miniOrange collaborated with a financial institution to implement a solution that enables users in the Windows Active Directory to log in automatically to its Drupal site using Kerberos authentication. The aim was to enhance the user experience by removing repeated login prompts and to improve the site's security by leveraging the robustness of the Kerberos authentication mechanism.
(For reasons of confidentiality and security, the name of the financial institution is not revealed. Nonetheless, the case study details the successful implementation of the solution.)
About the project
Requirements
The primary requirement was to enable auto-login for users who have already logged in with their Windows credentials, eliminating the need for them to remember additional login credentials. Once users have authenticated with their Windows credentials, they should be able to access the designated apps and services without logging in to each of them individually. The solution should also meet high security and authentication standards, ensuring the privacy of the users' data. Additionally, the solution should integrate smoothly with the existing Drupal site.
Challenges
- The main challenge miniOrange faced was implementing the Kerberos authentication mechanism for Drupal. Kerberos is a network authentication protocol that uses cryptography to authenticate users and systems. Implementing this mechanism required a deep understanding of Kerberos and its integration with Drupal.
- Another challenge was making the Kerberos configuration compatible between the client's web server, which is hosted on a Linux-based system, and their Windows Active Directory.
- It had to be ensured that the implementation was secure and that the integration process did not cause any disruption to the client's existing Drupal site.
Implementation
Kerberos is a network authentication protocol that can be used for single sign-on (SSO) to automatically log users in to various services and applications without requiring them to enter their credentials multiple times. It is commonly used to provide secure authentication and authorization for users in a distributed network environment. SPNEGO wraps Kerberos and allows a client and server to negotiate which security mechanism to use; in a browser, it is how the Kerberos ticket is carried to the web server in the HTTP Negotiate header.
For example, once the user has successfully logged in to their organization’s workstation, the user need not be authenticated again while trying to access the organization’s Drupal site.
Kerberos SSO is a ticket-based authentication mechanism used in Active Directory environments. When a user logs in, the Kerberos Key Distribution Center (KDC) issues a ticket-granting ticket (TGT), which is then used to obtain service tickets that authenticate the user to each application. Tickets are encrypted, and the user's password is never transmitted over the network.

The miniOrange LDAP/Active Directory Integration module provides support for both Kerberos and NTLM SSO authentication mechanisms, allowing users in the Windows Active Directory to auto-login to the Drupal site seamlessly. The module is compatible with all versions of Drupal and provides a user-friendly interface for configuration and management.
During the implementation of our Kerberos auto-login solution, we had to collaborate with multiple teams and configure various components to ensure seamless authentication. Firstly, on the Windows server, we created a keytab file containing the service principal's long-term cryptographic key, which the web server needs to decrypt the Kerberos service tickets that users present. This key is registered with the Key Distribution Center (KDC), the Active Directory domain controller, and stored securely in the keytab file.
Next, we configured the keytab file on the Linux server where the web server hosting the Drupal site was deployed. The keytab file was transferred to the Linux server and integrated into the Kerberos authentication process. This step enabled the Linux server to authenticate users using the Kerberos protocol, validating the tickets they present against the key issued by the Windows Active Directory.
Collaboration was crucial in making the necessary configurations on both the Windows Active Directory and the Linux server. We worked closely with the Windows Active Directory team to ensure that the appropriate settings were in place to support Kerberos authentication. This involved configuring the Active Directory realm, defining the service principal name, and establishing trust between the Linux server and the Active Directory domain.
To integrate the Kerberos authentication with our Drupal site, we leveraged the miniOrange LDAP/AD Integration module. This module provided the necessary functionality to connect our Drupal site with the Windows Active Directory and LDAP services. We configured the module to communicate with the Active Directory server, allowing seamless user authentication and authorization using the Kerberos protocol.
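The keytab that moves from the Windows server to the Linux web server in the steps above is worth inspecting before it goes live. The following is an added example, not miniOrange's code or part of the original case study: it parses the binary keytab format (the same records klist -kt lists) and flags a missing HTTP/ service principal or weak encryption types; the realm, host name and key bytes are constructed placeholders.

```python
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # RFC 3961/4757 numbers to refuse
_c = lambda s: struct.pack(">H", len(s)) + s  # keytab counted octet string: u16 length, then bytes

def _rd(buf, off):  # inverse of _c: returns (bytes, offset just past them)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _entry(realm, comps, kvno, etype, key, deleted=False):  # deleted: negative size, as ktutil leaves
    body = struct.pack(">H", len(comps)) + _c(realm) + b"".join(map(_c, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + _c(key)  # name_type, timestamp, kvno8, etype
    return struct.pack(">i", -len(body) if deleted else len(body)) + body

# Constructed sample, not a real keytab: AES256 key for the SPN, a deleted slot from an
# older kvno, and an RC4 key of the kind ktpass writes unless /crypto selects AES.
SPN = "HTTP/drupal.example.com@EXAMPLE.COM"
_R, _P = b"EXAMPLE.COM", [b"HTTP", b"drupal.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(_R, _P, 3, 18, b"\x11" * 32)
                 + _entry(_R, _P, 2, 18, b"\x22" * 32, deleted=True)
                 + _entry(_R, _P, 3, 23, b"\x33" * 16))

def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT/Heimdal keytab into one dict per live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:                 # negative size marks a deleted slot: skip its hole
            off -= size
            continue
        end, (ncomp,) = off + size, struct.unpack_from(">H", data, off)
        names, off = [], off + 2
        for _ in range(ncomp + 1):    # realm comes first, then the principal's components
            s, off = _rd(data, off)
            names.append(s.decode())
        _, _, kvno = struct.unpack_from(">IIB", data, off)   # name_type, timestamp, kvno8
        (etype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _rd(data, off + 11)
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "kvno": kvno, "enctype": etype, "key_len": len(key)})
        off = end                     # skips an optional trailing 32-bit kvno, if present
    return entries

def check_keytab(data, expected_spn):  # findings to clear before copying the keytab to the web server
    entries = parse_keytab(data)
    findings = [] if any(e["principal"] == expected_spn for e in entries) else ["missing SPN " + expected_spn]
    return findings + ["weak enctype %s for %s" % (WEAK_ENCTYPES[e["enctype"]], e["principal"])
                       for e in entries if e["enctype"] in WEAK_ENCTYPES]
```

Run against a real keytab with `check_keytab(open("/path/to/http.keytab", "rb").read(), SPN)`, substituting the service principal registered in Active Directory.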
Overall, the implementation process involved close collaboration with different teams, including the Windows Active Directory team, Linux server administrators, and Drupal developers. By establishing the required configurations and integrating the necessary components, we successfully deployed a Kerberos auto-login solution that enhanced security and streamlined the authentication experience for our users.
Results
The implementation of the Kerberos or NTLM SSO authentication mechanism has provided several benefits to the client. Windows Active Directory users can now log in automatically to the Drupal site and access its resources after logging in to their workstations with their Windows credentials, enhancing the user experience. The solution also simplified user management for the customer, as users can now easily access all the applications they are authorized to use.
Moreover, the Kerberos or NTLM SSO authentication mechanism has effectively eliminated the possibility of unauthorized access to applications and sites. By leveraging robust security and authentication standards, the mechanism ensures that users can only access the designated accounts and applications they are authorized for. This eliminates the risk of individuals accessing unauthorized apps and sites, enhancing overall data security and mitigating the potential for data breaches.
Overall, the implementation of the solution has significantly enhanced the user experience, streamlined user management, and reinforced the security and integrity of the client's Drupal site. The solution's ability to provide seamless access to authorized applications and prevent unauthorized access has resulted in improved efficiency and strengthened data protection for the client's systems.
Conclusion
The successful implementation of the Kerberos SSO authentication mechanism with Drupal has provided the financial institution with a highly secure and user-friendly solution that enhances the user experience and protects against security threats. The collaboration between miniOrange and the financial institution resulted in a successful project that demonstrates the effectiveness of the miniOrange LDAP/Active Directory Integration module in conjunction with complex authentication mechanisms such as Kerberos or NTLM SSO. The module has proven to be a valuable addition to the client's Drupal site, providing seamless integration and improving the overall user experience.
Why Drupal was chosen
- Drupal was chosen for its extensibility, flexibility, and robust security features.
- Drupal is a highly customizable CMS that provides a vast array of modules and APIs, making it easier to integrate with various technologies and systems.
- Additionally, Drupal is known for its excellent security features, making it a natural choice for a project that requires high-level security and authentication standards.
Technical Specifications
Drupal version:
Key modules/theme/distribution used: