Thanks Kevin for all your great pointers.
Just an update on this topic.
- I did use a single keytab file, as I feel this is easier to administer. Also, if you were to set up the APM policy to sync across the two DCs, this would be a requirement.
- Chrome doesn't build the ticket request using the A record value but the CNAME record value, so all the possible keys need to be in the keytab file. (Didn't test Firefox.)
- Although it is possible to use "setspn" to register all the SPNs to a single AD service account, this doesn't work, because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with "account not found". AD looks for the SPN as the account name and not the pre-Windows 2000 name (the service account name). You therefore need to create 3 distinct service accounts in AD, one for each SPN, each with a unique pre-Windows 2000 name, and then map the correct account to the SPN while creating your keytab files with the "ktpass" tool.
Like this:
AD Accounts:
HTTP/www.domain.com, Pre-W2K_scv_acc_www, enable 256bit Kerberos Auth
HTTP/www1.domain.com, Pre-W2K_scv_acc_www1, enable 256bit Kerberos Auth
HTTP/www2.domain.com, Pre-W2K_scv_acc_www2, enable 256bit Kerberos Auth
ktpass usage:
ktpass -princ HTTP/www.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www -pass * -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www.keytab
ktpass -princ HTTP/www1.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www1 -pass * -in c:/keytab_dir/www.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1.keytab
ktpass -princ HTTP/www2.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www2 -pass * -in c:/keytab_dir/www_and_www1.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1_and_www2.keytab
Finally, make sure that IE has "www.domain.com" defined as an "intranet site" on the security page, or IE will not send your credentials in response to the 401 response from APM. (See setting up Kerberos Authentication.)
I also found that it was necessary to extract the user's name from the APM "session.logon.last.username" variable, as it came with a double domain name on it; I used a variable assign component to do this in my VPE:
session.logon.last.username = return [lindex [split [mcget {session.logon.last.username} "@"] 0]
Regards.
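As an added example (not code from the post above or from F5), a small Python parser for the 0x0502 keytab format that ktpass writes, used to confirm that the merged keytab carries an AES256 key for every CNAME-derived SPN a browser may request before APM is pointed at it. The keytab bytes are constructed inline by a tiny builder (the real ktpass output is not on the page); the hostnames, realm and key bytes are placeholders.

```python
import struct
AES256 = 18  # aes256-cts-hmac-sha1-96, the enctype "ktpass -crypto AES256-SHA1" writes

def _cstr(b):  # keytab "counted octet string": big-endian uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):  # writes format 0x0502 from (principal, enctype, key) tuples
    out = b"\x05\x02"
    for princ, etype, key in entries:
        name, realm = princ.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 0, 3, etype) + _cstr(key)  # name_type, timestamp, vno8, keyblock
        out += struct.pack(">i", len(body)) + body
    return out

def _cstr_at(body, off):
    n = struct.unpack_from(">H", body, off)[0]
    return body[off + 2:off + 2 + n], off + 2 + n

def _parse_entry(body):
    ncomp, off, parts = struct.unpack_from(">H", body, 0)[0], 2, []
    for _ in range(ncomp + 1):  # realm first, then the principal's name components
        s, off = _cstr_at(body, off)
        parts.append(s.decode())
    etype = struct.unpack_from(">IIBH", body, off)[3]  # name_type, timestamp, vno8, enctype
    return "/".join(parts[1:]) + "@" + parts[0], etype

def parse_keytab(data):  # yields (principal, enctype) for every live entry
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 is handled"
    pos = 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size > 0:  # a negative size marks a deleted slot; skip it
            yield _parse_entry(data[pos:pos + size])
        pos += abs(size)

def missing_spns(keytab, expected, etype=AES256):
    have = set(parse_keytab(keytab))
    return [spn for spn in expected if (spn, etype) not in have]

# Constructed stand-in for www_and_www1_and_www2.keytab in which www2 was exported with RC4 (23) only
SAMPLE = build_keytab([
    ("HTTP/www.domain.com@DOMAIN.COM", AES256, b"\x11" * 32),
    ("HTTP/www1.domain.com@DOMAIN.COM", AES256, b"\x22" * 32),
    ("HTTP/www2.domain.com@DOMAIN.COM", 23, b"\x33" * 16),
])
EXPECTED = ["HTTP/%s.domain.com@DOMAIN.COM" % h for h in ("www", "www1", "www2")]
```

Run `missing_spns(open("www_and_www1_and_www2.keytab", "rb").read(), EXPECTED)` against the real merged file; any SPN it returns is one for which APM has no AES256 key and will fail to decrypt the ticket Chrome sends.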