Integrated Windows Authentication (IWA)

Overview

IWA provides single sign-on (SSO) using the operating system user's credentials.

Prerequisites

LDAP users have been successfully populated from AD; if not, please refer to the AD Configuration Guide.

Quick reference

  1. setspn -U -S HTTP/%noodle.domain.tld %service_account
  2. Add Noodle to "Microsoft Internet Explorer > Tools > Internet Options > Security > Local intranet > Sites > Advanced"
  3. Use https://yourNoodle.tld/SPNEGO.po

Supported configurations

Browsers

Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
Note: Microsoft Edge does not support this feature.

Protocols

Kerberos in SPNEGO in GSS-API (RFC 2478)
Note: NTLM and NegoExts are not supported.

The "Please enable the Kerberos Security Support Provider (SSP)" error indicates the wrong protocol was used.
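To confirm which protocol a browser actually offered, decode the token from its "Authorization: Negotiate" request header. The Python below is an added example, not part of Noodle; the function names and the sample token are constructed for illustration.

```python
import base64
MECHS = {"1.2.840.113554.1.2.2": "Kerberos",  # OIDs seen in SPNEGO mechTypes
         "1.2.840.48018.1.2.2": "Kerberos (legacy Microsoft OID)",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
         "1.3.6.1.4.1.311.2.2.30": "NegoExts"}
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed: Kerberos-only offer
    "602106062b0601050502a0173015a00d300b06092a864886f712010202a20404020000")).decode()

def tlv(buf, pos):  # read one DER element, return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid(raw):  # decode DER OID content bytes to dotted-decimal form
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(header_value):  # return (kind, mechanisms offered, in client order)
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # NTLM sent without a SPNEGO wrapper
            return "raw-ntlm", ["NTLMSSP"]
        tag, body, _ = tlv(tok, 0)          # [APPLICATION 0] GSS-API framing
        _, mech, pos = tlv(body, 0)         # mechanism OID
        if tag != 0x60 or oid(mech) != "1.3.6.1.5.5.2":
            return "not-spnego", []
        body = tlv(body, pos)[1]            # [0] NegTokenInit
        for _ in range(3):                  # SEQUENCE, [0] mechTypes, SEQUENCE OF
            body = tlv(body, 0)[1]
        mechs, pos = [], 0
        while pos < len(body):
            raw, pos = tlv(body, pos)[1:]
            mechs.append(MECHS.get(oid(raw), oid(raw)))
        return "spnego", mechs
    except (ValueError, IndexError):
        return "malformed", []
```

In a SPNEGO token the first listed mechanism is the one the client is attempting, so a list that starts with NTLMSSP, or a "raw-ntlm" result, means the browser did not obtain a Kerberos ticket for the Noodle SPN.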

Endpoints

AD, Azure, and F5
Note: Others may work but have not been tested.

Server configuration

Define the appropriate SPN for the account that Noodle uses to bind to LDAP, using one of the 4 options:

  • Within the AD Users and Groups snap-in, navigate to Noodle’s service (admin) account and set the following attribute:
    • servicePrincipalName = HTTP/%noodle.domain.tld
  • This may also be set via command line:
    • setspn -U -S HTTP/%noodle.domain.tld %service_account
  • For Windows Server 2008 R2 or older, use this command line instead:
    • setspn -A HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  • For AES instead of RC4:
    • ktpass -out noodle.keytab -mapUser NoodleServiceAccount@%DOMAIN.TLD -pass %NoodleServiceAccountPassword -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/%my.noodle.tld@%DOMAIN.TLD
    • Check the box "This account supports Kerberos AES 256 bit encryption" in the NoodleServiceAccount user.

Note:

  • Logins from the AD Kerberos Server itself are not supported because Windows will attempt NTLM.
  • Using an IP in place of a domain name is not supported because Windows will attempt NTLM.
  • For local installs, non-primary domains can be used with IWA by placing “IgnoreIWADomain = true” into noodle.properties
  • Use an A record in DNS; CNAMEs will break Kerberos.
    • check with
      • nslookup domain.intra.net
    • workaround with
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149=true
  • Enable NTP services if the Noodle logs contain the following:
    • .intranet,ERROR+ Caused by: KrbException: Clock skew too great (37)

Browser configuration

The next step in enabling IWA is to configure the browser to attempt authentication with the Noodle intranet website.

Once the configuration is in place, users will need to access Noodle via the SPNEGO.po URL (e.g. https://yourNoodle.tld/SPNEGO.po).

The following section of this guide explains this process.

Microsoft Internet Explorer & Google Chrome

Both of these browsers are configured through Microsoft Internet Explorer in "Tools > Internet Options > Security > Local intranet".

Note: If a non-default level is in use, be sure “Automatic logon only in Intranet zone” is selected in "Custom Level".

Next, add the URL of your Noodle instance in "Sites > Advanced".

Mozilla Firefox

Enter “about:config” in the address bar, press “Enter”, and click “I Accept the Risk” when prompted.

Next, search for “auth.trusted”, enter your Noodle URL in the attribute entitled “network.negotiate-auth.trusted-uris” and select OK.

At this point IWA should be fully operational for your Noodle Intranet site!