Symantec Access Management

Expand all | Collapse all

Is it necessary to create spn for service and host for the policy server for kerberos

  • 1.  Is it necessary to create spn for service and host for the policy server for kerberos

    Posted 02-27-2019 08:16 AM

    Patrick-Dussault

     

    Hi Patrick,

     

    I am configuring Kerberos and hitting road blocks one after the other.

    Below is the environment:

     

    Policy server CA SSO 12.8 sp1 - RHEL 7.1 - (in the domain xyz.no)

    CA Access Gateway - RHEL 7.1 - (in the domain xyz.no)

    KDC=  AD - (in the domain****.****)

     

    two SPN created with HTTP/FQHN@****.**** and smps/FQHN.xyz.no@****.****

     

    and have two keytabs.

     

    Environment is set to KRB5_CONFIG

    krb5.conf is as follows

     

    [logging]
    default = FILE:/opt/smuser/log/krb5libs.log
    kdc = FILE:/opt/smuser/log/krb5kdc.log
    admin_server = FILE:/opt/smuser/log/kadmind.log
    [libdefaults]
    default_realm = CORP.NO
    default_ccache_name = KEYRING:persistent:%{uid}
    default_keytab_name = /opt/smuser/smpskrb0212.keytab
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
    permitted_enctypes = AES256-CTS-HMAC-SHA1-96
    [realms]
    CORP.NO = {
    ; DCs specified here will be always tried by Kerberos first and at least
    ; one of them must be functional. The list can be pruned if desired.
    kdc = OSL-DC.****.****
    kdc = OSL-DC.****.****
    default_domain = ****.****
    }
    [domain_realm]
    .corp.no = CORP.no
    corp.no = CORP.no
    ****************************************************************

    [logging]
    default = FILE:/opt/smuser/log/krb5libs.log
    kdc = FILE:/opt/smuser/log/krb5kdc.log
    admin_server = FILE:/opt/smuser/log/kadmind.log
    [libdefaults]
    default_realm = CORP.NO
    default_ccache_name = KEYRING:persistent:%{uid}
    default_keytab_name = /opt/smuser/wakrb0212.keytab
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
    permitted_enctypes = AES256-CTS-HMAC-SHA1-96
    [realms]
    CORP.NO = {
    ; DCs specified here will be always tried by Kerberos first and at least
    ; one of them must be functional. The list can be pruned if desired.
    kdc = OSL-DC.corp.no
    kdc = OSL-DC.corp.no
    default_domain = corp.no
    }
    [domain_realm]
    .corp.no = CORP.no
    corp.no = CORP.no

     

    Now I dont see any errors in smps.log or smtrace in policy server.

     

    But I get an error as below from Access Gateway.

     

    [02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.][][sts.id-test.***.***:443-vm-ppweb-10-11][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]
    [02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getKerberosToken][Failed to get authorization header from context][][sts.id-test.***.***:443-][Kerberos-PP-nets.eu-Allow GP][][GET][/krb/kerbtest.html]
    [02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getCredentials][Failed to obtain kerberos token][][sts.id-test.****.***:443][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]

     

    my question is, since my policy server is in linux, should i create one more SPN with host? if so is it mandate to merge both the keytabs?

     

    Please advice ASAP.

     

    Regards,

    Joseph Christie



  • 2.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Posted 02-28-2019 04:03 AM

    Chris_Hackett

     

     

    Hey Chris,

     

    Could someone please assist me with this.



  • 3.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Broadcom Employee
    Posted 03-04-2019 02:27 AM

    Hi Joseph,

     

    "Failed to obtain kerberos token" probably means that the token from
    the browser doesn't reach the SPS Agent.

     

    According to documentation, you need to create a host and service
    entry on the Policy Server and Agent, and merge both (host and
    service) in a single keytab.

     

    Best Regards,
    Patrick



  • 4.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Broadcom Employee
    Posted 03-13-2019 06:02 AM

    Hi Joseph,

     

    According to the Kim document

     

    https://communities.ca.com/docs/DOC-231151618?commentID=233980734#comment-233980734,

     

    you don't need a host keytab as all servers run on Windows and "All
    servers are joining the AD Domain".

     

    Or do you mean other documents ?

     

    Again, by official documentation, you need the host one on Linux :

     

    Kerberos Configuration at the Policy Server on UNIX Example

     

    Configure KDC for the Windows 2003 [sic] Kerberos realm (domain) to use
    the Windows 2003 domain controller.

     

    14. Use the ktutil utility to merge the keytab files (sol10ps_smps.keytab
    & sol10ps_host.keytab) containing the host principal and service
    principal names for the Policy Server host in the /etc/krb5.keytab

    file:

     

    The Policy Server on a UNIX host is configured for Kerberos
    authentication.

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication

     

    Best Regards,
    Patrick



  • 5.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Former Employee
    Posted 03-01-2019 12:58 PM

    Needs to be a product expert like Mark.ODonohue , Patrick-Dussault , Pete_Burant  . Anything you guys can help Joseph with? Thanks!



  • 6.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Posted 03-13-2019 04:06 AM

    Mark.ODonohue , Patrick-Dussault , Pete_Burant

     

    But as per the document created by SungHoon_Kim doesn't state that and also i am not creating a KDC in Linux machine, our KDC is in windows. So i think SPN for host is not required here.

     

    and what are the probable for browser not reaching SPS agent. Whereas i have configured Radius and other authentication scheme, where the browser is communicating to Access Gateway agent. 

     

    Where exactly does this error trigger "Failed to get authorization header from context" and followed by "Failed to obtain kerberos token". when the initial request is happening and i get the krbtgt from the KDC which happens from browser to webagent.. I hope you get what I am pointing too.

     

    Could you please share the architectural workflow of Kerberos in CA SSO using AGW.



  • 7.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Posted 03-13-2019 07:12 AM

    Patrick-Dussault

     

    There is another document which uses linux servers, ok yeah may be there also policy server are in windows.



  • 8.  Re: Is it necessary to create spn for service and host for the policy server for kerberos

    Posted 03-13-2019 04:08 AM

    Mark.ODonohue , Patrick-Dussault , Pete_Burant

     

    Could you guys please assist me with this issue and architectural workflow of Kerberos in CA SSO with Access Gateway