Author Archives: TimL

  • 1995; Sun Microsystems created Java
  • 2006; Sun released Java under the GPL
  • 2010; Oracle Corporation acquired Java with the purchase of Sun
  • 2019; Oracle stopped releasing security updates for LTS releases under a permissive license

OpenJDK is the upstream for all Java builds but does not release builds itself, so there are now many java distributions, some with additional patches. In addition to the Linux distributions (Debian/Ubuntu, Fedora/RedHat, Arch, openSUSE, etc) building off OpenJDK for their package managers the following are available;

BuildPermissivePureCommercial Support
Adoptium (AdoptOpenJDK) / IBMYesOptionalYes
Microsoft (JClarity)YesNoNo
Azul ZuluYesNoYes
Amazon CorrettoYesNoYes
SAPYesNoYes
LibericaYesNoYes
RedHat for WindowsYesNoYes
ojdkbuildYesYesNo
OracleNoNoYes

Windows users can subscribe to releases on github until the windows store catches up with Linux repositories since the year 1998

sudo -i
apt update
apt -y upgrade
apt -y dist-upgrade
apt install -y postgresql-contrib openjdk-11-jre

#optional
apt install -y p7zip-full sysstat catdoc antiword html2text unrtf libid3-tools ffmpeg

#postgresql
su postgres -c 'cd;psql --file /opt/Noodle/init.sql'
echo "host all all 127.0.0.1/32 password" >> /etc/postgresql/12/main/pg_hba.conf
systemctl restart postgresql.service

#Noodle
cd /opt
tar -xf Noodle.tar.gz
cd Noodle
mv noodle.service /lib/systemd/system/
systemctl enable noodle.service
systemctl start noodle.service

Other Linux Installation examples available.

  • Upgrade
  • Drive Space low
    • Add more storage space (a SSD preferably) (can be done without service interruption if you are using a Logical Volume Manager)
  • Out of RAM
    • Add more Memory
    • This warning is not yet supported for MSSQL or remote databases.
  • Index Queue not empty
    • Can be ignored if intermittent small numbers
    • Contact support if large numbers persist
  • HTTP pool too full
    • in server.xml increase HTTP pools like to at least double the number of active users. (you may also have a connection per port HTTP and HTTPS)
  • DB pool full
    • The default setting of 30 in noodle.properties for DatabaseManager.DB.intranet.Connection.MaxPoolSize is already fairly high so normally this is an indication that the SQL server getting slow.
    • maintenance: rebuild the indexes
    • replace spinning storage with SSD (LVMCache supports a mix).
    • Increasing the number without ensuring the DB pool was filled because of volume (not latency) will likely cause out of memory or deadlock errors on the database instead of just slowness.
  • User limit
    • Remove users from the imported Active Directory security group or contact us for a larger License.
    • Additionally and optionally delete disabled users that will not be added back to the imported Active Directory security group.

#!/bin/bash

#
# noodle_datamanager_add.sh
#

set -e

U=$1
P=$2
F=$3
D=$4

SERVER="https://domain.tld"
COOKIE=noodle_cookie.tmp

if [ "$D" == "" ] ; then
	echo NO >&2
	exit 1
fi
if [ -f $COOKIE ] ; then
	echo "already running"
	exit 2;
fi
TMP=$(mktemp)
wget -q "$SERVER/HandleLogin.po" --post-data="user_name=$U&user_password=$P" --keep-session-cookies --save-cookies $COOKIE -O /dev/null
wget -q "$SERVER/datamanager/MainWindow.po"  --load-cookies $COOKIE -O "$TMP"
CSRF=$(< "$TMP" perl -pe 's/(<)/\n$1/g' | grep CSRF | perl -pe 's/^.*value="//g;s/".*$//g')
rm "$TMP"
wget -q "$SERVER/datamanager/HandleMainWindow.po" --post-data="CSRF=$CSRF&folder=$F&val5440=$D" --load-cookies $COOKIE -O /dev/null

#!/bin/bash

#
# noodle_datamanager_report_get.sh
#

set -e

U=$1
P=$2
F=$3
R=$4

SITE="https://domain.tld"
COOKIE=noodle_cookie.tmp

if [ "$R" == "" ] ; then
    echo NO >&2
    exit 1
fi
if [ -f $COOKIE ] ; then
    echo "already running"
    exit 2;
fi
wget -q "$SITE/HandleLogin.po" --post-data="user_name=$U&user_password=$P" --keep-session-cookies --save-cookies $COOKIE -O /dev/null
wget -q "$SITE/datamanager/ReportView.po?folder=$F&reportHandle=$R&itemsPerPage=99" --load-cookies $COOKIE -O -
rm $COOKIE

Microsoft checklist here.

Server list SPNs:

setspn -l %NoodleServiceAccount

Client list cached tickets:

klist get HTTP/%noodle.domain.tld

Client uncache tickets:

klist purge

The following information can be obtained with Wireshark;

 [truncated]Authorization: Negotiate YIG...NER
    GSS-API Generic Security Service Application Program Interface
        OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
        Simple Protected Negotiation
            negTokenInit
                mechTypes: 4 items
                    MechType: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                    MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    MechType: 1.3.6.1.4.1.311.2.2.30 (NEGOEX - SPNEGO Extended Negotiation Security Mechanism)
                    MechType: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                mechToken: 6092a864886...
                krb5_blob: 6092a864886...
                    KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                    krb5_tok_id: KRB5_AP_REQ (0x0001)
                    Kerberos
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 20000000 (mutual-required)
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..1. .... = mutual-required: True
                            ticket
                                tkt-vno: 5
                                realm: INTRA.NET
                                sname
                                    name-type: kRB5-NT-SRV-INST (2)
                                    sname-string: 2 items
                                        SNameString: HTTP
                                        SNameString: intra.net
                                enc-part
                                    etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                    kvno: 2
                                    cipher: 678ed5435c9ec4d6...
                            authenticator
                                etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                cipher: 62a133014138848d900d436...

The following information can be obtained with Wireshark or with Noodle DEBUG;

https://intranet.onelogin.com/trust/saml2/http-post/sso/699546?SAMLRequest=fVLLbtsw...%2FkD&RelayState=https%3A%2F%2Fintra.net%2FSAML.po

Should be sent to the IdP which before it is deflated and base 64 encoded looks like

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="-5abe3a1a-1671d27aa18--8000" Version="2.0" IssueInstant="2018-11-16T15:33:17Z" ProviderName="Noodle" Destination="https://intranet.onelogin.com/trust/saml2/http-post/sso/699546" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://intra.net/SAML.po">
    <saml:Issuer>Noodle</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted" AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="false">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

The IdP should reply with "Content-Type: application/x-www-form-urlencoded" containing "SAMLResponse: PHN...fCg==" which when base 64 decoded looks like

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R6229535893ec8f41746de8cd0bb42fe1008d88a7" Version="2.0" IssueInstant="2018-11-16T15:33:18Z" Destination="{recipient}" InResponseTo="-5abe3a1a-1671d27aa18--8000">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/699546</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx95004805-783d-f0ee-f32d-17d50ca7ef90" IssueInstant="2018-11-16T15:33:18Z">
        <saml:Issuer>https://app.onelogin.com/saml/metadata/699546</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#pfx95004805-783d-f0ee-f32d-17d50ca7ef90">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>uCsDHp/wXNnMIz7nkq2D7OF81zY=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>QbDsbkTMULdxYmiV8lu64jUE4BNj7ETQvUhjlgHrbaUKMaUdnluJma8T9jh8WOUEQw+Of/MGP4hMJE18f2XOJJK3X3VQnlggE5z98xjHrP0SugRH+elgQpOVkB9ht685UXtzRF6SVAIwstOGphOgqgGRwrG9fPQpN6DAKr00IOc6ItM7cbhVnA+EA8iHP8WP0n+VZXkdub9Sb/tgVkimih3/7DZPIWi6FpmlsTN88mlxBXJKnslr1Iw0ZLqLjR5dJSFz7SHrkBijirFf/kOydoQeOQrRS+6XzOmXayWCP2hHWXVvr5Ye1GbDZyjKTxMpObc+Lv6nj7llC1Mal2M0cw==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIEFzCCAv+gAwIBAgIUUVsi+5GzFHp5EeCzav01iiNyreEwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB1ZpYWxlY3QxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMDkzNzAwHhcNMTcwNjI1MTYzMjM5WhcNMjIwNjI2MTYzMjM5WjBYMQswCQYDVQQGEwJVUzEQMA4GA1UECgwHVmlhbGVjdDEVMBMGA1UECwwMT25lTG9naW4gSWRQMSAwHgYDVQQDDBdPbmVMb2dpbiBBY2NvdW50IDEwOTM3MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFTuHcxpp8/hhD8BepAo8EI9AT7dACYFfISZo9IEcBMI1af3p/mm+lV9Iz1ZvoFTddIxHQMVe686segtdkg+p/LA+bWETyRv59yDfH8B3avZkbZkXR7lYq+noMMpQwoA3JYDcJGp9Hoh7FHuhCEZZQCGMuUbGaHMTMaMipzPB7AI9Bg6nZpTmDRqzPEd6SzKJHs18W2dZxJA+lDfze2tfyBaAuC2VFqJ3R2NZhZtpUE7IqCG67zv3ItLNk0sDqPEU3/LSIGyT0+fYcVEraBpIMkLp4MQDcihyTWZSVfhdxaOr0Fn4fUV9aTS/a1a5gybK/zat0cs6pJDgBSfoh9xRUCAwEAAaOB2DCB1TAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQFLDFhCLxjqc6f+cwpm7YnNZH2PTCBlQYDVR0jBIGNMIGKgBQFLDFhCLxjqc6f+cwpm7YnNZH2PaFcpFowWDELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB1ZpYWxlY3QxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMDkzNzCCFFFbIvuRsxR6eRHgs2r9NYojcq3hMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAG/YWVdBSvyUjpO8s97Z7KPo843putSf0jgiDHtD8FGddNmdRbAwPbzWBnFupZGyPPgogoEoTRqgRalPvV0xP4PmBMJuAYssI+vwqsj9cqr4pXzpqcsGzJct8SeWSvBqbzBbu+OMbSJ5hm3RvbzSjY6nNAHY7gMe0+7V5Cd+0vzGvmSeXFnKgW7HGlP/98gmDf7KpJYmQmFDITMFc0IS0BQb13SWd7FHVchIXukqqUFFpczWx2cwUmNq1TqcGZESA3XEGbtiJ0HoEmSIQA2RLGSgEPSUgMV+UM8MhYf/bQx6VAInizM/10IokZaAQn2fzz0m5uIbf2qSMXBBoYWWWng==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tim@intra.net</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2018-11-16T15:36:18Z" Recipient="{recipient}" InResponseTo="-5abe3a1a-1671d27aa18--8000" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2018-11-16T15:30:18Z" NotOnOrAfter="2018-11-16T15:36:18Z">
            <saml:AudienceRestriction>
                <saml:Audience>{audience}</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2018-11-16T15:33:17Z" SessionNotOnOrAfter="2018-11-17T15:33:18Z" SessionIndex="_c9a77760-cbdb-0136-fc65-0233ce1b6e10">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

 

 

Overview

IWA allows for SSO using the Operating System users credentials.

Prerequisites

LDAP users have been successfully populated from AD; if not please refer to the AD Configuration Guide.

Quick reference

  1. setspn -U -S HTTP/%noodle.domain.tld %service_account
  2. Add Noodle to "Microsoft Internet Explorer > Tools > Internet Options > Security > Local intranet > Sites > Advanced"
  3. Use https://yourNoodle.tld/SPNEGO.po

Supported configurations

Browsers

Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
Note: Microsoft Edge does not support this feature.

Protocols

Kerberos in SPNEGO in GSS-API (RFC 2478)
Note: NTLM, and NegoExts are not supported.

The "Please enable the Kerberos Security Support Provider (SSP)" error indicates the wrong protocol was used.

Endpoints

AD, Azure, and F5
Note: Others may work but have not been tested

Server configuration

Define the appropriate SPN for the account which Noodle is using to bind to LDAP using one of the 4 options;

  • Within the AD Users and Groups snap-in Navigate to Noodle’s service (admin) account and set the follow attribute:
    • servicePrincipalName = HTTP/%noodle.domain.tld
  • This may also be set via command line:
    • setspn -U -S HTTP/%noodle.domain.tld %service_account
  • For Windows server 2008R2 or older command line instead use
    • setspn -A HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  • For AES instead of RC4
    • ktpass -out noodle.keytab -mapUser NoodleServiceAccount@%DOMAIN.TLD -pass  %NoodleServiceAccountPassword -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/%my.noodle.tld@%DOMAIN.TLD
    • Check the box "This account supports Kerberos AES 256 bit encryption" in the NoodleServiceAccount user.

Note:

  • Logins from the AD Kerberos Server itself are not supported because Windows will attempt NTLM.
  • Using an IP in place pf a domain name is not supported because Windows will attempt NTLM.
  • For local installs, non-primary domains can be used with IWA by placing “IgnoreIWADomain = true” into noodle.properties
  • Use an A record in the DNS, CNAMEs will break Kerberos
    • check with
      • nslookup domain.intra.net
    • workaround with
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149=true
  • Enable NTP services If the Noodle logs contain the following;
    • .intranet,ERROR+ Caused by: KrbException: Clock skew too great (37)

Browser configuration

The next step in enabling IWA requires browser configurations to attempt authentication with the Noodle intranet website.

Once the configuration is in place users will need to access Noodle via the SPNEGO.po URL (ie. https://yourNoodle.tld/SPNEGO.po).

The following section of this guide explains this process.

Microsoft Internet Explorer & Google Chrome

Both of these browsers are configured with Microsoft Internet Explorer in "Tools > Internet Options > Security > Local intranet". 

Note:  If a non-default level is in use be sure “Automatic logon only in Intranet zone” is selected in "the Custom Level".

Next we will need to add the URL of your Noodle instance in "Sites > Advanced".

Mozilla Firefox

Enter “about:config” in the address bar, press “Enter”, and click “I Accept the Risk” when prompted.

Next, search for “auth.trusted”, enter your Noodle URL in the attribute entitled “network.negotiate-auth.trusted-uris” and select OK.

At this point IWA should be fully operational for your Noodle Intranet site!