Smart Card Authentication to Author

Forum|Forum|9 years ago
March 17, 2016
5 replies
1526 views

We are migrating a site from CQ 5.5 to AEM 6.1 and the site uses smart card authentication for the authors. I can't seem to get this functionality working on the 6.1 site and am not sure where to look to do this sort of authentication. It appears that we're losing the smart card credentials somewhere along the line as I can see the credentials in the 5.5 requests but not in the 6.1 requests. Here are samples from the access.log from each server:

From 5.5 server (where 1234567890 is the smart card Id): 10.2.8.137 - 1234567890 17/Mar/2016:09:47:29 -0400 "GET /libs/cq/core/content/welcome.html HTTP/1.1" 200 7448 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:30 -0400 "GET /libs/cq/core/content/welcome/welcome.css HTTP/1.1" 200 6382 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:31 -0400 "GET /etc/clientlibs/foundation/librarymanager.js HTTP/1.1" 200 3094 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:32 -0400 "GET /etc/clientlibs/foundation/jquery.js HTTP/1.1" 200 106956 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:33 -0400 "GET /etc/clientlibs/foundation/shared.js HTTP/1.1" 200 17802 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:34 -0400 "GET /libs/cq/core/content/login/login.js HTTP/1.1" 200 7001 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" 10.2.8.137 - 1234567890 17/Mar/2016:09:47:34 -0400 "GET /libs/cq/security/userinfo.json?cq_ck=1458222440717 HTTP/1.1" 200 1521 "https://qa-author.history.navy.mil/libs/cq/core/content/welcome.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36" From 6.1 server 10.2.9.137 - - 17/Mar/2016:09:39:23 -0400 "GET /libs/cq/core/content/welcome.html HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - anonymous 17/Mar/2016:09:39:23 -0400 "GET /libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown HTTP/1.1" 200 14287 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - - 17/Mar/2016:09:39:24 -0400 "GET /etc/clientlibs/granite/coralui2.css HTTP/1.1" 403 23 "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - anonymous 17/Mar/2016:09:39:24 -0400 "GET /libs/granite/core/content/login/favicon.ico HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - - 17/Mar/2016:09:39:25 -0400 "GET /etc/clientlibs/granite/jquery.js HTTP/1.1" 403 23 "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - - 17/Mar/2016:09:39:26 -0400 "GET /etc/clientlibs/granite/typekit.js HTTP/1.1" 403 23 "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - anonymous 17/Mar/2016:09:39:27 -0400 "GET /libs/granite/core/content/login/clientlib.js HTTP/1.1" 200 4024 "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - anonymous 17/Mar/2016:09:39:31 -0400 "GET /libs/granite/core/content/login/clientlib/resources/bg/default/1280x768.jpg HTTP/1.1" 304 - "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0" 10.2.9.137 - anonymous 17/Mar/2016:09:39:31 -0400 "GET /libs/granite/core/content/login/clientlib/resources/adobe-logo.png HTTP/1.1" 304 - "https://qa-author.history.navy.mil/libs/granite/core/content/login.html?resource=%2Flibs%2Fcq%2Fcore%2Fcontent%2Fwelcome.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0"

Note that the smart card Id does not show up in the logged requests in 6.1.

We are using LDAP to verify the credentials and the connection to LDAP is working in 6.1 when credentials are entered from the login screen. Has anyone implemented smart card authentication in AEM 6.1? Any tips or direction would be greatly appreciated!

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by randyn0611

The problem was indeed the SSO configuration. Once I had correctly configured both SSO and LDAP, the smart card authentication worked as expected.

smacdonald2008

Level 10

Never heard of AEM supporting this. I would recommend opening a suport ticket for a feature request.

R

randyn0611Author

Level 3

I suspect the issue is with SSO configuration. We have the Day CQ SSO Authentication Handler configured in CQ 5.5 instance and it migrated over but it doesn't appear that AEM 6.1 is picking that up as an authentication handler so I'm assuming that it was superseded by the Granite SSO Authentication Handler? I'll try configuring that to see if it resolves the problem.

O

ogill

Adobe Employee

Hi,

did you have a custom login module in 5.5? [0]

Regards,

Opkar

[0]https://docs.adobe.com/docs/en/aem/6-1/deploy/upgrade.html

R

randyn0611Author

Level 3

I don't believe there was a custom login module based on what I see in the repository.xml file. Here's the content of the <Security> element and there's no <LoginModule> defined:

<Security appName="com.day.crx"> <!-- security manager: class: FQN of class implementing the JackrabbitSecurityManager interface --> <!--SecurityManager class="com.day.crx.core.CRXSecurityManager" workspaceName="" --> <SecurityManager class="com.day.crx.core.CRXSecurityManager"> <!-- optional user manager configuration --> <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager"> <param name="usersPath" value="/home/users"/> <param name="groupsPath" value="/home/groups"/> <param name="defaultDepth" value="1"/> <param name="autoExpandTree" value="true"/> <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction"> <param name="groupPrivilegeNames" value="jcr:read"/> <param name="userPrivilegeNames" value="jcr:all"/> </AuthorizableAction> <!--AuthorizableAction class="com.day.crx.core.ntlm.NTLMAuthorizableAction"/>--> </UserManager> <!-- optional workspace access manager configuration --> </SecurityManager> <!-- access manager: class: FQN of class implementing the AccessManager interface --> <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"></AccessManager> <!-- Use LoginModule authenticating against repository itself --> <!-- <LoginModule class="com.day.crx.core.CRXLoginModule"> <param name="anonymousId" value="anonymous"/> <param name="adminId" value="admin"/> <param name="disableNTLMAuth" value="true"/> <param name="tokenExpiration" value="43200000"/> <param name="trust_credentials_attribute" value="d5b9167e95dad6e7d3b5d6fa8df48af8"/> </LoginModule> --> </Security>

I was not here when the original smart card authentication was implemented and those that did the implementation did not leave documentation behind describing what they did.

R

randyn0611AuthorAccepted solution

Level 3

The problem was indeed the SSO configuration. Once I had correctly configured both SSO and LDAP, the smart card authentication worked as expected.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded