Layer 7 Access Management

Tech Tip : CA Single Sign-On : how many SPN is required if policy server is in Linux

  • 1.  Tech Tip : CA Single Sign-On : how many SPN is required if policy server is in Linux

    Posted 05-10-2019 03:14 AM

    Question:

    We'd like to know how many SPNs are required if the Policy Server runs
    on Linux?

    As it runs on Linux, should there be a Host keytab to register the OS
    too?

    And if so, should the Service keytab and the Host keytab be merged?

    Environment:

    Policy Server on 12.8SP1 on RedHat 7.1;
    CA Access Gateway (SPS) on 12.8SP1 on RedHat 7.1;
    KDC on Active Directory;

    Answer:

    At first glance, you need only one SPN for the Policy Server running
    on Linux.

    As per the documentation, you do need a host and a service
    SPN for the Policy Server that you'll merge into a single .keytab file.

    KDC Configuration on UNIX Example

    Create a user principal (for example, testwakrb), a host principal
    (host/win2k8sps.example.com@EXAMPLE.COM), and a service principal
    (HTTP/win2k8sps.example.com@EXAMPLE.COM) for the web server host. The
    password used for creating the host account must be the same as the
    password specified when using the ksetup utility on the web server host.

    Create a user principal (testpskrb), a host principal
    (host/winps.example.com@EXAMPLE.COM) and a service principal
    (smps/winps.example.com@EXAMPLE.COM) for the Policy Server host. The
    password used for creating the host account must be the same as the
    password specified when using the ksetup utility on the Policy Server host.

    ---

    Kerberos Configuration at the Policy Server on UNIX Example

    Use the ktutil utility to merge the keytab files
    (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host
    principal and service principal names for the Policy Server host in
    the /etc/krb5.keytab file:

    ktutil: rkt sol10ps_host.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    ktutil: rkt sol10ps_smps.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    Verify the created krb5.keytab as follows:

    klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    3 host/sol10ps.test.com@TEST.COM
    3 smps/sol10ps.test.com@TEST.COM

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication#ConfigureCAAccessGatewaytoSupportIntegratedWindowsAuthentication-KDCConfigurationonUNIXExample

    Moreover, for the Policy Server host and service keytab, you have to
    create a different account. Our Documentation gives the steps:

    KDC Configuration on UNIX Example

    4. Create a user principal (for example, testwakrb), a host principal
    (host/win2k8sps.example.com@EXAMPLE.COM), and a service principal
    (HTTP/win2k8sps.example.com@EXAMPLE.COM) for the web server host.

    5. Create a user principal (testpskrb), a host principal
    (host/winps.example.com@EXAMPLE.COM) and a service principal
    (smps/winps.example.com@EXAMPLE.COM) for the Policy Server
    host. The password used for creating the host account must be the same
    as the password specified when using the ksetup utility on the Policy
    Server host.

    [...]

    14. Use the ktutil utility to merge the keytab files
    (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host
    principal and service principal names for the Policy Server host
    in the /etc/krb5.keytab file:

    ktutil: rkt sol10ps_host.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    ktutil: rkt sol10ps_smps.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication

    The Flow of the Kerberos Authentication Scheme is described by this
    KB:

    The sequence of Kerberos Authentication.
    https://comm.support.ca.com/kb/the-sequence-of-kerberos-authentication/kb000014920

    Moreover, you may consider applying SP2 to your components, which brings
    4 fixes about Kerberos.

    Defects Fixed in 12.8.02

    |        # | Fix      | Details                                              |
    |----------+----------+------------------------------------------------------|
    | 00955340 | DE345303 | Policy Server fails to close or reuse file           |
    |          |          | handles in Kerberos authentication, and it restarts. |
    | 00994201 | DE354477 | Kerberos constrained delegation fails if the         |
    |          |          | tickets of Policy Server and Agent have expired.     |
    | 01121257 | DE371188 | CA Access Gateway crashes under load when            |
    |          |          | Kerberos authentication is configured.               |
    | 00994201 | DE354477 | Kerberos constrained delegation fails if             |
    |          |          | the tickets of Policy Server and Agent have expired. |

    https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/service-packs/defects-fixed-in-12-8-02

    Finally, our Documentation provides a section on troubleshooting Kerberos issues:

    Troubleshoot Kerberos Authentication Setup

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup

    KB : KB000132015
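As an added check (example code, not from the post or the CA documentation): parse the `klist -k` listing of the merged /etc/krb5.keytab and confirm it holds both the host/ and the smps/ principal for the Policy Server host, reporting missing principals, duplicate entries and the KVNO found for each. The sample listing is constructed from the two principals shown in the post; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of `klist -k` output for the merged Policy Server keytab,
# mirroring the two principals shown in the post (not captured from a real host).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sol10ps.test.com@TEST.COM
   3 smps/sol10ps.test.com@TEST.COM
"""

# One entry per line: KVNO then principal. The header, dashed rule and
# "Keytab name:" line do not start with a number, so they never match; a
# trailing enctype (as printed by `klist -ke`) is ignored.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_klist(text):
    """Return the keytab entries as a list of (kvno, principal) tuples."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def check_policy_server_keytab(text, fqdn, realm, service="smps"):
    """Check that the merged keytab holds both the host/ and the service
    principal (smps/ by default, as in the post) for the Policy Server host.
    Returns: missing    - required principals absent from the keytab
             duplicates - principals listed twice with the same KVNO (e.g.
                          from re-running the ktutil rkt/wkt merge)
             kvno       - KVNO(s) found for each required principal"""
    required = {f"host/{fqdn}@{realm}", f"{service}/{fqdn}@{realm}"}
    entries = parse_klist(text)
    kvnos = {}
    for kvno, principal in entries:
        if principal in required:
            kvnos.setdefault(principal, set()).add(kvno)
    return {
        "missing": sorted(required - set(kvnos)),
        "duplicates": sorted({p for (_, p), n in Counter(entries).items() if n > 1}),
        "kvno": {p: sorted(v) for p, v in kvnos.items()},
    }

if __name__ == "__main__":
    print(check_policy_server_keytab(SAMPLE_KLIST, "sol10ps.test.com", "TEST.COM"))
```

On a real host, feed it the output of `klist -k` (or `klist -k -t /etc/krb5.keytab`) and the Policy Server's FQDN and realm.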