Forum Discussion

Stefan_Finke_83
Jul 20, 2012

APM 11.2: Kerberos AAA ServiceName configuration

I'm configuring a Kerberos AAA Server for Kerberos end user login in an ActiveDirectory Domain. In the AAA Configuration page, I set up my Service Name formed as serviceName/hostname@kerberosrealm (as said in the Help page and the Configuration guide).


But the login fails. APM Log (/var/log/apm) says:


GSS-API error gss_acquire_cred: 20000 : An invalid name was supplied


and


GSS-API error gss_acquire_cred: 96c73ad8 : Hostname cannot be canonicalized


It seems like the APM GSS module does not accept the '@' in the Service Name at all. A Service Name like test@test gives the same error. A Service Name formed as serviceName/hostname (without the realm) is accepted, resulting in a Key table entry not found error (as expected).


Any Hints?


  • In case you're still having this problem, the guidance is admittedly confusing in this respect.


    The service name in the Kerberos AAA object should simply just be 'HTTP'. The Auth Realm will be the fully qualified domain name of the Kerberos realm. To explain, APM does a little magic behind the scenes. When a client request comes in, it takes the host name, adds the service name to the front, and the auth realm to the end, to get the SPN which it then retrieves from the keytab file.


    ex. servicename/host_name@auth_realm


    So in your scenario, APM is creating the string 'servicename/hostname/hostname@auth_realm', which wouldn't exist in the keytab file.


  • For the virtual server, the SPN in the AAA's keytab file MUST match the host name that the client is trying to access.
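To make the SPN assembly described in the replies concrete, here is an added example (not code from the original thread or from F5) that models the behaviour the reply describes: it composes service/host@realm, looks the result up in a constructed `klist -k` style keytab listing, and lints the AAA service name for the '/' and '@' that the question's configuration contained. The APM internals are taken from the reply, not verified against F5 source, and the keytab path and host names are constructed.

```python
"""Model of the SPN lookup APM performs, per the reply above (added example).

Assumption: APM builds "<service>/<host>@<realm>" from the AAA service name,
the host name the client requested, and the AAA Auth Realm, then looks that
principal up in the keytab.
"""
import re

# Constructed keytab listing in the style of `klist -k`; not a real keytab.
KEYTAB_LISTING = """\
Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ------------------------------------------------------
   3 HTTP/portal.example.com@EXAMPLE.COM
"""


def keytab_principals(listing):
    """Return the set of principal names in a klist -k style listing."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", listing, re.M)}


def build_spn(service_name, host, realm):
    """Compose the SPN the way the reply describes: service/host@realm."""
    return f"{service_name}/{host}@{realm}"


def check_service_name(service_name):
    """Config lint: the AAA service name should be a bare class such as HTTP."""
    problems = []
    if "/" in service_name:
        problems.append("service name contains '/'; APM appends the host itself")
    if "@" in service_name:
        problems.append("service name contains '@'; APM appends the realm itself")
    return problems


def spn_lookup(service_name, host, realm, listing=KEYTAB_LISTING):
    """Return (composed SPN, whether it exists in the keytab, config problems)."""
    spn = build_spn(service_name, host, realm)
    return spn, spn in keytab_principals(listing), check_service_name(service_name)


if __name__ == "__main__":
    # Mis-configured as in the question: service name already carries host and realm.
    print(spn_lookup("HTTP/portal.example.com@EXAMPLE.COM", "portal.example.com", "EXAMPLE.COM"))
    # Corrected as in the reply: bare 'HTTP', realm supplied via the Auth Realm field.
    print(spn_lookup("HTTP", "portal.example.com", "EXAMPLE.COM"))
    # Host mismatch: client reached the virtual server by a name with no keytab entry.
    print(spn_lookup("HTTP", "10.0.0.5", "EXAMPLE.COM"))
```

The third call shows the keytab/host-name rule from the last reply: a request that reaches the virtual server by an address or alias absent from the keytab yields no matching principal even when the AAA object is configured correctly.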