSAPI mechanism) and providing wire-level\n interoperability with Kerberos 5 implementations from other vendors.\n\n`PAS `_\n PAS (Pluggable Authentication Service) is a modular suthantication\n system used by Zope and Plone for the management of users. PAS is\n built around the concepts of interfaces and plugins: all possible\n tasks related to user and group management and authentication are\n described in separate interfaces. These interfaces are implemented\n by plugins, which can be selectively enabled per interface.\n\n`Active Directory `_\n Active Directory (AD) is a directory service created by Microsoft\n for Windows domain networks. It is included in most Windows Server\n operating systems.\n\n Active Directory provides a central location for network\n administration and security. Server computers that run Active\n Directory are called domain controllers. An AD domain controller\n authenticates and authorizes all users and computers in a Windows\n domain type network\u2014assigning and enforcing security policies for\n all computers and installing or updating software. For example, when\n a user logs into a computer that is part of a Windows domain, Active\n Directory checks the submitted password and determines whether the\n user is a system administrator or normal user.\n\n Active Directory makes use of Lightweight Directory Access Protocol\n (LDAP) versions 2 and 3, Kerberos and DNS.\n\nChange history\n**************\n\n2.3.1 (2014-07-04)\n------------------\n\n- Fixed issue with 'came_from' redirects not working correctly\n\n2.3 (2014-03-17)\n----------------\n\n- Mixed-auth helper now redirects to 'logged_in' to continue standard plone login process [mattss]\n\n2.2 (2014-03-5)\n----------------\n\n- Added missing __init__.py for mixed-auth profile [giacomos]\n\n2.1 2014-02-10\n--------------\n\n- Add default configuration profile for mixed authentication environments\n [datakurre]\n\n2.0 2013-03-27\n--------------\n\n- This is a major change\n- All LDAP code has been removed. If you want to use LDAP to look up\n user details then use a separate LDAP PAS plugin\n- The kerberos python library is now only installed if you add [unix]\n option with the egg\n- We now decode the username to Unicode before returning it\n\n\n1.3 (2013-03-18)\n----------------\n\n- Fixed missing README.txt in last release\n\n1.2 (2013-03-18)\n----------------\n\n- Works with subrequests now (p.a.theming)\n\n1.1 2013-03-18\n--------------\n\n- Fixed it so we work within a subrequest (so p.a.themeing works)\n\n0.9 Initial release\n-------------------\n\n- Initial release\n\nContributors\n************\n\nMatt Hamilton, matth@netsight.co.uk, Author\n\n\nDownload\n********", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/netsight/netsight.windowsauthplugin", "keywords": "", "license": "GPL", "maintainer": null, "maintainer_email": null, "name": "netsight.windowsauthplugin", "package_url": "https://pypi.org/project/netsight.windowsauthplugin/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/netsight.windowsauthplugin/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/netsight/netsight.windowsauthplugin" }, "release_url": "https://pypi.org/project/netsight.windowsauthplugin/2.3.1/", "requires_dist": null, "requires_python": null, "summary": "A Windows Integrated Authentication (SPNEGO/Kerberos) Plugin for PAS", "version": "2.3.1" }, "last_serial": 1147142, "releases": { "2.0": [ { "comment_text": "", "digests": { "md5": "15eeaa150be8bdcbbb7dfff1eced6afa", "sha256": "fe5afe9e09b4dc61effe1c422c60cc7eb9af9fdcfa99ff7d745a747f38c8b5ce" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.0.zip", "has_sig": false, "md5_digest": "15eeaa150be8bdcbbb7dfff1eced6afa", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 26935, "upload_time": "2013-03-27T15:51:37", "url": "https://files.pythonhosted.org/packages/27/a9/5bf7bf4cfb2663397782305c51cf59710ed2332cba6ac2b267ce5b59fb5a/netsight.windowsauthplugin-2.0.zip" } ], "2.1": [ { "comment_text": "", "digests": { "md5": "8dd2e424fa3819a1d4397854edce97bf", "sha256": "b62fa92aac2bcdf09b563a993a51f0be5a66c984188930a9733eb525601872d4" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.1.tar.gz", "has_sig": false, "md5_digest": "8dd2e424fa3819a1d4397854edce97bf", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 20641, "upload_time": "2014-02-11T14:53:28", "url": "https://files.pythonhosted.org/packages/81/f4/e01d89c23bbf838e4d99e012314c8c8302f75768ca49c5cc934372918b8d/netsight.windowsauthplugin-2.1.tar.gz" } ], "2.2": [ { "comment_text": "", "digests": { "md5": "24e4f0fb2429305ac6455e805b2fef74", "sha256": "3ab0ddc54294df7cd3ec5490a81057648a780ed1085d01e5fc48ab36118899cd" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.2.zip", "has_sig": false, "md5_digest": "24e4f0fb2429305ac6455e805b2fef74", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 33322, "upload_time": "2014-03-05T14:42:13", "url": "https://files.pythonhosted.org/packages/1d/95/834f459b2f8b414ab96fde9b61ce24380e8e05d016e878263670c0419796/netsight.windowsauthplugin-2.2.zip" } ], "2.3": [ { "comment_text": "", "digests": { "md5": "1f10f0941ef9497438a37265e6bfb7a1", "sha256": "827c71288127ddf4c9f8b890cc14ae71744d59a59f74e744aede973b83fcf1ad" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.3.tar.gz", "has_sig": false, "md5_digest": "1f10f0941ef9497438a37265e6bfb7a1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 20721, "upload_time": "2014-03-17T12:57:16", "url": "https://files.pythonhosted.org/packages/f0/a5/eaebd4f47d9363f576f70b501b0d65a90f579a7a5f00e4e00de683857018/netsight.windowsauthplugin-2.3.tar.gz" } ], "2.3.1": [ { "comment_text": "", "digests": { "md5": "f17a1e5de9ac527a8223ae46ac11b298", "sha256": "3decd96a1780137d294b2c94de13aac030d629061719536b0a90299507fc3351" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.3.1.zip", "has_sig": false, "md5_digest": "f17a1e5de9ac527a8223ae46ac11b298", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 39133, "upload_time": "2014-07-04T08:31:45", "url": "https://files.pythonhosted.org/packages/12/45/d06f589bc66f7ed82f682871a78bd48b9a589951aa70094b7d64158d0f9e/netsight.windowsauthplugin-2.3.1.zip" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "f17a1e5de9ac527a8223ae46ac11b298", "sha256": "3decd96a1780137d294b2c94de13aac030d629061719536b0a90299507fc3351" }, "downloads": -1, "filename": "netsight.windowsauthplugin-2.3.1.zip", "has_sig": false, "md5_digest": "f17a1e5de9ac527a8223ae46ac11b298", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 39133, "upload_time": "2014-07-04T08:31:45", "url": "https://files.pythonhosted.org/packages/12/45/d06f589bc66f7ed82f682871a78bd48b9a589951aa70094b7d64158d0f9e/netsight.windowsauthplugin-2.3.1.zip" } ] }