As part of many organizations, authenticating to a Windows environment is key to providing an overall security structure for internal users. In combination with the API Gateway, CA provides the ability to not only extend the Kerberos frame work being used but allows identity and protocol mapping to a variety of other formats including SAML tokens and Client Based Authentication (SSL Certificates).
Kerberos Workflow Diagram
Configuration of the Kerberos within the CA API Gateway requires the following items:
- A standard user in the Active Directory to be used as a service user for the CA API Gateway
** Note: Ensure that the DES encryption checkbox is unchecked on the account tab of the user
- Access to the Windows ktpass command
- Administrator rights within the CA API Gateway Manager
- Usage of the following assertions in policy: “Require Windows Integrated Authentication Credentials” or “Require WS-Security Kerberos Token Profile Credentials.”
Management of the Kerberos Keytab file
Create a principal for the Windows service and then map it to the host using the ktpass command:
ktpass –princ http/@DOMAIN.COM –mapuser -pass –out kerberos.keytabFor example:
ktpass -princ http/gateway.domain.com@DOMAIN.COM -mapuser gateway -pass password -out kerberos.keytabThis produces the output file kerberos.keytab.Expanded output from running this command:
Targeting domain controller: dc1.domain.comFailed to set property "servicePrincipalName" to "gateway.domain.com" on Dn "CN=gateway,CN=Users,DC=domain,DC=com": 0x13.WARNING: pType and account type do not match. This might cause problems.Key created.Output keytab to kerberos.keytab:Keytab version: 0x502keysize 65 gateway.domain.com@DOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype
Install the kerberos.keytab file using the CA API Gateway Manager
- Open the Kerberos Configuration Menu located within the Tasks Menu list
- From the Kerberos Configuration, click “Load Keytab” button and select the keytab file created for this CA API Gateway cluster.
**Note: The example included above outlines what a successfully keytab validation should output to the window. If an error was to occur the items listed in the troubleshooting section describe known configuration requirements and steps to resolve.
Configuration of Kerberos Delegation
The CA API Gateway supports Kerberos Delegation functionality to allow for credentials to be extracted from the request Kerberos token to request a service ticket for routing. The service account setup in the previous sections will need to be updated to allow for delegation. This is done by modifying the Delegation tab for the user within Active Directory and setting the radio button shown below.
In addition the “Use Windows Integrated” and “Use Delegated Credentials” radio buttons will need to be selected from within the HTTP Routing assertion -> Security Tab.
Troubleshooting
Hostname resolution – The DNS entry for the CA API Gateway cluster hostname needs to be configured for both forward and reverse DNS lookup.
Time Skew – As with all token based authentication, time representation between the various entities in the infrastructure plays an integral part in validation. Ensure that a time server is being utilized for the CA API Gateway cluster which is in-sync with the Active Directory environment.
Incorrect encryption level - Older versions of the ktpass command will not generate the keytab files with RC4-HMAC encryption instead DES-CBC-MD5 will be used. Download the latest ktpass command from Microsoft.
Hostname mismatch- Ensure that the service name generated for keytab matches the name set in the client Kerberos token.