For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Wire's avatar
Wire
Sep 03, 2013

APM - How to create a keytab file with multiple SPNs

Hi,   I have run into a problem using Kerberos Authentication when using CNAMEs in DNS.   You can search the web but basically if you use a CNAME record like "www CNAME www1" and then A records...
BIG-IP Access Policy Manager (APM)
design
kerberos
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 03, 2013

There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:

  1. The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).

  2. The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"

    http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html

     ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM /
-mapuser oamkrb5 /
-pass Oracle123 /
-ptype KRB5_NT_PRINCIPAL /
-crypto ALL /
-in forest1.krb5.keytab /
-out forest2.krb5.keytab

** where "-in forest1.krb5.keytab" is the keytab file that contains existing keytabs

I can't speak for win2003, but this method definitely works in Win2008R2.

Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.

This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.