Patrick-Dussault

Hi Patrick,

I am configuring Kerberos and hitting roadblocks one after the other.

Below is the environment:

Policy Server CA SSO 12.8 SP1 – RHEL 7.1 – (in the domain xyz.no)

CA Access Gateway – RHEL 7.1 – (in the domain xyz.no)

KDC = AD – (in the domain corp.no)

Two SPNs have been created, HTTP/sts.id-test.abc.eu@CORP.NO and smps/no1-ppsmps-1.xyz.no@CORP.NO,

and I have two keytabs.

KRB5_CONFIG is set in the environment.

krb5.conf is as follows:

[logging]
default = FILE:/opt/smuser/log/krb5libs.log
kdc = FILE:/opt/smuser/log/krb5kdc.log
admin_server = FILE:/opt/smuser/log/kadmind.log
[libdefaults]
default_realm = CORP.NO
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /opt/smuser/smpskrb0212.keytab
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
permitted_enctypes = AES256-CTS-HMAC-SHA1-96
[realms]
CORP.NO = {
; DCs specified here will be always tried by Kerberos first and at least
; one of them must be functional. The list can be pruned if desired.
kdc = OSL-DC.corp.no
default_domain = corp.no
}
[domain_realm]
; Realm names are case-sensitive: the mapping must match the CORP.NO realm above exactly.
.corp.no = CORP.NO
corp.no = CORP.NO
****************************************************************

[logging]
default = FILE:/opt/smuser/log/krb5libs.log
kdc = FILE:/opt/smuser/log/krb5kdc.log
admin_server = FILE:/opt/smuser/log/kadmind.log
[libdefaults]
default_realm = CORP.NO
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /opt/smuser/wakrb0212.keytab
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
permitted_enctypes = AES256-CTS-HMAC-SHA1-96
[realms]
CORP.NO = {
; DCs specified here will be always tried by Kerberos first and at least
; one of them must be functional. The list can be pruned if desired.
kdc = OSL-DC.corp.no
default_domain = corp.no
}
[domain_realm]
; Realm names are case-sensitive: the mapping must match the CORP.NO realm above exactly.
.corp.no = CORP.NO
corp.no = CORP.NO

Now I don't see any errors in smps.log or smtrace on the Policy Server.

But I get the error below from the Access Gateway:

[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.][][sts.id-test.***.***:443-vm-ppweb-10-11][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]
[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getKerberosToken][Failed to get authorization header from context][][sts.id-test.***.***:443-vm-ppweb-10-11][Kerberos-PP-nets.eu-Allow GP][][GET][/krb/kerbtest.html]
[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getCredentials][Failed to obtain kerberos token][][sts.id-test.****.***:443-vm-ppweb-10-11][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]

My question is: since my Policy Server is on Linux, should I create one more SPN with host? If so, is it mandatory to merge both keytabs?

Please advise ASAP.

Regards,

Joseph Christie
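Added as an editorial example after the post, not code from the poster or from CA SSO / CA Access Gateway: a small linter for the krb5.conf shown above. MIT Kerberos treats realm names as case-sensitive, so a [domain_realm] mapping to "CORP.no" does not name the "CORP.NO" realm defined under [realms], and the same realm block lists the one KDC twice. The sample config is the gateway krb5.conf from the post reproduced inline as constructed input (its path and host names are taken from the post, not verified); the checker also confirms that the realm part of each posted SPN exactly matches a configured realm. It does not diagnose the gateway log line, which only reports that the request reached the gateway without an Authorization header; that has to be checked on the browser side.

```python
"""Lint an MIT krb5.conf for realm-name case mismatches and repeated KDC entries."""
import re
from collections import Counter

# Constructed sample: the Access Gateway krb5.conf quoted in the post above,
# with its [domain_realm] values left as posted ("CORP.no") so the linter has
# something to find. Path and host names are the post's, not verified here.
SAMPLE_KRB5_CONF = """\
[logging]
default = FILE:/opt/smuser/log/krb5libs.log
[libdefaults]
default_realm = CORP.NO
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /opt/smuser/wakrb0212.keytab
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
permitted_enctypes = AES256-CTS-HMAC-SHA1-96
[realms]
CORP.NO = {
; DCs specified here will be always tried by Kerberos first and at least
; one of them must be functional. The list can be pruned if desired.
kdc = OSL-DC.corp.no
kdc = OSL-DC.corp.no
default_domain = corp.no
}
[domain_realm]
.corp.no = CORP.no
corp.no = CORP.no
"""


def parse_krb5_conf(text):
    """Parse krb5.conf (MIT profile syntax) into nested dicts.

    Result shape: {section: {key: [values...]}}.  A "name = {" block inside a
    section becomes {section: {name: {key: [values...]}}}.  Values are kept in
    lists so repeated keys such as several "kdc =" lines stay visible.
    Comment lines (";" or "#") and blank lines are ignored.
    """
    conf = {}
    section = None
    block = None  # name of the "{ ... }" block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = key
            conf[section].setdefault(block, {})
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def lint_krb5_conf(text):
    """Return human-readable findings about realm naming and KDC lists."""
    conf = parse_krb5_conf(text)
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]

    if default_realm is not None and default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] block")

    for realm, settings in realms.items():
        if not isinstance(settings, dict):
            continue  # not a "{ ... }" block; nothing to inspect
        for kdc, n in Counter(settings.get("kdc", [])).items():
            if n > 1:
                findings.append(f"realm {realm!r} lists kdc {kdc!r} {n} times")

    # Kerberos realm names are case-sensitive: "CORP.no" and "CORP.NO" are
    # different realms, so a [domain_realm] mapping must match [realms] exactly.
    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target in realms:
                continue
            same_ignoring_case = [r for r in realms if r.lower() == target.lower()]
            hint = (f"; differs only in case from configured realm {same_ignoring_case[0]!r}"
                    if same_ignoring_case else "")
            findings.append(
                f"[domain_realm] maps {domain!r} to {target!r}, "
                f"which is not a configured realm{hint}")
    return findings


def spn_realm_is_configured(spn, text):
    """True if the SPN's @REALM part exactly matches a realm in [realms]."""
    _, at, realm = spn.rpartition("@")
    return bool(at) and realm in parse_krb5_conf(text).get("realms", {})


if __name__ == "__main__":
    for finding in lint_krb5_conf(SAMPLE_KRB5_CONF):
        print("-", finding)
    for spn in ("HTTP/sts.id-test.abc.eu@CORP.NO", "smps/no1-ppsmps-1.xyz.no@CORP.NO"):
        status = "configured" if spn_realm_is_configured(spn, SAMPLE_KRB5_CONF) else "NOT configured"
        print(f"{spn}: realm {status}")
```

Run it against the real file with `lint_krb5_conf(open(path).read())` on each host; an empty list means the realm names and KDC list are consistent, after which keytab contents and the browser's Negotiate behaviour are the next things to check.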

