Enable SSO with Active Directory in Java Application Servers

This chapter explains how to set up single sign-on (SSO) with Active Directory in Java web applications.

Understand Integrated Windows Authentication

Integrated Windows Authentication was introduced with the Microsoft Windows 2000 operating system. It is based on the SPNEGO, Kerberos, and NTLMSSP protocols. The SPNEGO protocol is used between the web browser and the web server to negotiate which authentication mechanism will actually be used, usually either Kerberos or NTLMSSP. Kerberos is the preferred mechanism: it also authenticates the server to the client, which NTLMSSP does not. Both Kerberos and NTLMSSP are designed to authenticate a user over a non-secure channel without the password itself crossing the network (Kerberos presents a ticket, NTLMSSP answers a challenge). For web sites, this means that the Secure Sockets Layer (SSL) protocol is not strictly required to protect the credentials during the authentication phase; it is still needed to protect the authenticated session and the data exchanged afterwards.

Why Use Integrated Windows Authentication?

Integrated Windows Authentication improves both the usability and the overall security of a network: the user logs on with a username and password only once, and all subsequent accesses by that user to resources such as web sites, file systems, and network printers are authenticated automatically with cached security tokens, so the password does not have to be typed into (or stored by) each application. Using Integrated Windows Authentication also has the benefit of a single, centralized user account database stored in Active Directory, where password policy, account lockout and account disabling are enforced in one place. This is more secure and more efficient than duplicating user names and passwords in configuration files across server computers.

Kerberos, NTLMSSP versus Basic Authentication

Integrated Windows Authentication uses the SPNEGO, Kerberos and NTLM authentication protocols. Not all browsers are capable of understanding these protocols. Another authentication protocol, Basic Authentication, is understood by all web browsers; it works by simply transferring the username and password from the web browser to the web server with every request, base64-encoded but not encrypted. The drawback of using Basic Authentication is that without SSL encryption, anyone who can intercept the network communication can trivially decode a user's login name and password. Therefore, Basic Authentication should be used only for sites that are protected with SSL encryption.
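The negotiation described in the two sections above happens in HTTP headers: the server answers an unauthenticated request with 401 and WWW-Authenticate: Negotiate, and the browser retries with Authorization: Negotiate followed by a base64 token. Whether that token carries Kerberos or a fallback to NTLMSSP, or whether a client is sending Basic credentials in the clear, can be read straight from the header. The following script is an added example, not code from this chapter or from any Java application server; it builds constructed sample tokens (the Kerberos AP-REQ is a labelled placeholder, the user name and password are invented) and classifies them. OID values and the NTLMSSP message layout are those defined in RFC 4178, RFC 4121 and MS-NLMP.

```python
"""Classify HTTP Authorization headers: Kerberos via SPNEGO, NTLMSSP fallback, or Basic.

Exchange being inspected (constructed example, not a capture):
    S -> C: HTTP/1.1 401 Unauthorized
            WWW-Authenticate: Negotiate
    C -> S: GET /app HTTP/1.1
            Authorization: Negotiate <base64 token>
"""
import base64
import struct

# OIDs as encoded in DER (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS Kerberos V5", OID_NTLMSSP: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths), used to build the sample tokens."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_read(buf: bytes, pos: int):
    """Read one TLV with a single-byte tag at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ntlm_type1(flags: int = 0xE2088297) -> bytes:
    """NTLMSSP NEGOTIATE_MESSAGE (type 1) with empty domain/workstation fields (MS-NLMP)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """SPNEGO NegTokenInit inside a GSS-API InitialContextToken (RFC 4178 / RFC 2743)."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))      # [0] mechTypes
    token = der(0xA2, der(0x04, mech_token))                    # [2] mechToken
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, mech_types + token)))


def parse_authorization(header: str) -> dict:
    """Return what the Authorization header value reveals about the chosen mechanism."""
    scheme, _, b64 = header.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"scheme": scheme, "mechanism": "unknown", "mech_types": [], "ntlm_fallback": False}
    if scheme == "Basic":
        # Base64 is an encoding, not encryption: the credentials are readable on the wire.
        user, _, password = token.decode("utf-8", "replace").partition(":")
        result.update(mechanism="Basic", user=user, password_exposed=bool(password))
        return result
    if token.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP: sent under the NTLM scheme, or under Negotiate by a client
        # that could not obtain a Kerberos ticket (wrong SPN, no domain trust, IP URL).
        result.update(mechanism="NTLMSSP", ntlm_fallback=True,
                      ntlm_message_type=struct.unpack_from("<I", token, 8)[0])
        return result
    tag, body, _ = der_read(token, 0)
    if tag != 0x60 or not body.startswith(OID_SPNEGO):
        return result
    result["mechanism"] = "SPNEGO"
    # Walk negTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID.
    _, neg, _ = der_read(body, len(OID_SPNEGO))
    _, seq, _ = der_read(neg, 0)
    tag, mech_types, _ = der_read(seq, 0)
    if tag == 0xA0:
        _, oids, _ = der_read(mech_types, 0)
        pos = 0
        while pos < len(oids):
            _, oid_val, pos = der_read(oids, pos)
            result["mech_types"].append(MECH_NAMES.get(der(0x06, oid_val), "unknown OID"))
    # The embedded mechToken belongs to the first mechType, so NTLMSSP first means no Kerberos ticket.
    result["ntlm_fallback"] = result["mech_types"][:1] == ["NTLMSSP"]
    return result


# Placeholder standing in for a real Kerberos AP-REQ (constructed, not a real ticket).
KRB_AP_REQ_PLACEHOLDER = der(0x60, OID_KRB5 + b"\x01\x00" + b"\x6e\x00")

SAMPLE_HEADERS = {  # constructed sample values, not captured from a live network
    "kerberos": "Negotiate " + base64.b64encode(
        neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], KRB_AP_REQ_PLACEHOLDER)).decode(),
    "spnego_ntlm": "Negotiate " + base64.b64encode(neg_token_init([OID_NTLMSSP], ntlm_type1())).decode(),
    "raw_ntlm": "Negotiate " + base64.b64encode(ntlm_type1()).decode(),
    "basic": "Basic " + base64.b64encode(b"alice:Summer2024!").decode(),  # invented credentials
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:12} -> {parse_authorization(header)}")
```

In a server log or a proxy, a Negotiate header whose decoded token starts with TlRMTVNTUAAB (the base64 of the NTLMSSP signature) is the quickest sign that clients are falling back from Kerberos to NTLM, usually because the service principal name registered for the server does not match the host name the browser used.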

Authentication versus Authorization

The term authentication refers to the process of proving a user's identity. Authorization, on the other hand, takes place after authentication and determines which actions an authenticated user or group is allowed to perform. Integrated Windows Authentication provides only the authentication step; in Windows, authorization is usually expressed with Access Control Lists (ACLs) attached to the protected resources.