
CSSR016_AC_EN_Authentification_LDAP_Kerberos_CAS_SAML.docx
Setting up LDAP/KERBEROS/CAS/SAML authentication in Kelio
TIME & ATTENDANCE MANAGEMENT
BODET Software
SUPPORT CONSULTANT
Systems & Networks
CS 40211 | Boulevard du Cormier
49302 CHOLET Cedex | FRANCE
Last updated: 04/02/2021

SETTING UP
LDAP/KERBEROS/CAS/SAML
AUTHENTICATION
IN KELIO

Index Date Comments Author


AC 18/11/2020 Addition of link to Azure conf doc ABEL
AB 09/11/2020 Reference AUTO_SAML_JKS script JCO
AA 16/10/2020 Addition of LDAP error JCO
Z 04/02/2020 Addition of LDAP error JCO
Y 20/11/2019 Addition of Kerberos error scenario VTA
X 05/11/2019 Correction of SAML configuration page ABEL
W 18/07/2019 Validation EMA
V 17/07/2019 Addition of SAML explanations MJ
U 18/12/2018 Formatted document OV
T 14/12/2018 Added G Suite SAML screenshots JCO
S 11/09/2018 Added a Kerberos issue with Chrome JCO
R 29/06/2018 Added a screenshot for Azure JCO
Q 11/05/2018 Updated screenshots and added a Kerberos error scenario JCO
O 05/04/2018 Integrated stylistic changes by P. Lahalle EMA
N 12/02/2018 Addition of a Kerberos error scenario JCO
M 29/01/2018 Addition of SAML IdP + correction of links JCO
L 23/01/2018 Modification page 45 ABEL
K 23/10/2017 Rereading/correction/validation EMA
J 22/08/2017 Updating of tools + SAML, deletion of NTLM JCO
I 18/08/2016 Logo updated EMA
H 04/08/2016 Document name changed EMA
G 04/08/2016 Style modification for Trados EMA
F 04/11/2015 Example of LDAP configuration and reformatting VM
E 22/05/2014 Addition of CAS authentication VM
D 28/08/2013 Correction error on kvno parameter VM
C 01/08/2013 Addition of LDAPS VM
B 29/03/2012 Replacement of NTLM by Kerberos VM
A 04/02/2011 Creation VM
This document is the exclusive property of Bodet Software. All communication, reproduction and use is prohibited without prior written authorisation from Bodet Software.
Page 1/73

TABLE OF CONTENTS

1 PREREQUISITES 5
2 USING THE LDAP PROTOCOL 6
2.1 Compulsory parameters 7
2.2 Pre-set parameters 8
2.3 LDAPS 9
2.3.1 Importing the certificate in the JRE server 9
2.3.2 Setup in Kelio 12
2.4 Specific case: directory partitioning 12
2.4.1 The LDAP directory is an Active Directory 12
2.4.2 Other directory types 13
2.5 Optional parameters: filtering on a security group 14
2.6 Setup help 16
2.6.1 Bodet Support ToolBox tools 16
2.6.2 Example of setup 18
2.6.3 Directory explorers 19
2.7 Configuration test without filter on membership of the BODET role 21
2.7.1 Correct setting 23
2.7.2 The DN entered in the configuration is wrong (error code 49) 23
2.7.3 User not found 24
2.7.4 URL and login are OK but password is incorrect (bad credentials) 24
2.7.5 SSL error if LDAPS (SSLHandshakeException) 25
2.7.6 The LDAPS connection is not activated 26
2.7.7 The LDAP server is taking too long to respond 26
2.7.8 Mandatory LDAPS encryption 26
2.8 Configuration test with filter on membership of the BODET role 27
2.8.1 Case 1: correct setup 27
2.8.2 Case 2: user roles not found 27
2.8.3 Error: PartialResultException (unprocessed continuation reference) 28
2.9 Behaviour of the Kelio portal 29
3 USING KERBEROS 30
3.1 CREATING A DEDICATED KELIO AUTHENTICATION USER 31
3.2 CREATING THE MAIN AUTHENTICATION SERVICE 32
3.2.1 Setup help 32
3.2.2 Information on the ktpass command 36
3.2.3 Information on the other parameters of conf.properties 37
3.3 KNOWN PROBLEMS 38
3.3.1 Incorrect encrypted key 38
3.3.2 Incorrect keytab file path or keytab generated with an incorrect command 40
3.3.3 Time shift between the client station and the KDC 41
3.3.4 Wrong connection address 41

3.3.5 Problem with case-sensitivity in the login 41
3.3.6 Problem configuring the browser 42
3.3.7 Problem of SPN duplicate 43
3.3.8 Problem of truncated Kerberos token 44
3.3.9 RC4-HMAC-NT 44
3.3.10 CNAME resolving issue with Chrome 69 45
3.3.11 Problem generating the keytab: "aborted" 46
4 AUTHENTICATION FROM A CAS SERVER 47
4.1 SETUP IN KELIO 48
4.2 Compulsory parameters for authentication 48
4.3 Optional parameters used to customise the authentication 49
4.4 KNOWN PROBLEMS 50
4.4.1 Authentication cohabitation 50
4.4.2 Problem with case-sensitivity in the login 50
4.4.3 SSL error when accessing the CAS server 50
5 AUTHENTICATION USING THE SAML PROTOCOL 51
5.1 Introduction 51
5.1.1 The principle of identity federation 51
5.1.2 Propagation protocols and identity federation 52
5.1.3 Using SAML with Kelio 53
5.2 Retrieval of the metadata from the IdP 53
5.3 Setup in Kelio 54
5.4 Retrieval of the SP metadata (Kelio) 56
5.5 Client workstation setup 56
5.6 Connection test 56
5.7 Some setup examples 57
5.7.1 IdP Jumpcloud 57
5.7.2 IdP Sign-and-Go 58
5.7.3 IdP ADFS 59
5.7.4 G Suite (Google) 60
5.7.5 Azure 61
5.8 Examples of IdP configuration 62
5.8.1 ADFS 62
5.8.2 OKTA 67
5.8.3 Azure 68
5.8.4 G Suite (Google) 68
5.9 Errors encountered 73
5.9.1 Entered attribute not present in the assertion 73
5.9.2 OneTimeUse 73
5.9.3 Authentication pop-up on Java modules 73
5.9.4 Response issue time is either too old 73

Subject:
This document presents all of the authentication modes available in Kelio.

We use two types of Kelio platform. In the interests of simplification, these are referred to in abbreviated
form as follows:
- KPIO: Kelio Prima, Integral, Optima
- KOPPP: Kelio One, Pro, Pro Plus

Currently (October 2017), there are four authentication modes available:

1- Manual authentication with the LDAP protocol (KPIO >=9.2 and all KOPPP versions)
2- Kerberos automatic authentication (KPIO >=9.2 and all KOPPP versions)
3- CAS authentication (KPIO >=14.5B4 and all KOPPP versions)
4- SAML authentication (not available for KPIO and KOPPP >=2.2)

Implementation of these authentications does not depend on any option in the certificate, it is available on
all versions of the Kelio solutions.

When updating from V9, if NTLM was used, you must change the setup to Kerberos
authentication, because migration from NTLM to Kerberos is not possible.

Lightweight Directory Access Protocol (LDAP) is a protocol that allows directory services to be accessed
and changed. This protocol is based on TCP/IP. It has evolved to represent a standard for directory systems,
including a data model, a naming model, an operational model based on the LDAP protocol, a security
model and a replication model (source: Wikipedia).

Kerberos is a network authentication protocol which is based on a secret key mechanism (symmetric
encryption) and the use of tickets rather than plain-text passwords, thereby avoiding the risk of fraudulent
interception of user passwords (source: Wikipedia).

Central Authentication Service (CAS) is an authentication system which was originally created by Yale
University to provide applications with a reliable way to authenticate users. A user is authenticated on a
single Website and is then authenticated on all the Websites that use the same CAS server. It avoids the
need for users to authenticate themselves each time they access an application by implementing a ticket
system (source: Wikipedia).

Security assertion markup language (SAML) is an IT standard defining a protocol for exchanging
information relating to security. Based on the XML language, SAML was developed by OASIS. SAML offers
single sign-on (SSO) authentication on the web. A user can therefore browse several different sites, only
signing on once, without the need for all of these sites to have access to highly confidential information.
(source: Wikipedia)


1 PREREQUISITES
Before anything else, the required authentication mode must be determined in conjunction with the
customer:
- Either an SSO automatic authentication with Kerberos
- Or a manual mode where the user must enter their identifiers.
- Or a Web SSO authentication from a CAS server
- Or a Web SSO authentication with the SAML protocol

These different modes may be combined. If Kerberos and CAS are put in place on Kelio at the same time
(which makes no sense in technical terms), Kerberos authentication will take priority.

If the customer wants Kerberos authentication, it is best to activate LDAP in parallel. In fact, if the user
wishes to connect to Kelio during a Windows session which is not their own, or if for any reason the SSO
authentication does not work, it is still possible to be authenticated using LDAP with the user's Windows
password. In addition, SSO authentication may inherit an option from the LDAP mode: the access filter on
membership of a role. However, if the customer only wants LDAP, there is no need to configure SSO.

With the four authentication modes, the Kelio login must correspond to the session opening account for
Kerberos/LDAP or the authentication attribute on the CAS or the SAML.

The user logins in Kelio may be updated using the V2 employee import, data exchange module user data
or simply by hand.
V2 employee import is not detailed in this document. However, to try to make the task easier, information
such as the DN, givenName, etc. may be exported from an Active Directory.
To do this, the following command must be launched:

csvde -f adusers.csv -r objectcategory=person -l "givenName,sn,sAMAccountName"

The adusers.csv file obtained on output is not formatted in relation to the file format expected by the V2
employee import, but this is already a first working base.

The login in Kelio is case-sensitive, as the database is configured as 'case sensitive' by default.
Care must be taken when importing or manually entering logins, otherwise the authentication will return
an error.
This is valid for all authentication modes. This anomaly is recorded in the file ANO-27139:
LDAP/KERBEROS: Do not set as case sensitive.


2 USING THE LDAP PROTOCOL


An LDAP directory is a tree structure made up of entries which are themselves made up of a set of attributes.

Each entry has a unique identifier, the Distinguished Name (DN), which represents the entry name in the
form of the access path to it from the top of the tree.

The naming of the items making up the tree often reflects the political, geographical or organisational model
of the structure represented. The current trend is to use DNS naming for the basic items of the directory
(root and initial branches: domain components or dc=…). The deeper branches in the directory can
represent organisational units or groups (organisational unit: ou), persons (common name: cn), or a user
identifier (uid).

          dc=bod
            |
         dc=cholet
         /        \
ou=assistance   ou=test_GTP
      |
  cn=techsac

Kelio can synchronise with any directory that supports LDAP-format queries: Microsoft Active Directory, AD
LDS (Active Directory Light), OpenLDAP, Mac, Novell, etc.

Kelio will check in the directory whether the identification checks entered on the Kelio portal are correct
before granting access to the application.

The user must therefore enter their login and password - there is no automatic authentication.

The set up and activation of this interface is carried out in the Conf.properties of the supervisor module. The
corresponding settings can be found in the LDAP section.

2.1 Compulsory parameters
Amongst all of these possible settings, we will see those that are needed for activating the interface, those
which are pre-configured to respond to a maximum of configurations and finally those which are optional in
relation to customer expectations.

The LDAP URLs enable the Web clients to have direct access to the LDAP protocol. They represent a
simple method for pointing to a directory, or even a part of a directory. They have the advantage of not
requiring any knowledge of programming.

The syntax of a URL is ldap[s]://<hostname>:<port>/<base_dn>, where:

- <hostname>: server address
- <port>: TCP port of the connection; by default this is port 389
- <base_dn>: Distinguished Name of the entry which is the starting point for the search.

Several LDAP URLs can be entered; this is used in the case of a replicated directory. The entries must be
separated by a space, and the only other condition is that the base_dn must be common to all the URLs
entered.

Different LDAP directories cannot be accessed.
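The rules above (URL form, default ports, one space between replicated URLs, common base_dn) can be checked before Tomcat is restarted. The following script is an added example, not code from the original document or from Kelio: it parses each entry of an ldap.url value and reports what is wrong with it; the hostnames in the sample values are constructed.

```python
"""Validator for the ldap.url setting as described on this page.

Added example, not Kelio's own code.  Rules implemented from the text:
  * each entry has the form ldap[s]://<hostname>:<port>/<base_dn>
  * the port defaults to 389 for ldap and 636 for ldaps
  * several URLs (replicated directory) are separated by a space
  * the base_dn must be common to all the URLs entered
"""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split one ldap[s] URL into scheme, host, port and base_dn.

    Raises ValueError with a readable message when the entry is malformed.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"{url!r}: scheme must be ldap or ldaps")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing hostname")
    try:
        port = parts.port          # ValueError if not numeric or out of range
    except ValueError as exc:
        raise ValueError(f"{url!r}: invalid port") from exc
    if port is None:
        port = DEFAULT_PORTS[scheme]
    base_dn = unquote(parts.path).lstrip("/")
    if not base_dn:
        raise ValueError(f"{url!r}: missing base_dn after the host")
    return {"scheme": scheme, "host": parts.hostname, "port": port, "base_dn": base_dn}


def normalise_dn(dn):
    """Comparison form of a DN: LDAP DNs are case-insensitive and tolerate
    spaces around the commas (simplified: escaped commas are not handled)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def validate_ldap_url_setting(value):
    """Return the list of problems found in an ldap.url value (empty = OK)."""
    entries = value.split()        # the separator between URLs is a space
    if not entries:
        return ["ldap.url is empty"]
    problems, parsed = [], []
    for entry in entries:
        try:
            parsed.append(parse_ldap_url(entry))
        except ValueError as exc:
            problems.append(str(exc))
    base_dns = {normalise_dn(p["base_dn"]) for p in parsed}
    if len(base_dns) > 1:
        problems.append("base_dn differs between URLs (" + "; ".join(sorted(base_dns))
                        + "): different LDAP directories cannot be accessed")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the hostnames are not from the page.
    for value in ("ldaps://localhost:636/dc=myCompany,dc=com",
                  "ldap://dc1.example.test/dc=cholet,dc=bod ldap://dc2.example.test/DC=CHOLET,DC=BOD",
                  "ldap://dc1.example.test/dc=cholet,dc=bod ldap://dc2.example.test/dc=bod"):
        print(value, "->", validate_ldap_url_setting(value) or "OK")
```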

These are the Distinguished Name and the password of a user account that has the right to connect to the
directory.

A read-only account is sufficient since we are not going to write to or change anything in the directory but
simply compare the information entered on the Kelio portal with that contained in the directory.
This account must not have a password expiration policy.

If the directory accepts the anonymous connections, these two parameters are no longer compulsory.

This parameter is used to activate the LDAP authentication. The default value is FALSE, and LDAP
authentication is not active. To activate it, change the value to TRUE.

Tomcat must be re-booted to take this setting into account.

Before rebooting, it is possible to check that the preceding entries have been correctly set up by using the
LDAP test available in the supervisor module.

2.2 Pre-set parameters

These settings are already configured in order to respond to the maximum number of client configurations.
They correspond to the configuration for an Active Directory.

The ldap.userSearch setting contains the user search filter from the directory root.

Object classes model real or abstract objects by characterising them according to a list of optional or
compulsory attributes.

The default value (‘samaccountname’ attribute of the 'user' object class) is valid for a search in an Active
Directory as the user logins are stored in the samaccountname attribute.

In the case of a non-Active Directory, the object class and attribute used must be modified accordingly. The
simplest way to find out which attribute to use is to connect with a JXplorer-type LDAP explorer and look at
the existing attributes.
See Setup help: Directory explorers.

The ldap.userDnPatterns setting contains the user search structure from the directory root.

This setting allows a connection to be made with the directory in order to authenticate the user. This
functionality is only possible if the directory is made up in such a way that the users' Distinguished Name
contains the login.

This is not true in the majority of cases. For example, if user John SMITH has the login jsmith and his DN
is "CN=Smith John ,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD" then this login will not be
possible.

When it is not possible to log in (as in almost 100% of cases), authentication will take place via a specified
search using the previous parameter: ldap.userSearch. The ldap.userDnPatterns parameter may then
be empty, thus avoiding attempts to connect for no reason.

2.3 LDAPS
It is possible to have a secured URL for the authentication using an LDAPS protocol (LDAP over TLS). The
standard TCP port for LDAPS is 636.

Prerequisite: The customer must set up the LDAP directory to enable LDAPS connections and must provide
the SSL certificate derived from the ‘DomainController’ (for an AD) model used to authenticate the client
and server.

2.3.1 Importing the certificate in the JRE server


As in all Exchange synchronisations that use SSL, the certificate provided by the customer must be imported
in the keystore of the JRE server if it is self-signed or signed by a non-public authority.

Portecle is a tool developed in Java (http://portecle.sourceforge.net) which, among other things, allows
certificates to be imported into a keystore.

Run the tool using portecle.jar (autoexecutable file). Under Windows 7, Vista, 2008 and 2008 R2, it must
be run from a "run as administrator" command prompt.

1 – File > Open Keystore File
2 – Select the cacerts file in .\BODET\Open\BodetJRE\lib\security
3 – Enter the password: changeit
4 – Tools => Import Trusted Certificate, then choose the certificate to be imported (.cer)


5 – Validate the message
6 – View the contents of the certificate
7 – Accept the certificate
8 – Validate the alias name

9 – Save the changes

10 – Restart Tomcat

Given the cumbersome nature of the operation, you are strongly advised to save the certificate
and the keystore after the authentication has been carried out.
In KPIO, not all of these changes are kept during a software update or reinstallation. The
keystore (cacerts file) ‘emptied’ by the installation must therefore be replaced by this backup to
restore the functionality of this service without delay.

2.3.2 Setup in Kelio

The URL is configured by simply specifying ldaps as the scheme and port 636 (the default). All the other
settings are the same for LDAP and LDAPS.

Example: ldaps://localhost:636/dc=myCompany,dc=com

2.4 Specific case: directory partitioning

Partitioning consists of breaking up the directory data over several servers.


It may be imposed by:
- the volume of entries to be managed
- their management which is spread over several sites
- the types of access to the physical network
- the company's organisational methods

In this case, a user x will not necessarily be known on all servers.


2.4.1 The LDAP directory is an Active Directory

Each controller contains a complete copy of its domain partition but does not have other domain partitions
from the forest.

For this reason, objects which belong to its domain can easily be found but objects from another domain
cannot be located.

The global catalogue has a copy of the main attributes of all objects present in the forest. It therefore makes
it possible to search the whole of the forest.

A global catalogue is, quite simply, a functional feature which must be activated on a domain controller. By
default, a forest's first domain controller is promoted as a global catalogue.

Queries at global catalogue level are LDAP type and are carried out on port 3268.

Example of a possible setup: ldap://172.16.20.18:3268/dc=BOD

This is the case in the Bodet group - the setup is based on the global catalogue of the forest called 'BOD'.

2.4.2 Other directory types

The Referral concept exists if a directory is partitioned. This is a piece of information returned to the client
by the LDAP server when the entry searched for does not belong to its tree structure, indicating to which
server it must redirect its reformulated query. This enables links to be made between several directories.

This mechanism is not operational when the LDAP directory is an Active Directory, and it is not required to
be in place in other types of LDAP directory.

The ldap.referral parameter enables a server to pass on user requests when the searched for object does
not belong to the tree that it manages.
The default value is empty; it may take one of the following values:
- follow: automatically follow the referral.
- ignore: ignore the information provided by the referral. This mode is not supported by all LDAP servers (for example, ADs).
- throw: means that the information provided by the referral must be rejected.

Active Directory servers typically have a problem with referrals. Normally, a referral should be followed
automatically, but that does not seem to work with Active Directory servers.

The problem manifests itself by a 'PartialResultException' type message when a referral is encountered by
the server.

Supplying the value "true" for this parameter allows the problem to be bypassed by ignoring the exception.

2.5 Optional parameters: filtering on a security group

It is possible to add an extra filter that is managed by the LDAP directory: membership of a role. This filter
complements the Kelio rights manager.

It should only be used in large organisations who want to catalogue access to applications without going
into the operation of the applications. The user must be a member of the referenced role in order for access
to be authorised, then Kelio rights will be checked.

The following settings are all needed for the filter to operate.

Allows the filter to be activated when the user belongs to a role. To do so, set the value to TRUE.

The open.userRole parameter contains the name of the role used for this filter: default value: BODET

Users are attributed roles from the groups of which they are members.
A role name is built as follows: "ROLE_" + the value of the group attribute specified in ldap.groupRoleAttribute.

The ldap.groupRoleAttribute parameter contains the identifier of the attribute holding the name of the
role for a group. The default value "cn" corresponds to an Active Directory.

Example: the directory contains the following groups:

objectClass = group
cn = BE Software
member = CN=Bond James,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD
member = CN=Drouard Aurelien,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD
member = CN=Smith John ,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD

objectClass = group
cn = Test
member = CN=Bond James,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD
member = CN=Durand Jacques,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD

We may then determine that:


- Drouard Aurelien and Smith John: ROLE_BE Software
- Bond James: ROLE_BE Software, ROLE_Test
- Durand Jacques: ROLE_Test

So if the open.userRole parameter contains the value "BE Software", then only the users Bond James,
Drouard Aurelien and Smith John will be able to connect to Kelio.


The ldap.groupSearchBase setting is used to specify the location from where the role search must be
carried out.
The property must be relative to the base_dn specified in the LDAP URL.
If the value is blank, the search is carried out from the root of the directory. It is wise to complete this setting
when dealing with a complex directory, in order to avoid running through the whole directory on each Kelio
user connection.

The ldap.searchSubtree setting specifies whether the role search must be carried out in the entire
directory sub-tree below the node specified by the preceding setting (ldap.groupSearchBase).
If this setting contains FALSE, the search is carried out at a single level only.
Default value: false

The ldap.groupSearchFilter setting contains the search filter for roles attributed to users.
Default value: (uniqueMember={0})
{0} represents the DN (Distinguished Name) of the user.

Example, the directory contains the following group:

objectClass = group
cn = BE Software
member = CN=Bond James,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD
member = CN=Drouard Aurelien,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD
member = CN=Smith John ,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD

Then the ldap.groupSearchFilter parameter must take the value: (member = {0})
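To make the role derivation concrete for both group examples above, here is an added Python example (not Kelio's own code): it reproduces the two quoted groups as constructed entries, substitutes the user DN for {0} in ldap.groupSearchFilter, limits the search to ldap.groupSearchBase with or without ldap.searchSubtree, builds the ROLE_ names from ldap.groupRoleAttribute and applies the open.userRole filter. The group DNs under OU=Groups, the base_dn DC=CHOLET,DC=BOD and the key role_filter_enabled (the page does not name the activation parameter) are assumptions.

```python
"""Role derivation for the LDAP security-group filter described on this page.

Added example, not Kelio's own code. The group entries are constructed from
the two groups quoted in the text; their DNs (under OU=Groups) are assumed.
"""
import re

BASE_DN = "DC=CHOLET,DC=BOD"  # base_dn of the ldap.url setting (assumed)

# Constructed sample directory: attribute name -> list of values, plus the entry DN.
SAMPLE_GROUPS = [
    {"dn": "CN=BE Software,OU=Groups,DC=CHOLET,DC=BOD",
     "objectClass": ["group"], "cn": ["BE Software"],
     "member": ["CN=Bond James,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD",
                "CN=Drouard Aurelien,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD",
                "CN=Smith John ,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD"]},
    {"dn": "CN=Test,OU=Groups,DC=CHOLET,DC=BOD",
     "objectClass": ["group"], "cn": ["Test"],
     "member": ["CN=Bond James,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD",
                "CN=Durand Jacques,OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD"]},
]

# Settings as they would appear in conf.properties. "role_filter_enabled" is a
# placeholder for the activation parameter, whose name the page does not give.
CONF = {
    "role_filter_enabled": True,
    "open.userRole": "BE Software",
    "ldap.groupRoleAttribute": "cn",
    "ldap.groupSearchBase": "OU=Groups",   # relative to BASE_DN
    "ldap.searchSubtree": False,           # default: single level
    "ldap.groupSearchFilter": "(member = {0})",
}

# Only the simple "(<attribute>={0})" filter form used on this page is supported.
FILTER_RE = re.compile(r"^\(\s*(?P<attr>[A-Za-z][\w-]*)\s*=\s*\{0\}\s*\)$")


def norm_dn(dn):
    """Comparison form of a DN: case-insensitive, spaces around RDNs ignored.
    Simplified: escaped commas inside values are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive (member vs Member)."""
    for key, values in entry.items():
        if key != "dn" and key.lower() == name.lower():
            return values
    return []


def in_search_scope(entry_dn, search_base, subtree):
    """Is entry_dn under <search_base>,<BASE_DN>, at one level or anywhere below?"""
    scope = norm_dn(f"{search_base},{BASE_DN}" if search_base else BASE_DN)
    dn = norm_dn(entry_dn)
    if not dn.endswith("," + scope):
        return False
    if subtree:
        return True
    # Single level: exactly one RDN between the entry and the scope node.
    return "," not in dn[: -len(scope) - 1]


def roles_for_user(user_dn, groups, conf):
    """Build the ROLE_<attribute> list Kelio would derive for this user DN."""
    match = FILTER_RE.match(conf["ldap.groupSearchFilter"])
    if not match:
        raise ValueError("only filters of the form (<attribute>={0}) are supported here")
    member_attr = match.group("attr")          # {0} is replaced by the user's DN
    role_attr = conf["ldap.groupRoleAttribute"]
    target = norm_dn(user_dn)
    roles = []
    for group in groups:
        if not in_search_scope(group["dn"], conf["ldap.groupSearchBase"],
                               conf["ldap.searchSubtree"]):
            continue
        if any(norm_dn(value) == target for value in get_attr(group, member_attr)):
            roles.extend("ROLE_" + value for value in get_attr(group, role_attr))
    return roles


def access_allowed(user_dn, groups, conf):
    """The LDAP-side filter: the user must hold ROLE_<open.userRole>.
    Kelio's own rights are checked afterwards and are not modelled here."""
    if not conf["role_filter_enabled"]:
        return True
    return ("ROLE_" + conf["open.userRole"]) in roles_for_user(user_dn, groups, conf)


if __name__ == "__main__":
    for name in ("Bond James", "Drouard Aurelien", "Smith John", "Durand Jacques"):
        dn = f"CN={name},OU=BE_GTP,OU=CHOLET,DC=CHOLET,DC=BOD"
        print(name, roles_for_user(dn, SAMPLE_GROUPS, CONF),
              "allowed" if access_allowed(dn, SAMPLE_GROUPS, CONF) else "refused")
```

With the default filter (uniqueMember={0}) the same groups yield no role at all, which is the "User roles not found" case of the configuration tests.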

2.6 Setup help
2.6.1 Bodet Support ToolBox tools
Generally speaking, it is strongly recommended not to enter parameters manually. This is a source of
errors which can easily be avoided using the right tools.

1. Download the Bodet tech tools at https://release.bodet-software.com/open/Release/Tools/


2. Run this executable file from a session of a user registered in the AD.
If your current account is not in the AD, it is possible to run “as a different user” using the Shift +
right-click combination on the tool:

3. Then simply enter the account of the AD reserved for the Kelio LDAP

4. Run the LDAP wizard

5. Enter the username and password of the Kelio AD account (this step is not necessary if you have
run the tool using the Kelio AD account).

6. Now simply copy-paste the information ldap.userDn and ldap.url in the conf.properties part of the
supervision module.
7. It is not necessary to modify information “manually”, if you do so, you are probably making a
mistake.

2.6.2 Example of setup

The screenshots that follow are examples of customer setups. Several setups, according to the type of
directory, are shown. Information specific to customers has been blurred out.

Setup with an Active Directory (screenshot): multiple URLs with an identical base DN; the search pattern is
empty so an unnecessary connection is not made.

Setup with an AD LDS (screenshot): use of attributes specific to an AD LDS.

Setup with a Mac OS directory service (screenshot): use of Mac OS-specific attributes for user searches (uid).

Setup with OpenLDAP and membership of a security group (screenshot): role search enabled; for the parameters linked to the role, see 2.5.

2.6.3 Directory explorers

There are many directory explorers that enable the technician to view the directory objects precisely.

In this document we use JXplorer, an open source LDAP browser written in Java. Because it relies on the same Java LDAP (JNDI) layer as Kelio, its error messages are exactly the same as those found in Kelio, which is why this tool has been chosen.

Download JXplorer from the publisher's site (http://jxplorer.org/downloads/users.html). It can be installed on any machine in the network, but it is recommended to install it on the Kelio server: the test then goes through the same DNS resolution and the same firewall rules as Kelio itself.

The installation is not detailed as everything is left at its default.

The following example intentionally uses a non Active Directory LDAP (a Mac OS directory service) in order to show the non AD-oriented attributes.

1 – ‘File’ > ‘Log in’

2 – Set up the connection (screenshot): enter the LDAP address and port, and the base DN from which the search must be performed. Anonymous connections are often accepted; otherwise add a user and their password. To reproduce what Kelio will do, bind with the ldap.userDn account rather than anonymously: an Active Directory does not let an anonymous bind read user attributes by default, so an anonymous test can succeed where the Kelio configuration fails, or the reverse.

3 – Connection (screenshot): once the connection is established, the tree structure under the base DN to which we are connected is displayed.

4 – Tip to copy the DN: right-clicking on any object allows you to copy its DN.

5 – Select the user from the tree and go to the "Table Editor" tab (screenshot). Note that the ‘sAMAccountName’ attribute does not exist in this directory (non Active Directory). To search for the user, the 'uid' attribute of the 'person' object class can be used instead. The ldap.userSearch parameter in Kelio will then take the value (&(objectclass=person)(uid={0})).
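The {0} placeholder above is filled with the login typed on the Kelio portal. As an added example (not Kelio code), the Python below shows how that substitution should be done by whatever performs it: the login is escaped as RFC 4515 requires before it replaces {0}, so that a login containing *, ( or ) cannot change the meaning of the filter (LDAP filter injection). The function names, the Active Directory template and the sample logins are assumptions made for this example; the Mac OS template is the one from step 5.

```python
"""Safe substitution of the login into the ldap.userSearch template.

Added example, not Kelio code. Kelio replaces {0} in ldap.userSearch with the
login typed on the portal; whatever performs that substitution must escape the
value as RFC 4515 requires, otherwise a login containing '*', '(' or ')'
changes the meaning of the filter (LDAP filter injection). The function names
and the Active Directory template are assumptions made for this example.
"""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Templates in the form Kelio expects: {0} is replaced by the login.
MACOS_USER_SEARCH = "(&(objectclass=person)(uid={0}))"            # from 2.6.3 above
AD_USER_SEARCH = "(&(objectclass=person)(samaccountname={0}))"    # assumed AD equivalent


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(template: str, login: str) -> str:
    """Return the filter that would be sent, with the login escaped before substitution."""
    if "{0}" not in template:
        raise ValueError("ldap.userSearch template must contain the {0} placeholder")
    if not login:
        raise ValueError("empty login")
    return template.replace("{0}", escape_filter_value(login))


def build_user_search_unescaped(template: str, login: str) -> str:
    """The same substitution without escaping, kept only to show the injection."""
    return template.replace("{0}", login)


if __name__ == "__main__":
    for login in ("j.doe", "*", "x)(uid=*"):          # constructed sample logins
        print(f"{login!r:14} safe:   {build_user_search(MACOS_USER_SEARCH, login)}")
        print(f"{'':14} unsafe: {build_user_search_unescaped(MACOS_USER_SEARCH, login)}")
```

The unescaped variant is there only for comparison: with it, a login of "*" produces (&(objectclass=person)(uid=*)), a filter that matches every person under the base DN, and "x)(uid=*" rewrites the filter structure itself. With escaping, both logins become literal values that match nothing.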

2.7 Configuration test without filter on membership of the BODET role

All LDAP error codes are very precisely defined. When an error occurs, you must look up the result code concerned as well as the data code, if there is one (Active Directory adds a data code to result code 49 to say why the bind failed).

Error / Data code | Error | Description
0 | LDAP_SUCCESS | Indicates the requested client operation completed successfully.
1 | LDAP_OPERATIONS_ERROR | Indicates an internal error. The server is unable to respond with a more specific error and is also unable to properly respond to a request. It does not indicate that the client has sent an erroneous message. In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors.
2 | LDAP_PROTOCOL_ERROR | Indicates that the server has received an invalid or malformed request from the client.
3 | LDAP_TIMELIMIT_EXCEEDED | Indicates that the operation's time limit specified by either the client or the server has been exceeded. On search operations, incomplete results are returned.
4 | LDAP_SIZELIMIT_EXCEEDED | Indicates that in a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned.
5 | LDAP_COMPARE_FALSE | Does not indicate an error condition. Indicates that the results of a compare operation are false.
6 | LDAP_COMPARE_TRUE | Does not indicate an error condition. Indicates that the results of a compare operation are true.
7 | LDAP_AUTH_METHOD_NOT_SUPPORTED | Indicates that during a bind operation the client requested an authentication method not supported by the LDAP server.
8 | LDAP_STRONG_AUTH_REQUIRED | Indicates one of the following: In bind requests, the LDAP server accepts only strong authentication. In a client request, the client requested an operation such as delete that requires strong authentication. In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised.
9 | | Reserved.
10 | LDAP_REFERRAL | Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
11 | LDAP_ADMINLIMIT_EXCEEDED | Indicates that an LDAP server limit set by an administrative authority has been exceeded.
12 | LDAP_UNAVAILABLE_CRITICAL_EXTENSION | Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
13 | LDAP_CONFIDENTIALITY_REQUIRED | Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality.
14 | LDAP_SASL_BIND_IN_PROGRESS | Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process.
15 | | Not used.
16 | LDAP_NO_SUCH_ATTRIBUTE | Indicates that the attribute specified in the modify or compare operation does not exist in the entry.
17 | LDAP_UNDEFINED_TYPE | Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema.
18 | LDAP_INAPPROPRIATE_MATCHING | Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
19 | LDAP_CONSTRAINT_VIOLATION | Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
20 | LDAP_TYPE_OR_VALUE_EXISTS | Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
21 | LDAP_INVALID_SYNTAX | Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
22-31 | | Not used.
32 | LDAP_NO_SUCH_OBJECT | Indicates the target object cannot be found. This code is not returned on the following operations: search operations that find the search base but cannot find any entries that match the search filter; bind operations.
33 | LDAP_ALIAS_PROBLEM | Indicates that an error occurred when an alias was dereferenced.
34 | LDAP_INVALID_DN_SYNTAX | Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.)
35 | LDAP_IS_LEAF | Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.)
36 | LDAP_ALIAS_DEREF_PROBLEM | Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
37-47 | | Not used.
48 | LDAP_INAPPROPRIATE_AUTH | Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error: the client returns simple credentials when strong credentials are required, or the client returns a DN and a password for a simple bind when the entry does not have a password defined.
49 | LDAP_INVALID_CREDENTIALS | Indicates that during a bind operation one of the following occurred: the client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information.
49 / 52e | AD_INVALID_CREDENTIALS | Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.
49 / 525 | USER_NOT_FOUND | Indicates an Active Directory (AD) AcceptSecurityContext data error that is returned when the username is invalid.
49 / 530 | NOT_PERMITTED_TO_LOGON_AT_THIS_TIME | Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure caused because the user is not permitted to log on at this time. Returned only when presented with a valid username and valid password credential.
49 / 531 | RESTRICTED_TO_SPECIFIC_MACHINES | Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure caused because the user is not permitted to log on from this computer. Returned only when presented with a valid username and valid password credential.
49 / 532 | PASSWORD_EXPIRED | Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The specified account password has expired. Returned only when presented with valid username and password credential.
49 / 533 | ACCOUNT_DISABLED | Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The account is currently disabled. Returned only when presented with valid username and password credential.
49 / 568 | ERROR_TOO_MANY_CONTEXT_IDS | Indicates that during a log-on attempt, the user's security context accumulated too many security IDs. This is an issue with the specific LDAP user object/account which should be investigated by the LDAP administrator.
49 / 701 | ACCOUNT_EXPIRED | Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The user's account has expired. Returned only when presented with valid username and password credential.
49 / 773 | USER_MUST_RESET_PASSWORD | Indicates an Active Directory (AD) AcceptSecurityContext data error. The user's password must be changed before logging on the first time. Returned only when presented with valid username and password credential.
50 | LDAP_INSUFFICIENT_ACCESS | Indicates that the caller does not have sufficient rights to perform the requested operation.
51 | LDAP_BUSY | Indicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then.
52 | LDAP_UNAVAILABLE | Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down.
53 | LDAP_UNWILLING_TO_PERFORM | Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons: the add entry request violates the server's structure rules, or the modify attribute request specifies attributes that users cannot modify, or password restrictions prevent the action, or connection restrictions prevent the action.
54 | LDAP_LOOP_DETECT | Indicates that the client discovered an alias or referral loop, and is thus unable to complete this request.
55-63 | | Not used.
64 | LDAP_NAMING_VIOLATION | Indicates that the add or modify DN operation violates the schema's structure rules. For example: the request places the entry subordinate to an alias; the request places the entry subordinate to a container that is forbidden by the containment rules; the RDN for the entry uses a forbidden attribute type.
65 | LDAP_OBJECT_CLASS_VIOLATION | Indicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example: the add or modify operation tries to add an entry without a value for a required attribute; the add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain; the modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required.
66 | LDAP_NOT_ALLOWED_ON_NONLEAF | Indicates that the requested operation is permitted only on leaf entries. For example: the client requests a delete operation on a parent entry; the client requests a modify DN operation on a parent entry.
67 | LDAP_NOT_ALLOWED_ON_RDN | Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.
68 | LDAP_ALREADY_EXISTS | Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
69 | LDAP_NO_OBJECT_CLASS_MODS | Indicates that the modify operation attempted to modify the structure rules of an object class.
70 | LDAP_RESULTS_TOO_LARGE | Reserved for CLDAP.
71 | LDAP_AFFECTS_MULTIPLE_DSAS | Indicates that the modify DN operation moves the entry from one LDAP server to another and requires more than one LDAP server.
72-79 | | Not used.
80 | LDAP_OTHER | Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.

2.7.1 Correct Setting

A correctly set up test must display, in green, the DN of the user on whom the test was carried out.

2.7.2 The DN entered in the configuration is wrong (error code 49)

This is the most frequent setup error!

(Screenshot) The account or password used to connect is wrong; the bind is rejected by the directory.

Error code 49 must be read together with data code 525: user not found.

/ ! \ It is the ldap.userDn entered in the setup, and not the login entered in the test, which is invalid / ! \


(Screenshot) Here, the same error code 49 is accompanied by data code 52e: invalid credentials. The ldap.userDn has been found, but the password entered for it (the one in the setup, not the one in the test) is invalid.

2.7.3 User not found

This error may have several causes:

- The login entered in the test does not exist.
- The search for the user in the directory is carried out from a base DN which does not contain the user.
- The ldap.userSearch filter uses an attribute the directory does not have (for example sAMAccountName on a directory that is not an Active Directory; see 2.6.3).

2.7.4 URL and login are OK but password is incorrect (bad credentials)

The message indicates that an incorrect password has been entered for the test (this time it is the tested user's password, not the ldap.userDn password of 2.7.2).

2.7.5 SSL error if LDAPS (SSLHandshakeException)

The certificate has not been imported, or the imported certificate is not the right one.

Solution: check that the certificate has been imported and that it is the correct one. The certificate must also be valid for the host name used in ldap.url: a certificate issued to the domain controller's FQDN is not accepted for an IP address or for an alias that is not among its subject alternative names.

For an Active Directory, the certificate is in the certificate management console (Certification Authority), under issued certificates. Choose the certificate issued from the "DomainController" template with the client and server authentication purposes. Importing the issuing CA's certificate instead of the domain controller's own certificate also works, and has the advantage of surviving the renewal of the domain controller certificate.

2.7.6 The LDAPS connection is not activated

The LDAP server is not configured to accept LDAPS requests.

2.7.7 The LDAP server is taking too long to respond

If the LDAP server does not respond quickly enough, the test fails with the following error (note that it reports LDAP error code 32, "No Such Object", and not a time-limit error):

Caused by: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name '/'

The timeout cannot be configured in Kelio. You must therefore point ldap.url at a directory server that is "closer" to Kelio (on the same site, or with lower latency).

In this situation a "user not found" error may also appear from time to time; this does not block access to the code V3.

2.7.8 Mandatory LDAPS encryption

If you receive this error:

[LDAP: error code 8 - 00002028: LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580]

the customer's domain controllers require LDAP signing: a simple bind over plain ldap:// is refused because neither signing nor TLS protects the connection (error code 8, LDAP_STRONG_AUTH_REQUIRED, in the table above). You will have to switch ldap.url to LDAPS (ldaps://, port 636 by default) and import the certificate as described in 2.7.5.
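To read these errors quickly, here is an added Python example (not part of Kelio or the Bodet tools) that extracts the LDAP result code and the Active Directory data code from a Spring/JNDI exception message and maps them using the table of 2.7 and the cases 2.7.2 to 2.7.8 above. The sample messages are constructed for this example in the format Active Directory returns; the only one taken from this document is the signing error of 2.7.8. Data code 775 (account locked out) is included although the table does not list it.

```python
"""Decode the LDAP error returned by a failed Kelio directory test.

Added example, not part of Kelio or the Bodet tools. Spring LDAP / JNDI wrap
the server's result code in a fragment such as "[LDAP: error code 49 - ...]";
Active Directory adds a "data" sub-code in the comment. The sample messages
below are constructed in that format, except SIGNING_REQUIRED, which is the
error quoted in 2.7.8.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Result codes met most often during a setup test (names from the table in 2.7).
RESULT_CODES: Dict[int, str] = {
    0: "LDAP_SUCCESS",
    8: "LDAP_STRONG_AUTH_REQUIRED",
    32: "LDAP_NO_SUCH_OBJECT",
    34: "LDAP_INVALID_DN_SYNTAX",
    49: "LDAP_INVALID_CREDENTIALS",
    50: "LDAP_INSUFFICIENT_ACCESS",
    52: "LDAP_UNAVAILABLE",
    53: "LDAP_UNWILLING_TO_PERFORM",
    80: "LDAP_OTHER",
}

# Active Directory data codes that accompany result code 49 (table in 2.7),
# plus 775 (account locked out), which the table does not list.
AD_DATA_CODES: Dict[str, str] = {
    "525": "user not found: the ldap.userDn of the setup is wrong, not the login under test (2.7.2)",
    "52e": "invalid credentials: ldap.userDn was found but its password is wrong (2.7.2)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this computer",
    "532": "password expired",
    "533": "account disabled",
    "568": "too many security IDs in the user's context",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

_CODE_RE = re.compile(r"\[LDAP: error code (\d+)(?: - (.*?))?\]", re.DOTALL)
_DATA_RE = re.compile(r"\bdata ([0-9A-Fa-f]+)\b")


@dataclass
class LdapFailure:
    result_code: int
    name: str
    data_code: Optional[str]
    meaning: str


def decode_ldap_failure(message: str) -> LdapFailure:
    """Extract result code, AD data code and a diagnosis from an exception message."""
    match = _CODE_RE.search(message)
    if match is None:
        raise ValueError("no '[LDAP: error code N ...]' fragment found")
    code = int(match.group(1))
    detail = match.group(2) or ""
    data_match = _DATA_RE.search(detail)
    data = data_match.group(1).lower() if data_match else None
    name = RESULT_CODES.get(code, f"LDAP result code {code} (see the table in 2.7)")

    if code == 49 and data in AD_DATA_CODES:
        meaning = AD_DATA_CODES[data]
    elif code == 49:
        meaning = "bind rejected: wrong DN or password"
    elif code == 8 and "integrity checking" in detail:
        meaning = "domain controller requires LDAP signing: switch ldap.url to LDAPS (2.7.8)"
    elif code == 32:
        meaning = "base DN not found, or the directory answered too slowly (2.7.7)"
    else:
        meaning = name
    return LdapFailure(code, name, data, meaning)


# Constructed sample messages in the format Active Directory / JNDI produce.
SAMPLES: Dict[str, str] = {
    "BAD_USERDN": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
                  "AcceptSecurityContext error, data 525, v2580]",
    "BAD_PASSWORD": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
                    "AcceptSecurityContext error, data 52e, v2580]",
    "LOCKED_OUT": "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
                  "AcceptSecurityContext error, data 775, v2580]",
    # Quoted from 2.7.8 above.
    "SIGNING_REQUIRED": "[LDAP: error code 8 - 00002028: LdapErr: DSID-0C090257, comment: "
                        "The server requires binds to turn on integrity checking if SSL\\TLS "
                        "are not already active on the connection, data 0, v2580]",
    "NO_SUCH_OBJECT": "Caused by: org.springframework.ldap.NameNotFoundException: "
                      "[LDAP: error code 32 - No Such Object]; remaining name '/'",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        f = decode_ldap_failure(text)
        print(f"{label:16} code {f.result_code:>2} data {f.data_code or '-':>3}  {f.meaning}")
```

Paste the "Caused by" line from open.log or from the test dialog into decode_ldap_failure; the point of the data code is that it tells you which of the two passwords (the ldap.userDn one or the tested user's) is wrong, something the result code 49 alone does not.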

2.8 Configuration test with filter on membership of the BODET role

2.8.1 Case 1: correct setup

(Screenshot) The test displays the DN of the user together with the name of the role searched for, and the list of user roles found: there is a match.

2.8.2 Case 2: User roles not found

This error may have two different causes:

1- The role search filter is wrong.
The default value (uniqueMember={0}) matches groups whose objectClass is "groupOfUniqueNames" (typical of OpenLDAP). In Active Directory, a security group has the objectClass "group" and lists its members in the "member" attribute; the filter must then be (member={0}). In both cases {0} stands for the full DN of the user found in 2.7, so the user search must already succeed.

2- Kelio does not search for the role in the correct directory subtree.
By default, Kelio searches for the role in an organisational unit (OU) called "groups".

Depending on the customer's directory, change this setting to the OU that actually holds the group, or leave it blank. In the second case, the search is carried out from the directory root, and its duration depends on the size and complexity of the directory tree.

2.8.3 Error: PartialResultException (unprocessed continuation reference)

Change the ldap.ignorePartialResultException setting from false to true to ignore this exception. This is needed when the LDAP directory is an Active Directory: a subtree search run from the domain root also returns continuation references (referrals) to the forest's other naming contexts, and Kelio does not follow them. With the setting on true these references are ignored and the entries already returned are used. Narrowing the search base to the OU that holds the users or groups avoids the referrals altogether.

2.9 Behaviour of the Kelio portal

A standard warning message appears if the identifier and/or the password are incorrect (screenshot).

When the filter on role is enabled and the credentials entered are correct but the user does not belong to the BODET role, the message displayed is adapted (screenshot):


3 USING KERBEROS

Kerberos authentication is based on an exchange of tickets between three parties: a Kerberos principal (the client), a resource server (the service) and a trusted authority, the KDC (Key Distribution Center); together they form a Kerberos realm.

In the Kelio case, the resource server is the Kelio server, the KDC is the Active Directory domain controller and the Kerberos principal is the user logged on to the Kelio client workstation.

To carry out this configuration, we use the ‘ktpass’ command, which enables non-Windows services (here Tomcat + Spring, which handle the authentication) to use the functionality provided by the KDC.

This command associates a domain user with the resource server to form a Service Principal Name (SPN) and generates a .keytab file that contains the secret key of the SPN. Anyone holding this file can impersonate the Kelio service to Kerberos clients, so treat it like a password: restrict its file permissions on the Kelio server and do not send it over unprotected channels.

This command is present by default on Windows Server 2008 and 2008 R2 (and later versions) and is one of the Support Tools for Windows Server 2003.

3.1 CREATING A DEDICATED KELIO AUTHENTICATION USER

You must create a dedicated user for this functionality. This user will be modified in the Active Directory to make it correspond to an SPN (ktpass also resets its password) and must not be used for anything else.

By convention, and in order to standardise the installations, create a user called ‘keliohttp’.
For the interface with Exchange or LDAP, you must create another user rather than reuse this account.

The screenshots below come from the Windows 2003 user console; the screens are similar in Windows 2008 and higher.

1 – ‘Administration tools’ > ‘Active Directory users and computers’ > New > User
2 – Fill in the full name and the logon name
3 – Set a password; do not set the password to expire
4 – There is no obligation to create a mailbox

5 – Use of SHA256 (see the encryption-type choice in 3.2.1)

3.2 CREATING THE MAIN AUTHENTICATION SERVICE

Introducing the Kerberos authentication mechanism requires the generation of the keytab file with the ktpass.exe tool.

This keytab file contains the secret key for the Kerberos service.

3.2.1 Setup help

Generally speaking, it is strongly recommended not to enter the parameters manually. This is a source of errors which can easily be avoided by using the right tools.

1. Download the Bodet tech tools from https://release.bodet-software.com/open/Release/Tools/

2. Run the executable file from the Kelio server using an account registered in the AD.
3. If your current account is not in the AD, it is possible to run the tool "as a different user" using Shift + right-click on it:


4. Run the Tools_Assistant_Kerberos

5. If the dedicated user is not keliohttp, enter the correct name

6. Click on Configure, and take the time to read the messages!

By default, it is preferable to leave SHA256 ticked, as RC4-HMAC-NT is disabled on recent systems and rejected by the latest versions of Chrome.

Only if older workstations require RC4-HMAC-NT should you untick this box, at the cost of a weaker key for the service.

7. Give the following command to the customer's AD administrator so that they generate the keytab file. Apart from special cases, no parameter needs to be changed manually: if you ran the assistant on the Kelio server, the parameters are correct.

Special case:
If the web access address is not the FQDN of the Kelio machine (the user enters http://kelio.client.org:8089 instead of http://vm-xd5879.client.org:8089), there are two solutions:
1) Check that the DNS entry for the second address is a CNAME record pointing at the FQDN of the machine, as shown in this screenshot (by default the browser canonicalises a CNAME to its target host name before requesting the service ticket, so the SPN in the keytab still matches):
2) If the customer cannot modify the DNS and this other address is an A record (it resolves to an IP address rather than to a name), the keytab must be generated with the part between HTTP/ and @ replaced by the DNS name the users type. For example,

ktpass /out keliohttp.keytab /princ HTTP/VM-XD5879.CLIENT.ORG@TREM.BOD /mapuser keliohttp@TREM.BOD /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /pass +rndPass /kvno 0

will become

ktpass /out keliohttp.keytab /princ HTTP/KELIO.CLIENT.ORG@TREM.BOD /mapuser keliohttp@TREM.BOD /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /pass +rndPass /kvno 0

8. The tool opens the directory entered in the conf.properties of the supervision module (by default, conf). It is preferable to use this directory since it is not overwritten during an update or reinstallation. Paste the keytab file provided by the administrator into this directory.

9. Now copy and paste the information provided by the tool into the conf.properties of the supervision module.


Be careful not to fall into the trap of "(x86)" in keytabLocation: by default the path does not contain "Program Files (x86)", so always update the fields by copying and pasting the values shown by the tool rather than retyping them.

10. Now restart Tomcat and watch open.log for any alerts.

11. Perform the tests from a workstation other than the Kelio server. Users must log off their Windows session and log on again (or run "klist purge" in a command prompt) so that their workstation requests fresh tickets for the new SPN.

3.2.2 Information on the ktpass command

Here, for information, are the different parameters of the ktpass command:

/out <FileName>: name of the keytab file created by the command. If the path is not specified, the file is created in the current directory of the command prompt.
Possible value: /out keliohttp.keytab

/princ <PrincipalName>: name of the Kerberos service principal to be created.
SPN format: "HTTP/<fully qualified domain name>@MYDOMAIN.COM". The fully qualified domain name is the server name followed by the DNS domain, e.g. "kelio-assistance.cholet.bod", and MYDOMAIN.COM is the Kerberos realm, i.e. the AD domain name in upper case. Note that this parameter is case-sensitive!
Possible value: HTTP/kelio-assistance.cholet.bod@CHOLET.BOD

/mapuser <UserAccount>: maps the SPN specified by /princ to this domain account.
Example: keliohttp@CHOLET.BOD

/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}: specifies the type of principal, 3 possible values:
- KRB5_NT_PRINCIPAL: general principal (recommended)
- KRB5_NT_SRV_INST: service and instance
- KRB5_NT_SRV_HST: host service instance

/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}: specifies the encryption type of the key written to the keytab, 6 possible values:
- DES-CBC-CRC: compatibility with legacy systems only (DES is disabled by default on current Windows versions)
- DES-CBC-MD5: compatibility with legacy systems only
- RC4-HMAC-NT: 128-bit RC4; please note, this is disabled when updating to more recent systems
- AES256-SHA1: AES256-CTS-HMAC-SHA1-96 encryption: preferable
- AES128-SHA1: AES128-CTS-HMAC-SHA1-96 encryption
- All: a key for every supported encryption type is written to the keytab

/pass {Password|*|{-|+}rndpass}: specifies the password of the account mapped by /mapuser. ktpass resets the account password to this value and derives the keytab key from it, which is why the account must be dedicated to Kelio:
- Password: fixed password given in the command (it then sits in the command history; prefer one of the two other forms)
- *: the password is requested when the command is run
- +rndpass: a randomly generated password is used (recommended: nobody needs to know it, since only the keytab is used)
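Before pasting the keytab into the conf directory (3.2.1, step 8), it is worth checking that the file the AD administrator returned matches what was requested with /princ, /crypto and /kvno. The Python below is an added example, not one of the Bodet tools: it parses the MIT keytab format that ktpass writes (version 0x0502, integers big-endian) and reports the principals, encryption types and kvno it finds, flagging DES and RC4 keys as weak. The sample keytab is built by the code itself with placeholder key bytes so that it runs offline; in practice you read the bytes of the .keytab file instead.

```python
"""Check a ktpass keytab before installing it in the Kelio conf directory.

Added example, not one of the Bodet tools. ktpass writes the MIT keytab format
(version 0x0502, all integers big-endian). Parsing it shows, without any KDC
access, which principals, encryption types and kvno the file holds. The sample
keytab is constructed here with placeholder key bytes; read a real .keytab instead.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Encryption type numbers as they appear in the keytab (RFC 3961/3962/4757).
ENCTYPES: Dict[int, str] = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
                            17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
WEAK_ENCTYPES = {1, 3, 23}          # DES and RC4: disabled on recent systems (3.2.1)
KRB5_NT_PRINCIPAL = 1               # the /ptype recommended above


@dataclass
class KeytabEntry:
    principal: str      # e.g. HTTP/kelio.client.org@TREM.BOD (case-sensitive, like /princ)
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted_octets(buf: bytes, pos: int):
    """Read a 16-bit length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse every live entry of a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected magic bytes 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size: deleted slot, skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_octets(data, pos)
            comps.append(comp.decode("utf-8"))
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno, overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   name_type, kvno, enctype, key))
    return entries


def check_keytab(data: bytes, expected_principal: str, required_enctype: int = 18) -> dict:
    """Report whether the keytab carries the expected SPN with a strong key."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e.principal == expected_principal]
    return {
        "principal_found": bool(mine),
        "strong_key": any(e.enctype == required_enctype for e in mine),
        "weak_enctypes": sorted(ENCTYPES.get(e.enctype, str(e.enctype))
                                for e in mine if e.enctype in WEAK_ENCTYPES),
        "kvnos": sorted({e.kvno for e in mine}),
        "other_principals": sorted({e.principal for e in entries} - {expected_principal}),
    }


def build_keytab_entry(principal: str, enctype: int, kvno: int, key: bytes) -> bytes:
    """Serialise one entry; used here only to construct the offline sample."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: an AES256 key and an RC4 key for the same SPN (placeholder key bytes).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_keytab_entry("HTTP/kelio.client.org@TREM.BOD", 18, 3, bytes(range(32)))
                 + build_keytab_entry("HTTP/kelio.client.org@TREM.BOD", 23, 3, bytes(range(16))))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_KEYTAB
    print(check_keytab(data, sys.argv[2] if len(sys.argv) > 2 else "HTTP/kelio.client.org@TREM.BOD"))
```

Run it as python check_keytab.py keliohttp.keytab HTTP/kelio.client.org@TREM.BOD. If principal_found is False for the name you expect, compare the case of the host part with the /princ the administrator actually typed: the comparison is exact, just as it is for the /princ parameter.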

3.2.3 Information on the other parameters of conf.properties

kerberos.stripDomain: the client station sends Kelio the user name in the form user@DOMAIN. This
parameter, which is set to TRUE by default, strips the domain from the user name presented by the client
so that the login is entered in Kelio as 'user' and not 'user@DOMAIN'.
This parameter enables Kerberos and LDAP to cohabit, but above all enables a simple login to be entered
in Kelio.

kerberos.debug: planned to manage specific logs; however, it has not yet been implemented. This
parameter is not used for the moment.

If the customer also wishes to filter access to Kelio according to whether the user belongs to a role, see the
corresponding setup in the LDAP setup. The two options must be configured at the same time.

KNOWN PROBLEMS

Once the setup is in place and Tomcat has been restarted, the first tests can be run. The connection URL
will be in the form http://namekelioserver:8089.

Never use the IP address in the connection URL but always the hostname, the FQDN or the alias (see
Special case in 3.2.1.7) of the Kelio server.

Authentication does not work from the Kelio server itself; this is a Kerberos restriction. There is therefore
no need to carry out tests from the Kelio server.

By default, the logs do not trace any connection errors. This error will simply appear in the portal:

For more details, specific traces must be added. The logs will be added to the open.log file. Two entries
must be added:

com.bodet.commun.securite
org.springframework.security.extensions.kerberos

To do so, you must connect to the module Supervision > Traces and follow the procedure below:

- Click on New log
- Add the logger "com.bodet.commun.securite"
- Leave the level at INFO, it's more than enough
- Validate
- Repeat the previous steps, adding the "org.springframework.security" logger

3.3.1 Incorrect encrypted key

Several different issues can produce the same error: the encrypted key in the keytab file does not correspond
to the ticket generated by the KDC.

The main connection error is related to encryption incompatibilities between the client station and the KDC.

The error will be shown in the logs as follows:

Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

a. Wrong ktpass.exe version

Solution: you must use up-to-date versions of ktpass.exe according to the OS used, i.e.:
- For Windows 2003: 5.2.3790.3959 (ktpass.exe file present under c:\program files\support tools)
- For Windows 2008: 6.0.6002.18005 (file present under c:\windows\system32)
- For 2008R2: 6.1.7600.16385 (file present under c:\windows\system32)

For Windows 2003 you must download the latest version of the Support Tools from the Microsoft website.
For Windows 2008 and 2008R2 the ktpass command is included by default and its version depends on the
Service Pack installed.
2008 must be at SP2; in addition, Microsoft does not provide any support if SP2 is not installed. 2008R2
works by default (with or without SP1).

In domains that contain many controllers, you must also take account of the SPN replication time. Do not
hesitate to force a replication between the controllers and/or to close and reopen the session on the client
station.

b. Kvno issue

A version number of the password, called kvno, is also saved in the keytab file. It must correspond to the
version number found in the tickets generated by the KDC.
If the kvno is not the right number, for example because keytab files have already been generated for the
Kelio server, the authentication will fail.
It is possible to restart the kvno numbering from 0 by adding the parameter "/kvno 0" when the keytab is
generated.

c. Modified keliohttp account

When the keytab is created, the account password is modified and the encrypted key in the keytab is
derived from that password.
This is why the keliohttp account password must not be changed afterwards, or else the key in the keytab
will no longer match.

d. Case not respected on the SPN

If the Service Principal Name does not respect the case on the domain as specified during the creation of
the main authentication service, the authentication will fail.

e. Changing Kelio server

When the Kelio server is changed, the keytab will no longer correspond to the new server. The procedure
above must be restarted from the beginning.

Answers to these different problems:

The procedure must be restarted from scratch, i.e.:

- Delete and recreate the keliohttp user
- Use the ktpass command again to generate a new keytab file after resolving the issue that caused it:
  - Update ktpass.exe
  - Force the kvno to 0
  - Recreate the user
  - Respect the case of the SPN
  - Restart Tomcat to take the new file into account

This will be quicker and more effective than trying to revoke the SPN in the domain.

3.3.2 Incorrect keytab file path or keytab generated with an incorrect command

The path and name pre-configured in the supervisor for the keytab file is "c:\program
files\bodet\open\conf\keliohttp.keytab". Pay attention to customised installations.
If the keytab file has been generated with an incorrect command (wrong case used, domain omitted), Kelio
will not find the key for its kerberos.servicePrincipal in the keytab.
The error in the log will be:

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos
Key)

or (depending on the versions)

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot
find key of appropriate type to decrypt AP REP - RC4 with HMAC)

Solution: define a correct path and name for the keytab file, then delete the user keliohttp and rerun the
procedure with the Kerberos configuration wizard.
OR
Check the maxHttpHeaderSize (see 3.3.8).


3.3.3 Time shift between the client station and the KDC

Tickets can only be exchanged between client stations and the KDC if the time difference between the two
is less than 5 minutes. Beyond this limit, the authentication will be rejected every time.

org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
... 33 more
Caused by: KrbException: Clock skew too great (37)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:293)

Solution: put reliable clock synchronisation in place between the different stations in the Kerberos realm.

3.3.4 Wrong connection address

Kerberos authentication requires the client station to connect to the Kelio server with the name used in the
SPN.
Using the IP address in the connection URL will lead to a failure every time. The error will be of the type:

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Solution: change the URL in the browser

3.3.5 Problem with case-sensitivity in the login

The login field in the database is case-sensitive. Therefore the Kelio user file login must be identical to the
Windows session opening name.

org.springframework.security.core.userdetails.UsernameNotFoundException: User with name TECHSAC not found

The log will record this difference: here the browser presented Kelio with a user named ‘TECHSAC’. The
login in Kelio must be strictly identical (here in capital letters) for the authentication to work.

3.3.6 Problem configuring the browser
a. Internet Explorer

Kelio's URL must be in the "Local intranet" security zone. This may be done manually on each station or
via a group policy.
If the URL is in the Internet zone, there will be an additional authentication pop-up because the browser will
refuse Windows authentication in an unsecured zone (the Internet zone!).

The "Enable Integrated Windows Authentication" security option must be activated.

Chrome inherits these settings from Internet Explorer.


b. Firefox

With Firefox, view the Firefox settings by entering about:config in the address bar and add the name of the
Kelio server to the attribute network.negotiate-auth.trusted-uri:

3.3.7 Problem of SPN duplicate
On an installation which previously worked, or following several setup attempts, several AD accounts may
end up linked to the Kelio SPN.
The symptom is:
- Non-Kerberos (NTLM) tokens are sent, whatever the browser; they start with TlRM instead of YII, for example:
DEBUG securite.SpnegoAuthenticationFilter.Received Negotiate Header for request
http://kelio.client.org:8089/open/: Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Then, using a station connected to the AD, run the following command:

C:\Windows\system32>SetSPN -X
Verification of the domain DC=client,DC=org
Processing of entry 1
HTTP/KELIO.CLIENT.ORG is registered on these accounts:
CN=keliokerb,CN=Users,DC=client,DC=org
CN=keliohttp,OU=Miscellaneous,DC=client,DC=org
1 duplicate SPN group detected.

Then ask the AD administrator to delete the excess account, and run the command again.
If no duplicate is announced, you can check whether the account defined in conf.properties is correctly
used by the Kelio SPN:

C:\Windows\system32>SetSPN -Q HTTP/KELIO.CLIENT.ORG
Verification of the domain DC=duqat,DC=local
CN=keliohttp,CN=Users,DC=client,DC=org
HTTP/KELIO.CLIENT.ORG

3.3.8 Problem of truncated Kerberos token
Depending on where in the AD the account used for Kerberos and the user account are located, the Kerberos
token may be very large.

If you see in the logs:

- a correct address (matching the one from the Kelio SPN, or an alias which refers to the FQDN), of
the type http://kelio.client.org
- a token of several lines, starting with YII

but the header is nonetheless reported as invalid, increase the maxHttpHeaderSize of the server.xml found in
the file Open _server\conf\server.xml.

OR

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot
find key of appropriate type to decrypt AP REP - RC4 with HMAC)

For example, go from
maxHttpHeaderSize="8192"
to
maxHttpHeaderSize="16384"

Be careful never to exceed 65535! (we have rarely exceeded 32768).

If the https is enabled, manually add the parameter maxHttpHeaderSize="32768" to the https
connector line, otherwise, the value used will be the default value, 8192. This modification is
overwritten by an update.
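The two symptoms above, a non-Kerberos token (3.3.7) and a Kerberos token too large for the header (3.3.8), can be told apart from the logged Negotiate token itself. The Python script below is an added example, not Bodet Software code: it decodes the NTLM token quoted in 3.3.7, classifies a token as NTLM or SPNEGO, detects a SPNEGO token that was cut short, and compares the header with maxHttpHeaderSize. The SPNEGO sample token, the log lines it is embedded in and all function names are constructed for this example.

```python
"""Triage of Negotiate tokens logged by Kelio's SpnegoAuthenticationFilter.

Added example, not Bodet Software code. An NTLM token is base64 beginning
with TlRM ("NTLMSSP"); a SPNEGO/Kerberos token begins with YII (DER tag 0x60).
"""
import base64
import re

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"  # 1.3.6.1.5.5.2, follows the 0x60 tag of a NegTokenInit
_TOKEN_RE = re.compile(r"Negotiate\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)")


def extract_token(log_line):
    """Return the base64 token that follows 'Negotiate' in a log line, or None."""
    match = _TOKEN_RE.search(log_line)
    return match.group(1) if match else None


def b64decode_lenient(text):
    """Decode base64 even when a cut-off token has lost its '=' padding."""
    text = text.rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def der_declared_length(data):
    """Total size (tag + length field + content) announced by the first DER length."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one byte of length
        return 2 + first
    n = first & 0x7F                      # long form: n bytes of length follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_token(token_b64):
    """Classify a Negotiate token: kind, bytes received, bytes announced, truncation."""
    raw = b64decode_lenient(token_b64)
    info = {"kind": "unknown", "received": len(raw), "declared": None, "truncated": False}
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLM message; its type (1 = NEGOTIATE) is the little-endian int at offset 8.
        info["kind"] = "ntlm"
        info["ntlm_message_type"] = int.from_bytes(raw[8:12], "little")
    elif raw[:1] == b"\x60":
        # GSS-API InitialContextToken: [APPLICATION 0] tag, length, then the mechanism OID.
        info["kind"] = "spnego" if SPNEGO_OID in raw[:16] else "gss-api"
        info["declared"] = der_declared_length(raw)
        info["truncated"] = info["declared"] is not None and info["declared"] > len(raw)
    return info


def header_fits(token_b64, max_http_header_size=8192):
    """True if the 'Authorization: Negotiate <token>' line alone stays within the Tomcat limit."""
    return len("Authorization: Negotiate ") + len(token_b64) + 2 <= max_http_header_size


def diagnose(log_line, max_http_header_size=8192):
    """One-line verdict for a SpnegoAuthenticationFilter log entry."""
    token = extract_token(log_line)
    if token is None:
        return "no Negotiate token found in this line"
    info = classify_token(token)
    if info["kind"] == "ntlm":
        return ("NTLM token (type %d): the browser did not obtain a Kerberos ticket, check the "
                "connection URL (3.3.4) and duplicate SPNs (3.3.7)" % info["ntlm_message_type"])
    if info["truncated"]:
        return ("SPNEGO token truncated: %d of %d bytes received, raise maxHttpHeaderSize (3.3.8)"
                % (info["received"], info["declared"]))
    if not header_fits(token, max_http_header_size):
        return "SPNEGO token of %d base64 characters exceeds maxHttpHeaderSize=%d" % (
            len(token), max_http_header_size)
    return "SPNEGO token looks well-formed"


def der_wrap(tag, content):
    """DER TLV with a two-byte long-form length (only used to build the constructed sample)."""
    return bytes([tag, 0x82]) + len(content).to_bytes(2, "big") + content


# Sample tokens: the NTLM one is quoted in 3.3.7 of this document; the SPNEGO one is
# constructed here (a NegTokenInit header around 2000 filler bytes, not a real ticket).
NTLM_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
SPNEGO_TOKEN = base64.b64encode(
    der_wrap(0x60, b"\x06\x06" + SPNEGO_OID + der_wrap(0xA0, b"\x00" * 2000))).decode("ascii")
TRUNCATED_TOKEN = SPNEGO_TOKEN[:200]  # constructed: as if the header had been cut short

# Constructed log lines modelled on the entries quoted in 3.3.7 and 3.3.10.
SAMPLE_LINES = [
    "DEBUG securite.SpnegoAuthenticationFilter.Received Negotiate Header for request "
    "http://kelio.client.org:8089/open/: Negotiate " + NTLM_TOKEN,
    "WARN securite.SpnegoAuthenticationFilter.Negotiate Header was invalid: Negotiate " + SPNEGO_TOKEN,
    "WARN securite.SpnegoAuthenticationFilter.Negotiate Header was invalid: Negotiate " + TRUNCATED_TOKEN,
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(diagnose(line))
```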

3.3.9 RC4-HMAC-NT

For a client with 2 ADs (the main one in 2008 and a secondary one in 2012), RC4-HMAC-NT had been
disabled by a security update, and a keytab generated with "/crypto all" did not get Kerberos to work.

Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
[...]
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)

To solve this problem, you must:

1) Generate the keytab with a “/crypto AES256-SHA1”

2) Check “this account handles AES 256-bit encryption via Kerberos” in the properties of the account
used to generate the keytab.
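Most of the keytab-side causes described in 3.3.1, 3.3.2 and 3.3.9 (wrong case or domain in /princ, a kvno to compare with the KDC, RC4-only keys) can be seen by reading the keytab file before restarting Tomcat. The Python script below is an added example, not Bodet Software code; it assumes the MIT version 2 keytab format (0x0502) that ktpass writes and Java reads, and its write_keytab function is a constructed stand-in for ktpass used only to build the in-memory samples.

```python
"""Inspect a keytab before pointing Kelio's kerberos.keytab at it, to catch the
keytab-side causes of "Failed to find any Kerberos Key" and "Specified version
of key is not available". Added example, not Bodet Software code; assumes the
MIT version 2 keytab format (0x0502). write_keytab stands in for ktpass.
"""
import struct
import time

ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
                 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
LEGACY_ENCTYPES = {1, 3, 23}   # DES and RC4: disabled by recent security updates (3.3.9)
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """uint16 length followed by the bytes (keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def write_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 2 keytab."""
    blob = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        # name type, timestamp, 8-bit kvno, then the keyblock and the 32-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        blob += struct.pack(">i", len(body)) + body
    return bytes(blob)


def _read_counted(blob, pos):
    (length,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + length], pos + 2 + length


def read_keytab(blob):
    """Parse a version 2 keytab into dicts with principal, kvno, enctype and name_type."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        start, pos = pos + 4, pos + 4 + abs(size)
        if size <= 0:               # a negative size marks a deleted slot
            continue
        p = start
        (ncomp,) = struct.unpack_from(">H", blob, p)
        realm, p = _read_counted(blob, p + 2)
        components = []
        for _ in range(ncomp):
            component, p = _read_counted(blob, p)
            components.append(component.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, p)
        (enctype,) = struct.unpack_from(">H", blob, p + 9)
        _key, p = _read_counted(blob, p + 11)
        # the 32-bit kvno is optional; fall back to the 8-bit one when it is absent
        kvno = struct.unpack_from(">I", blob, p)[0] if start + size - p >= 4 else vno8
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "name_type": name_type})
    return entries


def check_keytab(blob, service_principal):
    """List the problems that would stop Kelio using this keytab for service_principal."""
    entries = read_keytab(blob)
    exact = [e for e in entries if e["principal"] == service_principal]
    if not exact:
        wrong_case = [e["principal"] for e in entries
                      if e["principal"].lower() == service_principal.lower()]
        if wrong_case:
            return ["case mismatch: keytab holds %s (3.3.1 d)" % ", ".join(wrong_case)]
        return ["no entry for %s: keytab generated with a wrong /princ (3.3.2)" % service_principal]
    problems = []
    if all(e["enctype"] in LEGACY_ENCTYPES for e in exact):
        problems.append("only DES/RC4 keys: regenerate with /crypto AES256-SHA1 (3.3.9)")
    return problems


def describe(blob):
    """Human-readable line per entry, to compare the kvno with the one the KDC uses."""
    return ["%s kvno=%d %s" % (e["principal"], e["kvno"],
                               ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"]))
            for e in read_keytab(blob)]


# Constructed samples: the SPN used as an example in 3.2.2 and dummy key bytes.
SPN = "HTTP/kelio-assistance.cholet.bod@CHOLET.BOD"
DUMMY_KEY = bytes(range(32))
GOOD_KEYTAB = write_keytab([(SPN, 0, 18, DUMMY_KEY)])            # /crypto AES256-SHA1 /kvno 0
RC4_ONLY_KEYTAB = write_keytab([(SPN, 0, 23, DUMMY_KEY[:16])])   # RC4 key, disabled on recent DCs
WRONG_CASE_KEYTAB = write_keytab([("HTTP/kelio-assistance.cholet.bod@cholet.bod", 0, 18, DUMMY_KEY)])

if __name__ == "__main__":
    for label, blob in [("good", GOOD_KEYTAB), ("rc4", RC4_ONLY_KEYTAB), ("case", WRONG_CASE_KEYTAB)]:
        print(label, describe(blob), check_keytab(blob, SPN))
```

To inspect a real file, pass the bytes read from the keliohttp.keytab path configured in the supervisor to describe and check_keytab with the kerberos.servicePrincipal value.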

3.3.10 CNAME resolving issue with Chrome 69

[http-nio-8089-exec-7] 2018-09-11 11:10:25,873 WARN securite.SpnegoAuthenticationFilter.Negotiate
Header was invalid: Negotiate YIIISAYGKw[...]owcI
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level
(Mechanism level: Checksum failed)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Caused by: KrbException: Checksum failed
Caused by: java.security.GeneralSecurityException: Checksum failed

In normal circumstances, browsers perform an nslookup to retrieve the full name of the Kelio SPN server,
but this is not the case with this version of Chrome (perhaps it will be corrected?).
For example, if you type http://kelio:8089 in the address bar, Chrome does not perform the nslookup to
retrieve the full name (kelio.entreprise.org).

With Chrome 69, you must therefore use the full name of the SPN (even aliases will not work).


3.3.11 Problem generating the keytab: “aborted”


ktpass /out keliohttp.keytab /princ HTTP/XXXXXXX@XXXXXX /mapuser keliohttp@XXXXX /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /pass +rndPass /kvno 0
Targeting domain controller: DC1-BEST.best.lu
Using legacy password setting method
Successfully mapped HTTP/XXXXXX to keliohttp.
Aborted.

By replacing "+rndPass" in the command line with the current password of the account used, the
command runs correctly.
The account password policy must be refusing passwords that contain certain characters.


4 AUTHENTICATION FROM A CAS SERVER


The user authenticates once from their web browser on the CAS server. This authentication then enables
automatic connection to multiple applications in the web browser until it is closed or the user disconnects
from the CAS.

This CAS server manages the authentication itself, for example from an LDAP directory. The whole CAS
configuration is set up by the customer.

Operations between the CAS server, a "CASsified" application (Kelio, in this case) and the client browser
are based on an exchange of tickets and session cookies. Kelio automatically redirects the user to the CAS
authentication page and, once authentication has taken place, CAS sends a ticket + session cookie to Kelio
granting the user access: Kelio then opens automatically.

The Bodet Software consultant's role during commissioning is to enter the different CAS server URLs
provided by the client into Kelio and update the user logins according to the login used on the CAS (same

as LDAP/Kerberos). Once again, the customer must provide a flat file that can be used by Kelio, containing
the information needed for import into Kelio.
SETUP IN KELIO

As with other authentication processes, the setup is carried out in the Kelio supervisor:

Compulsory parameters for authentication

cas.enableAuthentication: Used to activate the authentication. To do so, set the attribute to TRUE.

cas.serviceUrl: Corresponds to the return URL once authentication has been carried out on the CAS (steps
5a and 5b in the previous diagram). You must define an address (DNS entry recommended) which will be
used by all of the application's users. The extension will always be /open/j_spring_cas_security_check.

cas.sendRenew: If the CAS server authentication is in SSO, this parameter, when set to "true", forces the
user to re-authenticate. By default, this attribute is set to "false". We do not recommend activating it unless
specifically requested by the customer.

cas.artifactParameterName and cas.serviceParameterName: Pre-configured attributes which
correspond to the ticket/server validation URL. Do not modify these attributes unless specifically requested
by the customer.

cas.serveurLoginUrl: CAS server login URL: to be provided by the customer, e.g.

cas.serveurLogoutUrl: logout URL: to be provided by the customer, e.g.

cas.serveurPrefixUrl: Default CAS server URL, identical to the previous URLs but without the last suffix.

Tomcat must be restarted to activate the authentication.
It must also be restarted if a modification is applied to one of the parameters.

Optional parameters used to customise the authentication

cas.autoRedirectToCasLogout: If activated, automatically redirects the Kelio Exit button to the CAS logout
URL. By default, this parameter is set to "false", since the "best practice" recommended by Spring Security
is to disconnect locally from an application then to leave it up to the user whether to disconnect from their
CAS session or not.

cas.showCasServerLogoutLink: If activated, displays a link to the CAS server logout URL in the footer of
the Kelio logout page (this is the only parameter which does not need Tomcat to be restarted).

cas.checkCasAvailabilityOnHomepage: If activated, checks the availability of the CAS server and
displays a message if the URL is not available. This situation should not occur on customers' systems: since
this is a strategic server, it is usually made redundant to avoid a SPOF (Single Point of Failure). The
default value is set to "false".

KNOWN PROBLEMS
4.4.1 Authentication cohabitation

CAS and Kerberos and/or LDAP authentications cannot coexist. Only LDAP and Kerberos may be activated
at the same time.

4.4.2 Problem with case-sensitivity in the login

As for the other authentication modes, the login entered in Kelio must be strictly identical to the one used
to authenticate on the CAS session.

4.4.3 SSL error when accessing the CAS server

The following type of error occurs following redirection from the CAS server to the Kelio server:

[http-443-1] 2014-03-06 16:14:41,134 ERROR util.CommonUtils.sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to
requested target

Explanation: The CAS server entered in Kelio uses an HTTPS connector with a self-signed certificate or a
certificate signed by a customer's internal authority; Tomcat cannot validate it.

Solution: import the certificate or the authority which signed the certificate into the JRE server keystore, as
in the procedure for the LDAPS.


5 AUTHENTICATION USING THE SAML PROTOCOL


Introduction

These days, we constantly need to authenticate ourselves and enter a different password for each
application or service, whether for professional or personal use – on the Internet, for example. Identity
federation provides an effective solution to these “security hassles” by propagating authentication
transparently between applications.

5.1.1 The principle of identity federation

As we have seen, a person (human being) theoretically has a unique electronic identity for each ecosystem
(workplace, home, etc.). It is usually a code or a key that allows the user to be uniquely identified: Bob,
MaxL456, User-145, etc.

For each application, we usually have a personal code, the identifier, that may or may not be the same as
the identity. Combined with a password or other challenge such as biometrics, for example, the identifier
allows this identity to be authenticated.

As mentioned in the introduction, the problem we encounter is the multitude of authentications required in
order to access all the different applications. We end up having to amass data about our identity and, on
top of that, an identifier and password for each application.

On the Internet and in the professional world, this explosion in the number of authentications is a real
problem that often leads to inappropriate user behaviour, such as using the same password for all our
applications or creating password files. This is where identity federation comes in. The idea behind it
is to use a single authentication and then propagate this data to other applications in order to avoid
having to re-enter the logins and passwords each time.

So after the first successful authentication, a trust system (protocol) is established that informs the other
applications of your identity and that the authentication is valid because it has already been verified. The
Single Sign-On (SSO) is a classic example of how this works. It grants you direct access to your email, for
example, just by having entered your Windows identifier and password.

5.1.2 Propagation protocols and identity federation

The main federation system these days is the Security Assertion Markup Language (SAML), an IT standard
defining a protocol for exchanging authentication data while preventing these websites or applications from
accessing highly sensitive data.

SAML 2.0 is an XML-based standard that formalises the semantics and precise syntax for an exchange of
security data between several participants that want to establish encrypted trust relationships. It was
released in 2005 by the OASIS consortium.

The SAML standard defines the two roles that can be assumed by these participants and the messages
they are likely to transmit and receive: the service provider (SP) and the identity provider (IdP), as mentioned
above.
When an entity tries to access a protected resource provided by an SP, the latter intercepts the request and
transmits an authentication request for this entity to an IdP with which it has established a trust relationship.
The IdP then sends back an assertion about the entity containing information such as "John Smith was
authenticated at 11:09 with his fingerprint. He has the following list of attributes." Based on these assertions,
the SP will decide whether or not to grant access to the resource requested by the entity.

The SAML assertions are based on the SOAP, XML Encryption and XML Signature layers.

- SOAP is the standard encapsulation protocol for XML messages, mainly used by web services.
- XML Encryption is the standard encryption protocol for XML messages. Specifically, it has the ability to
encrypt the entirety of the message or just a precise subset. This makes it possible to have a clear XML
document with encrypted attribute values, for example.
- XML Signature is the standard signature protocol for XML messages. Like XML Encryption, it allows
targeting of the item to be signed. This makes it possible for several participants to each sign a different
part of the XML document.

The SP and the IdP are two entities that know about each other in terms of identifier and certificate. XML
messages that pass through the network are therefore encrypted by the public key of the recipient, who is
the only one capable of decrypting the message with his/her private key. The issuer signs his/her assertions
with his/her private key, allowing the recipient to verify its origin.

5.1.3 Using SAML with Kelio
SAML is a protocol allowing identification between three parties: the SP (Service Provider), the browser
(here, User Agent) and the IdP (Identity Provider).
The SP in this case is Kelio and the IdP can be G Suite, Azure, AD FS (or any SAML v2-compatible IdP).
The user connects to Kelio (1). The SP redirects the user to the IdP's identification page (2-3). The
IdP then requests the user to identify himself/herself if he/she has not already done so and sends back
a SAML assertion to the SP in XHTML format containing the user's identity and the validity of his/her
authentication (4-5). The SP then authorises the user to connect to Kelio (6-7-8). The exchanges take
place through secure HTTPS tunnels between the SP and the browser and between the browser and
the IdP. The assertions are signed or even encrypted to secure the exchanges.

Retrieval of the Metadata from the IdP


Depending on the IdPs, one or more items of information can be requested in order to generate the
Metadata of the IdP, for example the saml.entityId, the saml.entityBaseURL.

The client must provide us with the Metadata file of its IdP.
The file is to be placed in a directory which is not overwritten on updating (open\conf for example).


Setup in Kelio

Configure the SAML authentication section in the Supervision module > conf.properties.

An AUTO_SAML_JKS script can be used to generate the necessary encryption material and a setup help file for filling in this section.
For the script path and access to the Systems & Networks KeePass, please contact the scripting specialist of the S&R team.

Field | Standard value | Description
saml.enableAuthentication | true | Enables SAML; it can be bypassed using the address http://kelio/open/login
saml.entityId | https://kelio.client.fr/open/saml/metadata | EntityId: "Kelio" was used previously, but now the saml.entityBaseURL (MOD-018957) must be entered
saml.entityBaseURL | https://kelio.client.fr/open | Address used to access Kelio
saml.behindLbOrRp | false | Must be enabled if, as in KOD installations, Kelio is behind a reverse proxy or load balancer
The following saml.frontEnd.* fields only apply if saml.behindLbOrRp is true:
saml.frontEnd.scheme | http or https | Depending on the proxy / load balancer
saml.frontEnd.serverName | proxy.client.fr | Name of the proxy / load balancer
saml.frontEnd.serverPort | 443 - 8080 | Port of the proxy / load balancer
saml.frontEnd.includeServerPortInRequestURL | false | If set to true, the serverPort will be used to construct the requestURL of the proxy server
saml.frontEnd.contextPath | /open | Path of the proxy context; must begin with a /
saml.idpMetadataFile | ...\Open\conf\metadata.xml | Path of the IdP's metadata; can be loaded directly from the supervision when the Kelio version allows it
saml.usernameAttribute | | To be changed if different from NameID, e.g. SamAccountName
saml.signSentAuthNRequests | true |

This document is the exclusive property of Bodet Software. All communication, reproduction and use is prohibited without prior written authorisation from Bodet Software.
Page 54/73
CSSR016_AC_EN_Authentifi
Setting up LDAP/KERBEROS/CAS/SAML
cation_LDAP_Kerberos_CAS
_SAML.docx authentication in Kelio
TIME & ATTENDANCE
MANAGEMENT
BODET Software
SUPPORT CONSULTANT
Systems & Networks
CS 40211 | Boulevard du Cormier Last updated: 04/02/2021
49302 CHOLET Cedex | FRANCE

Fields Standard value Description


saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
Key which will be used to sign and check the signature of the Kelio SP
kelio.client.fr
saml.signingKey messages. This key will be included in the Kelio metadata
Pair of keys which will be used to encrypt / decrypt the Kelio SP
kelio.client.fr
saml.encryptionKey messages, the public key will be included in the Kelio metadata
Jks used for signatures and encryption; can be loaded directly from
...\Open\conf\saml.jks
saml.keystoreFile the supervision when the Kelio version allows it
saml.keystorePassword ********** password of the jks
saml.keyAlias kelio.client.fr Alias containing the private key
saml.keyPassword ********** Password for the private key
saml.defaultKey kelio.client.fr Default name of the key used to sign the messages
Authentication age in seconds
To be increased to 157680000 for Google and Azure because the
157680000
authentication time sent by the SAML is the real time; for an
saml.maxAuthenticationAge Android telephone, it can be several years old

If the client sends an email address in usernameAttribute and the Kelio users are also entered with the @, it is important to set the
kerberos.stripDomain parameter to false
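Added example, not Bodet Software code: a small consistency check of the SAML section of conf.properties against the rules stated in the table above (entityId derived from entityBaseURL, frontEnd.* fields when behind a proxy, contextPath starting with /, kerberos.stripDomain with an e-mail login). The key names are those documented on this page; the sample fragment and the list of mail-like attribute names are constructed assumptions.

```python
"""Added example (not Bodet's code): consistency checks for the SAML section of a
Kelio conf.properties, following the rules in the setup table above.
Key names are those documented on this page; the sample fragment is constructed."""
from urllib.parse import urlparse

# Constructed conf.properties fragment: Kelio behind a reverse proxy, two mistakes planted.
SAMPLE_CONF = """
# SAML authentication section (constructed sample)
saml.enableAuthentication=true
saml.entityId=https://kelio.client.fr/open/saml/metadata
saml.entityBaseURL=https://kelio.client.fr/open
saml.behindLbOrRp=true
saml.frontEnd.scheme=https
saml.frontEnd.serverName=proxy.client.fr
saml.frontEnd.serverPort=443
saml.frontEnd.includeServerPortInRequestURL=false
saml.frontEnd.contextPath=open
saml.idpMetadataFile=D:/KOD/KODXXX/Open/conf/metadata.xml
saml.usernameAttribute=email
saml.signingAlgorithm=SHA256
saml.maxAuthenticationAge=7200
kerberos.stripDomain=true
"""

# Attribute names that usually carry an e-mail address (heuristic, not from the page).
MAIL_LIKE_ATTRIBUTES = {"email", "mail", "userprincipalname", "emailaddress"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key: value) lines, '#'/'!' comments.
    Values are kept verbatim (no backslash unescaping)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"


def check_saml_conf(props):
    """Return a list of findings; an empty list means the section is consistent."""
    findings = []
    if not is_true(props, "saml.enableAuthentication"):
        return ["saml.enableAuthentication is not true: SAML is disabled"]

    base = props.get("saml.entityBaseURL", "")
    if urlparse(base).scheme != "https":
        findings.append("saml.entityBaseURL should be an https URL (the assertions transit via the browser)")
    # Since MOD-018957 the entityId is the metadata URL derived from entityBaseURL.
    if props.get("saml.entityId", "") != base.rstrip("/") + "/saml/metadata":
        findings.append("saml.entityId should be <saml.entityBaseURL>/saml/metadata")

    if is_true(props, "saml.behindLbOrRp"):
        # The frontEnd.* fields describe the proxy / load balancer and are only read here.
        for key in ("saml.frontEnd.scheme", "saml.frontEnd.serverName",
                    "saml.frontEnd.serverPort", "saml.frontEnd.contextPath"):
            if not props.get(key):
                findings.append(f"{key} is required when saml.behindLbOrRp=true")
        if props.get("saml.frontEnd.scheme", "https") not in ("http", "https"):
            findings.append("saml.frontEnd.scheme must be http or https")
        if not props.get("saml.frontEnd.contextPath", "/").startswith("/"):
            findings.append("saml.frontEnd.contextPath must begin with a /")

    if not props.get("saml.idpMetadataFile"):
        findings.append("saml.idpMetadataFile is missing: place the IdP metadata in a directory not overwritten on update")
    if props.get("saml.signingAlgorithm", "SHA256").upper().replace("-", "") == "SHA1":
        findings.append("saml.signingAlgorithm is SHA1: the ADFS trust must then be switched to SHA-1 (SHA256 is the standard value)")

    # An e-mail style login keeps its '@' only if kerberos.stripDomain is false.
    # Only flagged when explicitly true: the default value is not documented on this page.
    if props.get("saml.usernameAttribute", "").lower() in MAIL_LIKE_ATTRIBUTES and is_true(props, "kerberos.stripDomain"):
        findings.append("saml.usernameAttribute carries an e-mail address: set kerberos.stripDomain=false")
    return findings


if __name__ == "__main__":
    for finding in check_saml_conf(parse_properties(SAMPLE_CONF)):
        print("-", finding)
```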


Retrieval of the SP metadata (Kelio)


Restart Tomcat and consult the Open.log file; find the log entry showing the URL used to download the
XML file containing the SP (Kelio) Metadata.

Generated metadata for service provider "<entityId>" at https://<entityBaseURL>/open/saml/metadata

This file is to be integrated into the IdP by the client.

Note:

If any setup errors are detected at start-up, it is likely that the SAML configuration has been disabled (for
example, an incorrect path meaning the SAML keystore cannot be located). It will be necessary to correct
the error and then reset saml.enableAuthentication to true. It is important to read the start-up logs:

[localhost-startStop-1] 2017-02-21 09:53:16,432 ERROR saml.SamlKeyManagerFactory.Unable to load JKS keystore from [C:\Users\Administrateur.BODET-SOFTWARE\Desktop\test\ssl\KeyStore.jks]. SAML AUTHENTICATION AS BEEN DISABLED. Check store location and password before re-enable SAML authentication

Client workstation setup

For IE and Chrome: Add the URL of the IdP in the “Local Intranet” zone (the short name is sufficient)
For Firefox: Add the URL of the IdP in the parameter network.negotiate-auth.trusted-uris (accessible via
about:config)

Connection test
As with the other authentication methods, the Kelio user identifier must be identical to the identifier sent by
the IdP (case-sensitive!).

After enabling SAML, Kelio must be accessed via a URL corresponding to the one entered in the
saml.entityBaseURL parameter. To bypass SAML, use the URL http://kelio.client.fr:8089/open/login .

A connection to the URL saml.entityBaseURL should redirect to the SAML authentication portal if the user
is not already authenticated (the token remains in the browser, it is therefore lost if the browser is closed).
If the token has already been generated, redirection towards the choice of modules is automatic.

In the event of a failure, it is possible to enable DEBUG logging on the following loggers to help identify the cause:

org.springframework.security.saml
org.opensaml
PROTOCOL_MESSAGE

This log will need to be decrypted using the private key of the JKS and this site:
https://www.samltool.com/decrypt.php


Some setup examples


5.7.1 IdP Jumpcloud

Keys Values
saml.enableAuthentication true
saml.entityId https://-----.bodet-software.com/open/saml/metadata
saml.entityBaseURL https://-----.bodet-software.com/open
saml.behindLbOrRp true
saml.frontEnd.scheme https
saml.frontEnd.serverName -----.bodet-software.com
saml.frontEnd.serverPort 443
saml.frontEnd.includeServerPortInRequestURL false
saml.frontEnd.contextPath /open
saml.idpMetadataFile D:\KOD\KODXXX\Open\conf\JumpCloud-saml2-metadata.xml
saml.usernameAttribute
saml.signSentAuthNRequests true
saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
saml.signingKey -----.bodet-software.com
saml.encryptionKey -----.bodet-software.com
saml.keystoreFile D:\KOD\KODXXX\Open\conf\saml.jks
saml.keystorePassword **********
saml.keyAlias -----.bodet-software.com
saml.keyPassword **********
saml.defaultKey -----.bodet-software.com

5.7.2 IdP Sign-and-Go

Keys Values
saml.enableAuthentication true
saml.entityId https://-----.bodet-software.com/open/saml/metadata
saml.entityBaseURL https://-----.bodet-software.com/open
saml.behindLbOrRp true
saml.frontEnd.scheme https
saml.frontEnd.serverName -----.bodet-software.com
saml.frontEnd.serverPort 443
saml.frontEnd.includeServerPortInRequestURL false
saml.frontEnd.contextPath /open
saml.idpMetadataFile D:\KOD\KODXXX\Open\conf\metadata_Kelio.xml
saml.usernameAttribute
saml.signSentAuthNRequests true
saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
saml.signingKey -----.bodet-software.com
saml.encryptionKey -----.bodet-software.com
saml.keystoreFile D:\KOD\KODXXX\Open\conf\saml.jks
saml.keystorePassword **********
saml.keyAlias -----.bodet-software.com
saml.keyPassword **********
saml.defaultKey -----.bodet-software.com

5.7.3 IdP ADFS

Keys Values
saml.enableAuthentication true
saml.entityId https://-----.bodet-software.com/open/saml/metadata
saml.entityBaseURL https://-----.bodet-software.com/open
saml.behindLbOrRp true
saml.frontEnd.scheme https
saml.frontEnd.serverName -----.bodet-software.com
saml.frontEnd.serverPort 443
saml.frontEnd.includeServerPortInRequestURL false
saml.frontEnd.contextPath /open
saml.idpMetadataFile D:\KOD\KODXXX\Open\conf\federationmetadata.xml
saml.usernameAttribute
saml.signSentAuthNRequests true
saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
saml.signingKey -----.bodet-software.com
saml.encryptionKey -----.bodet-software.com
saml.keystoreFile D:\KOD\KODXXX\Open\conf\saml.jks
saml.keystorePassword **********
saml.keyAlias -----.bodet-software.com
saml.keyPassword **********
saml.defaultKey -----.bodet-software.com
saml.maxAuthenticationAge 157680000

5.7.4 G Suite (Google)

Keys Values
kerberos.stripDomain false
saml.enableAuthentication true
saml.entityId https://-----.bodet-software.com/open/saml/metadata
saml.entityBaseURL https://-----.bodet-software.com/open
saml.behindLbOrRp true
saml.frontEnd.scheme https
saml.frontEnd.serverName -----.bodet-software.com
saml.frontEnd.serverPort 443
saml.frontEnd.includeServerPortInRequestURL false
saml.frontEnd.contextPath /open
saml.idpMetadataFile D:\KOD\KODXXX\Open\conf\metadata_Kelio.xml
saml.usernameAttribute
saml.signSentAuthNRequests true
saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
saml.signingKey -----.bodet-software.com
saml.encryptionKey -----.bodet-software.com
saml.keystoreFile D:\KOD\KODXXX\Open\conf\saml.jks
saml.keystorePassword **********
saml.keyAlias -----.bodet-software.com
saml.keyPassword **********
saml.defaultKey -----.bodet-software.com
saml.maxAuthenticationAge 157680000

5.7.5 Azure

Keys Values
saml.enableAuthentication true
saml.entityId https://-----.bodet-software.com/open/saml/metadata
saml.entityBaseURL https://-----.bodet-software.com/open
saml.behindLbOrRp true
saml.frontEnd.scheme https
saml.frontEnd.serverName -----.bodet-software.com
saml.frontEnd.serverPort 443
saml.frontEnd.includeServerPortInRequestURL false
saml.frontEnd.contextPath /open
saml.idpMetadataFile D:\KOD\KODXXX\Open\conf\metadata_Kelio.xml
saml.usernameAttribute
saml.signSentAuthNRequests true
saml.wantAssertionSigned true
saml.signMetadata true
saml.signingAlgorithm SHA256
saml.requireArtifactResolveSigned true
saml.requireLogoutRequestSigned true
saml.requireLogoutResponseSigned true
saml.signingKey -----.bodet-software.com
saml.encryptionKey -----.bodet-software.com
saml.keystoreFile D:\KOD\KODXXX\Open\conf\saml.jks
saml.keystorePassword **********
saml.keyAlias -----.bodet-software.com
saml.keyPassword **********
saml.defaultKey -----.bodet-software.com
saml.maxAuthenticationAge 157680000


Examples of IdP configuration

It is up to the client to manage their IdP, but here are some setup examples based on the IdPs. This section
is to be completed as and when opportunities arise…

5.8.1 ADFS
ADFS installation on the client domain.

Follow the installation and configuration steps as documented by Microsoft:

- https://msdn.microsoft.com/fr-fr/library/azure/dn528856.aspx
- https://msdn.microsoft.com/fr-fr/library/azure/dn528857.aspx
- https://msdn.microsoft.com/fr-fr/library/azure/dn528860.aspx
- https://technet.microsoft.com/library/c66c7f4b-6b8f-4e44-8331-63fa85f858c2

Configure Kelio

Install a version that includes SAML authentication.

Retrieve the Metadata from the IdP: https://ADFS/FederationMetadata/2007-06/FederationMetadata.xml

Remove the metadata and configure Kelio

Configure the trust relationship in the ADFS

Retrieve the Metadata from the SP (see Kelio installation)


Run the "Manage AD FS" tool in the server manager
In Trust relationships > Relying party trusts > Add a relying party trust:

Add an issuance transform rule:

By default, the NameID is used to retrieve the user id on the IdP side; this behaviour can be changed by
specifying the name of an attribute to be used in Kelio instead of the NameID (e.g. SamAccountName).

If Kelio is set up with an SHA1 signature algorithm rather than SHA256, then it is necessary to modify the
properties ("Advanced" tab) of the trust party by replacing SHA-256 with SHA-1:

Caution: if Kelio uses a self-signed certificate, it may not be trusted by the ADFS. Events of this type
appear in the ADFS event log:
An error occurred when attempting to create the certificate chain for the certificate
'https://7155b.trem.bod/open/saml/metadata' for the approval of the trust party identified by the digital
fingerprint 'D27A9D6F4B2D8D36FAE6CF116F485C5CB2961838'. The possible causes are the revocation
of the certificate, the impossibility of checking the certificate chain as indicated by the trust party approval
signature certificate revocation parameters, or the failure to respect the valid period of the certificate.

Log in Kelio (in debug mode):

[http-nio-443-exec-5] 2018-01-26 16:18:33,727 DEBUG saml.SAMLAuthenticationProvider.Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

The revocation check must then be disabled.

Check the status in PowerShell:

Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

Disable the revocation check:

Get-AdfsRelyingPartyTrust -Identifier "https://kelio.entreprise.org/open/saml/metadata" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

It is possible to achieve behaviour identical to Kerberos using an ADFS.

Here are some comments made by customers:

- You need to put the ADFS in the local intranet and check that it is authenticated for GSM clocking terminals
- The name of the federation service must be saved in the DNS as an A-entry (host-to-IP).
- You need to make sure that all of the types of browser are in WIASupportedUseragents; in PowerShell,
on the ADFS:

# Check the list of agents:
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# Add as many agents as possible:
Set-AdfsProperties -WIASupportedUserAgents @('MSAuthHost/1.0/In-Domain', 'MSIE 6.0', 'MSIE 7.0', 'MSIE 8.0', 'MSIE 9.0', 'MSIE 10.0', 'Trident/7.0', 'MSIPC', 'Windows Rights Management Client', 'Mozilla/5.0', 'Edge/12', 'Edge', 'Chrome', 'Firefox')

# Re-check the list of agents:
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents

# Restart the ADFS service:
Restart-Service adfssrv

- For a Firefox browser, you sometimes have to add the FQDN name of the ADFS in about:config, to the
following parameters:
network.negotiate-auth.delegation-uris
network.automatic-ntlm-auth.trusted-uris

You must also set the following parameters to ‘True’:


network.automatic-ntlm-auth.allow-proxies
network.negotiate-auth.allow-proxies

Depending on the ADFS/browser versions, it may not be necessary to do all of these steps.

5.8.2 OKTA


5.8.3 Azure

See document: Configuring SAML V2 with Azure for Kelio

5.8.4 G Suite (Google)


Follow the Google tutorial: https://support.google.com/a/answer/6087519?hl=en. Here are some screenshots from
https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS:

[Screenshots of the G Suite SAML app configuration; captions:]
Userprincipalname for use of e-mail
SamAccountName for the Windows login
Allows all users to use the SAML; otherwise permissions must be granted to specific groups using the 'Utilisateurs et groupes' (Users and groups) menu

Provide Bodet Software with the xml file


ACS URL: https://monentreprise.bodet-software.com/open/saml/SSO
Entity ID: https://monentreprise.bodet-software.com/open/saml/metadata


Errors encountered
5.9.1 Entered attribute not present in the assertion

[http-nio-443-exec-7] 2017-11-22 15:05:06,082 DEBUG websso.WebSSOProfileConsumerImpl.Including attribute lastname from assertion _aadc13c759bf6bac71cabb9304c8556f7c87
[http-nio-443-exec-7] 2017-11-22 15:05:06,082 DEBUG websso.WebSSOProfileConsumerImpl.Including attribute firstname from assertion _aadc13c759bf6bac71cabb9304c8556f7c87
[http-nio-443-exec-7] 2017-11-22 15:05:06,082 DEBUG websso.WebSSOProfileConsumerImpl.Including attribute email from assertion _aadc13c759bf6bac71cabb9304c8556f7c87
[http-nio-443-exec-3] 2017-11-22 14:14:26,483 DEBUG saml.SAMLProcessingFilter.Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User with name null not found

The attribute configured in saml.usernameAttribute must be sent by the IdP. In this log example, the IdP
sends lastname, firstname and email, but saml.usernameAttribute is NameID.
Configuration example on an IdP which would have the attribute "email":

<ns2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>someone.someone@corporate.com</ns2:AttributeValue>
</ns2:Attribute>

5.9.2 OneTimeUse
The Spring framework used is not OneTimeUse compatible (this condition prevents an assertion from being
reused later, but may cause problems in the event of a time difference between the workstation and Kelio):

org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO

The IdP administrator must be asked to disable OneTimeUse.


5.9.3 Authentication pop-up on Java modules
If, despite normal operation in http, the launch of the Java modules asks you for authentication again, and
the client uses an @ in their login (normally because the email address is used), check whether
kerberos.stripDomain is indeed set to false.

5.9.4 Response issue time is either too old

Certain IdPs, such as Google, send an authentication date equal to the true authentication date. For
example, if a user logged in at 7 am and runs Kelio at 10 am, the token is too old:

[http-nio-8100-exec-1] 2018-01-29 13:09:01,335 DEBUG saml.SAMLAuthenticationProvider.Error validating SAML message
org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2018-01-29T12:06:42.899Z

ADD-021658 [SAML] Addition of parameter maxAuthenticationAge in conf.properties

Either a patch is required, or the maxAuthenticationAge parameter can be changed in conf.properties (if
sheet AJO-022158 is taken into account).
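Added example, not Bodet Software code: a triage script that recognises the SAML failure signatures documented in this document (keystore not loaded, attribute missing in the assertion, Responder status from ADFS, OneTimeUse, response issue time) in an Open.log extract and points to the remedy given here, plus the arithmetic behind the "skew 60" message of 5.9.4. The log extract is constructed after the entries quoted on this page, and the assumption that the log timestamp is French local time (UTC+1 in January) is labelled in the code.

```python
"""Added example (not Bodet's code): triage of the SAML errors documented in this
section from an Open.log extract, plus the arithmetic behind "Response issue time is
either too old". The log extract is constructed after the entries quoted on this page."""
import re
from datetime import datetime

# Constructed Open.log extract; the keystore path is a placeholder.
SAMPLE_LOG = """\
[localhost-startStop-1] 2017-02-21 09:53:16,432 ERROR saml.SamlKeyManagerFactory.Unable to load JKS keystore from [C:\\Kelio\\Open\\conf\\saml.jks]. SAML AUTHENTICATION AS BEEN DISABLED. Check store location and password before re-enable SAML authentication
[http-nio-443-exec-3] 2017-11-22 14:14:26,483 DEBUG saml.SAMLProcessingFilter.Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: User with name null not found
[http-nio-443-exec-5] 2018-01-26 16:18:33,727 DEBUG saml.SAMLAuthenticationProvider.Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO
[http-nio-8100-exec-1] 2018-01-29 13:09:01,335 DEBUG saml.SAMLAuthenticationProvider.Error validating SAML message
org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2018-01-29T12:06:42.899Z
"""

# (substring to look for, label, remedy given in this document); first match wins.
SIGNATURES = [
    ("SAML AUTHENTICATION AS BEEN DISABLED", "keystore",
     "fix saml.keystoreFile / saml.keystorePassword, then set saml.enableAuthentication back to true"),
    ("User with name null not found", "username-attribute",
     "saml.usernameAttribute names an attribute the IdP does not send (cf. 5.9.1)"),
    ("status:Responder", "idp-responder",
     "the IdP refused the request; on ADFS check the trust and the certificate revocation check (cf. 5.8.1)"),
    ("System cannot honor OneTimeUse", "onetimeuse",
     "ask the IdP administrator to disable OneTimeUse (cf. 5.9.2)"),
    ("Response issue time is either too old", "issue-time",
     "clock difference or old authentication: check time sync, adjust maxAuthenticationAge (cf. 5.9.4)"),
]

ISSUE_TIME_RE = re.compile(r"skew (\d+), time (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)")


def triage(log_text):
    """Return [(label, remedy)] for each log line matching a known SAML failure."""
    hits = []
    for line in log_text.splitlines():
        for needle, label, remedy in SIGNATURES:
            if needle in line:
                hits.append((label, remedy))
                break
    return hits


def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp ending in Z (fromisoformat lacks Z before 3.11)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def seconds_outside_skew(issue_time, skew, received_at):
    """How far (s) the IssueInstant lies outside [received_at - skew, received_at + skew];
    0.0 means the response would have passed the skew check."""
    gap = abs((parse_utc(received_at) - parse_utc(issue_time)).total_seconds())
    return max(0.0, gap - skew)


def explain_issue_time(line, received_at):
    """For a 'Response issue time' line, return (skew, issue_time, seconds outside) or None."""
    m = ISSUE_TIME_RE.search(line)
    if not m:
        return None
    skew, issue_time = int(m.group(1)), m.group(2)
    return skew, issue_time, seconds_outside_skew(issue_time, skew, received_at)


if __name__ == "__main__":
    for label, remedy in triage(SAMPLE_LOG):
        print(f"{label:20s} {remedy}")
    # Assumption: the log timestamp is local time (UTC+1 in France in January),
    # so 13:09:01,335 in the log is 12:09:01.335Z, about 138 s after the IssueInstant.
    print(explain_issue_time(SAMPLE_LOG.splitlines()[-1], "2018-01-29T12:09:01.335Z"))
```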