| ... |
... |
@@ -2,12 +2,6 @@ |
| 2 |
2 |
|
| 3 |
3 |
{{content/}} |
| 4 |
4 |
|
| 5 |
|
-{{warning}} |
| 6 |
|
-We would like to inform you that in future we will say goodbye to {{smallcaps}}Ntlm{{/smallcaps}} as an option for single sign-on. We are following a general recommendation from Microsoft, according to which {{smallcaps}}Ntlm{{/smallcaps}} should no longer be used by applications in the future due to insufficient security mechanisms ([[statement from Microsoft>>https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/1e846608-4c5f-41f4-8454-1b91af8a755b?redirectedfrom=MSDN||rel="noopener noreferrer" target="_blank"]] or [[statement in the forum>>https://answers.microsoft.com/en-us/msoffice/forum/all/ntlm-vs-kerberos/d8b139bf-6b5a-4a53-9a00-bb75d4e219eb||rel="noopener noreferrer" target="_blank"]] under Chapter 3). Microsoft then published patches to improve security, but these will no longer work with the current {{smallcaps}}Ntlm{{/smallcaps}} implementation in FORMCYCLE. Since it is not recommended to continue using the module, we will stop further development of the module from FORMCYCLE version 7 onwards. |
| 7 |
|
- |
| 8 |
|
-For existing customers we offer to switch to Kerberos for free. The activation for Kerberos is done automatically in the licence of V7, if {{smallcaps}}Ntlm{{/smallcaps}} has already been licensed. |
| 9 |
|
-{{/warning}} |
| 10 |
|
- |
| 11 |
11 |
{{figure image="single_sign_on_ntlm_en.png" width="600"}} |
| 12 |
12 |
User interface for setting up {{smallcaps}}Ldap{{/smallcaps}} authentication via {{smallcaps}}Ntlm{{/smallcaps}}. Available only if the license allows it. |
| 13 |
13 |
{{/figure}} |
| ... |
... |
@@ -74,7 +74,7 @@ |
| 74 |
74 |
A computer account is recognizable by the '$' character in the domain name. e.g. example$@domain.de |
| 75 |
75 |
{{/info}} |
| 76 |
76 |
|
| 77 |
|
-We are currently unable to provide a description of the procedure for creating a computer account in the Active Directory server and this must be referred from external sources in the relevant documentation. |
|
71 |
+Help pages of ca technologies on [[creating a computer account for NTLM authentication on active directory server.>>https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/access-control-assertions/require-ntlm-authentication-credentials-assertion/creating-a-computer-account-for-ntlm-authentication.html||rel="__blank" title="Creating a Computer Account for NTLM Authentication"]] |
| 78 |
78 |
|
| 79 |
79 |
=== computer account password === |
| 80 |
80 |
|
| ... |
... |
@@ -148,9 +148,10 @@ |
| 148 |
148 |
{{/info}} |
| 149 |
149 |
|
| 150 |
150 |
{{info}} |
| 151 |
|
-To this user you must, in Active Directory for example, register the **hosts of the urls** and the **computer name** (computer name and FQDN inside the domain) to be used as ServicePrincipalName (SPN) beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx||rel="noopener noreferrer" target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn||rel="noopener noreferrer" target="_blank"]]. |
|
145 |
+To this user you must, in Active Directory for example, register the Domians to be used as ServiePrincipalName beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx||target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn||target="_blank"]]. |
| 152 |
152 |
{{/info}} |
| 153 |
153 |
|
|
148 |
+(% class="wikigeneratedid" %) |
| 154 |
154 |
=== Password === |
| 155 |
155 |
|
| 156 |
156 |
Password of the service account. |
| ... |
... |
@@ -290,16 +290,6 @@ |
| 290 |
290 |
|
| 291 |
291 |
Example: {{code language="none"}}ou="intern", dc="example", dc="com"{{/code}} |
| 292 |
292 |
|
| 293 |
|
-== Theoretical consideration of the connection of several KDCs/domains == |
| 294 |
|
- |
| 295 |
|
-If multiple KDC servers or domains are desired for a global Kerberos login ability, this is theoretically possible via the standard MIT Kerberos implementation provided by Java and used by FORMCYCLE. However, the following configurations should be noted here: |
| 296 |
|
- |
| 297 |
|
-* For each KDC server/domain a separate realm must be defined. |
| 298 |
|
-* The list to be defined under [domain_realm] must be used to specify which request URL should be handled by which realm. |
| 299 |
|
-* If cross realm authentication is desired, a cross realm trust must be established. This serves to the purpose that a user from realm A can also log in within the realm B. For example, this can be realized with a direct realm trust where principals are created on each relevant server against the other realms. For the realms A.REALM.COM and B.REALM.COM this would be for exemplary krbtgt/A.REALM.COM@B.REALM.COM and krbtgt/B.REALM.COM@A.REALM.COM. |
| 300 |
|
-* Use the same name and a strong password for the service principal or configure a keytab file. |
| 301 |
|
-* To query the correct user data after the Kerberos login, either an LDAP server with access to the whole forest of the realms or the functionality of the client-specific LDAP servers must be configured. It may also be necessary to adjust the responsible LDAP filter. |
| 302 |
|
- |
| 303 |
303 |
== Make user data available to forms == |
| 304 |
304 |
|
| 305 |
305 |
The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code language="none"}}window.XFC_METADATA.user.rawData{{/code}} and can be accessed via JavaScript. |
