Forum Discussion
APM - How to create a keytab file with multiple SPNs
Thanks Kevin for all your great pointers.
Just an update on this topic.
- I did use a single keytab file as I feel this is easier to administer. Also, if you were to set up the APM policy to sync across the two DCs, this would be a requirement.
- Chrome doesn't build the ticket request using the A record value but the CNAME record value so all the possible keys need to be in the keytab file. (Didn't test Firefox).
- Although it is possible to use "setspn" to register all the SPNs to a single AD service account, this doesn't work because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with account not found. AD looks for the SPN as the account name and not the pre-Windows 2000 name (the service account name). You therefore need to create 3 distinct service accounts in AD, one for each SPN, with a unique pre-Windows 2000 name, and then map the correct account to the SPN while creating your keytab files with the "ktpass" tool.
Like this:
AD Accounts:
- HTTP/www.domain.com, Pre-W2K_scv_acc_www, enable 256-bit Kerberos auth
- HTTP/www1.domain.com, Pre-W2K_scv_acc_www1, enable 256-bit Kerberos auth
- HTTP/www2.domain.com, Pre-W2K_scv_acc_www2, enable 256-bit Kerberos auth
ktpass usage:
ktpass -princ HTTP/www.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www -pass * -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www.keytab
ktpass -princ HTTP/www1.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www1 -pass * -in c:/keytab_dir/www.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1.keytab
ktpass -princ HTTP/www2.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www2 -pass * -in c:/keytab_dir/www_and_www1.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1_and_www2.keytab
Finally, make sure that IE has "www.domain.com" defined as an "intranet site" on the security page, or IE will not send your credentials in response to the 401 response from APM. (See "Setting up Kerberos Authentication".)
I also found that it was necessary to extract the user's name from the APM "session.logon.last.username" variable, as it came with a double domain name on it; I used a variable assign component to do this in my VPE:
session.logon.last.username = return [lindex [split [mcget {session.logon.last.username}] "@"] 0]
Regards.
- Vadim_Yakovlev, Jul 05, 2017 (Nimbostratus)
Although it is possible to use "setspn" to register all the SPNs to a single AD service account this doesn't work because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with account not found.
APM acts as a Kerberos-aware server, and as such it doesn't need to connect to AD to service a user connection request. All it needs is a valid pair of SPN and Kerberos key in one of the keytab files stored on the BIG-IP box. This is a common misunderstanding regarding Kerberos. A client needs to contact a KDC (in the case of AD, a domain controller) to obtain a ticket which it presents to the server, but the server doesn't need to contact the KDC.
AD looks for the SPN as the account name and not the pre-windows 2000 name (the service account name).
AD looks for the SPN as an SPN, that is, as the "servicePrincipalName" attribute. The account name doesn't matter at all.
You need to therefore create 3 distinct service accounts in AD, one for each SPN
No, you don't.
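A check worth running after chaining the ktpass commands above and before uploading the result to BIG-IP: confirm that the merged keytab really contains every SPN at the expected encryption type, since the SPN/key pair in the keytab is exactly what the reply says APM needs to validate a ticket. The parser below is an added example, not part of this thread and not an F5 or Microsoft tool; it reads the MIT version 2 keytab format that ktpass writes. The sample keytab it inspects is constructed inline with dummy key bytes (not real key material), and the www2 entry is deliberately stored only at RC4 so the check flags it; the three principal names are the ones from the thread.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# MIT keytab file format, version 2 (header bytes 0x05 0x02), which is what
# ktpass writes and BIG-IP APM reads. All multi-byte integers are big-endian.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1  # name type behind "-ptype KRB5_NT_PRINCIPAL" (RFC 4120)
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",  # what "-crypto AES256-SHA1" produces
    23: "arcfour-hmac",             # RC4, legacy
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/www.domain.com@DOMAIN.COM
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _cos(b: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cos(data: bytes, pos: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))          # v2: realm not counted
    body += _cos(realm.encode())
    for c in components:
        body += _cos(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cos(key)     # keyblock
    body += struct.pack(">I", kvno)                    # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body         # size excludes itself


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Decode every live entry in a v2 keytab (deleted slots are skipped)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"not a v2 keytab, header {data[:2].hex()}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # negative size marks a free slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        # The 32-bit kvno is present only if the entry has 4 bytes left.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
        pos = end
    return entries


def missing_keys(entries: list[KeytabEntry],
                 required: list[tuple[str, int]]) -> list[str]:
    """Principals for which no key of the required enctype is in the keytab."""
    have = {(e.principal, e.enctype) for e in entries}
    return [p for p, t in required if (p, t) not in have]


# Constructed sample standing in for www_and_www1_and_www2.keytab. Dummy keys.
SPNS = ["HTTP/www.domain.com@DOMAIN.COM",
        "HTTP/www1.domain.com@DOMAIN.COM",
        "HTTP/www2.domain.com@DOMAIN.COM"]
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + build_entry(SPNS[0], kvno=3, enctype=18, key=bytes([1] * 32))
                 + build_entry(SPNS[1], kvno=3, enctype=18, key=bytes([2] * 32))
                 + build_entry(SPNS[2], kvno=3, enctype=23, key=bytes([3] * 16)))

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"{e.principal}  kvno={e.kvno}  "
              f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print("missing AES256 keys:", missing_keys(found, [(s, 18) for s in SPNS]))
```

To run this against a real file, replace SAMPLE_KEYTAB with the bytes read from the keytab and keep the required list aligned with the SPNs the APM virtual server is reached under (the A name and every CNAME, per the Chrome observation above). The kvno is also worth comparing with the account's current key version in AD: after a password reset on the service account, every entry for that SPN in the keytab is stale and validation fails until the keytab is regenerated.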