Patrick-Dussault
Hi Patrick,
I am configuring Kerberos and hitting roadblocks one after the other.
Below is the environment:
Policy server CA SSO 12.8 sp1 - RHEL 7.1 - (in the domain xyz.no)
CA Access Gateway - RHEL 7.1 - (in the domain xyz.no)
KDC = AD - (in the domain ****.****)
Two SPNs created with HTTP/FQHN@****.**** and smps/FQHN.xyz.no@****.****
and have two keytabs.
Environment is set to KRB5_CONFIG
krb5.conf is as follows:
[logging]
default = FILE:/opt/smuser/log/krb5libs.log
kdc = FILE:/opt/smuser/log/krb5kdc.log
admin_server = FILE:/opt/smuser/log/kadmind.log
[libdefaults]
default_realm = CORP.NO
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /opt/smuser/smpskrb0212.keytab
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
permitted_enctypes = AES256-CTS-HMAC-SHA1-96
[realms]
CORP.NO = {
; DCs specified here will be always tried by Kerberos first and at least
; one of them must be functional. The list can be pruned if desired.
kdc = OSL-DC.****.****
kdc = OSL-DC.****.****
default_domain = ****.****
}
[domain_realm]
.corp.no = CORP.no
corp.no = CORP.no
****************************************************************
[logging]
default = FILE:/opt/smuser/log/krb5libs.log
kdc = FILE:/opt/smuser/log/krb5kdc.log
admin_server = FILE:/opt/smuser/log/kadmind.log
[libdefaults]
default_realm = CORP.NO
default_ccache_name = KEYRING:persistent:%{uid}
default_keytab_name = /opt/smuser/wakrb0212.keytab
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96
permitted_enctypes = AES256-CTS-HMAC-SHA1-96
[realms]
CORP.NO = {
; DCs specified here will be always tried by Kerberos first and at least
; one of them must be functional. The list can be pruned if desired.
kdc = OSL-DC.corp.no
kdc = OSL-DC.corp.no
default_domain = corp.no
}
[domain_realm]
.corp.no = CORP.no
corp.no = CORP.no
Now I don't see any errors in smps.log or smtrace on the policy server.
But I get an error as below from Access Gateway.
[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.][][sts.id-test.***.***:443-vm-ppweb-10-11][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]
[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getKerberosToken][Failed to get authorization header from context][][sts.id-test.***.***:443-][Kerberos-PP-nets.eu-Allow GP][][GET][/krb/kerbtest.html]
[02/27/2019][13:40:22][55679][140348344514304][1d1ffac5-cd083a1a-958d50ce-1f937370-b09982a9-c3d][SmKcc::getCredentials][Failed to obtain kerberos token][][sts.id-test.****.***:443][Kerberos-PP-***.***-Allow GP][][GET][/krb/kerbtest.html]
My question is: since my policy server is on Linux, should I create one more SPN with host? If so, is it mandatory to merge both keytabs?
Please advise ASAP.
Regards,
Joseph Christie
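Both krb5.conf files above declare the realm as CORP.NO but map .corp.no and corp.no to CORP.no in [domain_realm]; Kerberos realm names are case-sensitive, so that is worth checking before looking further. The following is an added example, not code from the post or from CA SSO: a small krb5.conf parser plus a realm-consistency check, run over a constructed sample based on the posted config (the KDC hostname is a placeholder).

```python
# Constructed sample based on the krb5.conf posted above (KDC host is a placeholder).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = CORP.NO
[realms]
CORP.NO = {
; comment lines may start with ';' or '#'
kdc = osl-dc.example.invalid
default_domain = corp.no
}
[domain_realm]
.corp.no = CORP.no
corp.no = CORP.no
"""

def parse_krb5_conf(text):
    """Minimal MIT profile parser: [sections], repeated keys as lists, one level of { }."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            sub = None  # end of a subsection such as CORP.NO = { ... }
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = conf[section].setdefault(key, {})
            continue
        target = conf[section] if sub is None else sub
        target.setdefault(key, []).append(value)
    return conf

def check_realm_consistency(conf):
    """Flag default_realm and [domain_realm] targets without an exact [realms] match."""
    realms, findings = set(conf.get("realms", {})), []
    for realm in conf.get("libdefaults", {}).get("default_realm", []):
        if realm not in realms:
            findings.append(f"default_realm {realm} has no [realms] entry")
    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target not in realms:  # realm names are case-sensitive
                hint = " (case differs)" if target.upper() in realms else ""
                findings.append(f"{domain} maps to {target}{hint}")
    return findings
```

This only catches server-side realm-name mismatches; the gateway's "Failed to get authorization header from context" line means the request arrived without a Negotiate header, which has to be checked on the client side separately.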