Forum Discussion
APM - How to create a keytab file with multiple SPNs
Hi,
I have run into a problem using Kerberos Authentication when using CNAMEs in DNS.
You can search the web but basically if you use a CNAME record like "www CNAME www1" and then A records "www1 A 10.10.10.1" and "www2 A 10.10.20.1", when IE or .NET needs to authenticate it forms the request to "www1" (or "www2") and not "www".
Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.
The instructions for creating the keytab file only cover the use of the MS tool "ktpass". This tool can only create a keytab file with a single SPN and when you use this with APM it will only work for "www" and break for anything else.
I'm unfamiliar with the Kerberos utilities on BIG-IP but I have seen that there are several (kadmin, kinit, ktutil). Can anyone give me a working example of how I can create a keytab file which will work using these tools for all 3 SPNs which will work with MS AD.
Thanks.
- Kevin_StewartEmployee
There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:
-
The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).
-
The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"
http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html
ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM / -mapuser oamkrb5 / -pass Oracle123 / -ptype KRB5_NT_PRINCIPAL / -crypto ALL / -in forest1.krb5.keytab / -out forest2.krb5.keytab ** where "-in forest1.krb5.keytab" is the keytab file that contains existing keytabs
I can't speak for win2003, but this method definitely works in Win2008R2.
Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.
This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.
-
Thanks for your answer Kevin, it has prompted me to clarify the multiple SPN issue I have.
We are using Win2008R2.
I'm using APM (11.3.0 HF6) in APM+LTM mode and only performing the Authentication on APM, not passing any credentials onto the Webservers which are not IIS.
No GSLB exists but instead a manual DR process is required where in the event of "Site A" failing which carries the VIP "10.10.10.1" (resolving to "www1") the CNAME record for "www" will be changed to point to "www2" (the "Site B" VIP "10.10.20.1").
Are you saying that I should just use one keytab file on "Site A" with SPN of "HTTP/www1" and a different keytab file on "Site B" with SPN of "HTTP/www2" and ignoring the SPN of "HTTP/www" completely?
In the meantime I'll read the article on the link above to see how to create the keytab file that contains existing keytabs which they refer to above (as this is the problem I have).
Thanks.
- Kevin_StewartEmployee
Are you saying that I should just use one keytab file on "Site A" with SPN of "HTTP/www1" and a different keytab file on "Site B" with SPN of "HTTP/www2" and ignoring the SPN of "HTTP/www" completely?
That depends if the initial problem also exists in other browsers. Does Firefox also use the A name? I don't remember if it does. If it's universal, and a browser will always use the A name, then you probably don't need to worry about a keytab for the CNAME.
The "-in" option in ktpass just allows you to add information from other keytabs. So if you have an existing keytab file (ie. for "www"), then you'd create a new keytab (ie. for "www1") and include the other keytab with the -in option to aggregate the two keys. Repeat this process for as many keytabs as you need.
Thanks Kevin for all your great pointers.
Just an update on this topic.
- I did use a single keytab file as I feel this is easier to administer. Also if you were to setup the APM policy to sync across the two DCs this would be a requirement.
- Chrome doesn't build the ticket request using the A record value but the CNAME record value so all the possible keys need to be in the keytab file. (Didn't test Firefox).
- Although it is possible to use "setspn" to register all the SPNs to a single AD service account this doesn't work because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with account not found. AD looks for the SPN as the account name and not the pre-windows 2000 name (the service account name). You need to therefore create 3 distinct service accounts in AD, one for each SPN, with a unique pre-windows 2000 name and then map the correct account to the SPN while creating your keytab files with the "ktpass" tool.
Like this:
AD Accounts:
HTTP/www.domain.com, Pre-W2K_scv_acc_www, enable 256bit Kerberos Auth HTTP/www1.domain.com, Pre-W2K_scv_acc_www1, enable 256bit Kerberos Auth HTTP/www2.domain.com, Pre-W2K_scv_acc_www2, enable 256bit Kerberos Auth
ktpass usage:
ktpass -princ HTTP/www.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www -pass * -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www.keytab
ktpass -princ HTTP/www1.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www1 -pass * -in c:/keytab_dir/www.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1.keytab
ktpass -princ HTTP/www2.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www2 -pass * -in c:/keytab_dir/www_and_www1.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1_and_www2.keytab
Finally, make sure that IE has "www.domain.com" defined as a "intranet site" on the security page or IE will not send your credentials in response to the 401 response from APM. (see setting up Kerberos Authentication)
I also found that it was necessary to extract the user's name from the APM "session.logon.last.username" variable as it came with a double domain name on it, I used a variable assign component to do this in my VPE:
session.logon.last.username = return [lindex [split [mcget {session.logon.last.username} "@"] 0]
Regards.
- Vadim_Yakovlev_Nimbostratus
Although it is possible to use "setspn" to register all the SPNs to a single AD service account this doesn't work because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with account not found.
APM acts as Kerberos-aware server, and as such it doesn't need to connect to AD to service user connection request. All it needs is a valid pair of SPN and Kerberos key in one of keytab files stored on BIG-IP box. This is a common misunderstanding regarding Kerberos. A client needs to contact a KDC (in case of AD, a domain controller) to obtain a ticket which it presents to the server, but server doesn't need to contact KDC.
AD looks for the SPN as the account name and not the pre-windows 2000 name (the service account name).
AD looks for SPN as SPN - that is, as "servicePrincipalName" attribute. Account name doesn't matter at all.
You need to therefore create 3 distinct service accounts in AD, one for each SPN
No, you don't.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com