Symantec Access Management


Kerberos setup Questions

  • 1.  Kerberos setup Questions

    Posted Aug 27, 2014 04:25 PM

    Hi,
    I had a few questions on Kerberos setup.
    I tested IWA NTLM successfully. But we wanted to configure Kerberos also.
    Environment details:
    AD DC: Windows 2008 R2
    Policy server: R12.5 on Linux 6.3
    IIS web server: Windows 2008 R2, IIS 7.5 with R12.5 agent.
    Questions are:
    1. Windows web server service account creation is fine. And also we are able to log in with this account into the DC and also into the Windows server which is hosting IIS.
    2. Policy Server service account. We can log in to the DC with this account, but not to the Policy Server host.
    I assume this is fine. In one of the CA documents, it was mentioned to sync the password of this account with the Linux account used to log in to the PS host for install etc.
    Is this required?
    CA document snippet:
    A. Create a user, for example, sol8psuser, with the same password used for creating a service account for the Policy Server host (sol8ps) in Active Directory.
    B. Add the host to the test.com domain and log in to the host with user sol8psuser.

    3. Also, is merging keytab files containing the host principal and service principal names for the Policy Server host required if the PS is on Linux?
    4. Any difference in generating the keytab if the Policy Server is on Windows or Unix?

    Thanks and Regards,

    Srinivas Meganath.



  • 2.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Aug 28, 2014 02:34 AM

    Hi,

    3 - This is required for a Linux / Unix box. You need to identify the machine, and the service, to the Kerberos server in order to be able to process tickets. Kerberos will use principal names.

    4 - The keytabs are generated on the AD machine, and then merged on the Linux / Unix machine. On a Windows machine, when you register the host in the Windows domain, the OS already receives a Kerberos ticket to communicate with the Kerberos server. In Linux / Unix, you have to do it manually using the kinit command, and as such, you need a principal to connect the machine, and another principal to connect the services.

    For item 2, I am not sure, but if you put the same user in the OS and AD, this will help debugging and make troubleshooting easier.

    For item 1, use the account on the OS to register the host in the Windows Domain.



  • 3.  Re: Kerberos setup Questions

    Posted Aug 28, 2014 11:50 AM

    Hi Patrick,
    Thanks for your valuable inputs.
    For the Policy Server running in Linux, if I need to register the Linux machine to the AD DC, do I need to create one more service account in the AD DC? And then use the kinit command in Linux to generate the SPN and keytab?
    Do you have any example command? This would be very useful for me.
    For 1 and 2, as of now my service accounts are different.
    For example, the PS is running in Linux with OS account "X1". And I created a different service account "svcsmps" in AD. But passwords are synced.
    Windows IIS is running with the system admin account. And I created a different service account "svcsmwa" in AD.
    If this won't work, I will have to try creating service accounts the same as the user who is running the service.

    Regards,

    Srinivas Meganath.



  • 4.  Re: Kerberos setup Questions

    Posted Aug 28, 2014 01:12 PM

    Hi Patrick,

    I was able to find more explanation on the web on registration of Linux hosts with the KDC.

    Looks like I have to generate a new SPN for the host and generate a keytab file for the same.

    Then migrate the host keytab and the smps service keytab into the Linux machine and merge both. I am stuck at the merging step, as the ktutil tool is not available in my Linux host. I will do further troubleshooting from here.

    Regards,

    Srinivas.



  • 5.  Re: Kerberos setup Questions
    Best Answer

    Broadcom Employee
    Posted Aug 29, 2014 03:11 AM

    For the Linux Policy Server, you need an account with a principal for the machine and another one for the service.

    Assuming I have 2 keytabs for the Linux Policy Server:

    duspa01-U116706.keytab
    duspa01-U116706PS.keytab

    Here is a sample of how to merge them on Linux:

       On the Policy Server

       # cp /root/download/policyserver/duspa01-U116706*.keytab /etc
       # cd /etc
       # ktutil
       ktutil: rkt duspa01-U116706.keytab
       ktutil: wkt /etc/krb5.keytab
       ktutil: quit
       # ktutil
       ktutil: rkt duspa01-U116706PS.keytab
       ktutil: wkt /etc/krb5.keytab
       ktutil: quit

       Check that the keytab is correctly configured and both keytabs have been merged:

       # klist -k /etc/krb5.keytab
       3 host/duspa01-U116706.training.com@TRAINING.COM
       3 smps/duspa01-U116706.training.com@TRAINING.COM

    I think the ktutil tool can be found by installing a package called krb5-workstation or something similar.



  • 6.  Re: Kerberos setup Questions

    Posted Aug 29, 2014 11:22 AM

    Thanks Patrick for the inputs.

    Yes, I am working on setting up the required Kerberos packages in Linux. I will keep you updated with results, once all configurations are completed.

    Thanks for your help.



  • 7.  Re: Kerberos setup Questions

    Posted Aug 29, 2014 02:46 PM

    Hi Patrick,
    Any idea on setting the service account as Trusted for Delegation?
    One of the CA documents mentions it as below, which covers only the web server service account.
    What about the smps Policy Server service accounts?
    I did some more research on this and it mentioned both the service accounts. I am going ahead with setting up delegation for both the service accounts.
    But one implementation had given instructions for both the machines also.
    The machine which is hosting IIS (Windows 2003) and the Windows 2003 server hosting the Policy Server. They had set up delegation for the machines also in AD.
    In my case IIS is on Windows 2008 R2 and the PS is on RHEL. Both machines are in the DC. But I have not set up delegation. Is this fine? Or do we need to do it for the machines also?




  • 8.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 01, 2014 02:25 AM

    To set delegation:

    - Mark the users for delegation

        Click Start / Administrative Tools / Active Directory Users and Computers;
        Expand training.com;
        Click on "Users";
        On the right pane, right click on yourdomain.com and select "Properties";
        Click on the "Delegation" tab;
        Select "Trust this user for delegation to any service (Kerberos only)";
        Click "OK";

        Redo this procedure for all accounts.

    Note that you will see the delegation pane only if you have set a principal name on the account.

    Once again, if the service runs on Windows, the Policy Server needs a name for the service, for example:

    smps-mymachine

    with a principal attached to this account.

    I hope this helps you.



  • 9.  Re: Kerberos setup Questions

    Posted Sep 02, 2014 05:27 PM

    Hi Patrick,

    I was able to use ktutil to merge keytab files for the Linux Policy Servers.

    But while creating the SiteMinder Kerberos authentication scheme with R12.5, we have to use a custom template with the below URL.

    http://IISFQDN/siteminderagent/Kerberos/creds.kcc;smps/SPN;(&(objectclass=user)(samaccountname=%{UID}))

    But I don't see a Kerberos virtual directory as part of the siteminderagent virtual directory in the IIS server.

    Is this file and directory not required?

    For NTLM, after installing the agent, we get an "NTLM" virtual directory.

    Am I missing something here?

    If there is no Kerberos directory, then do we need to enable Windows authentication at the "siteminderagent" level and add the "negotiate" provider there?

    Please help us here.

    Regards,

    Srinivas.



  • 10.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 03, 2014 02:20 AM

    Hi,

    There is no Kerberos virtual directory, and you do not have to create one. You do not have to enable Windows Authentication either, and we do not recommend you to do so because you might face IIS cache issues too.

    Patrick



  • 11.  Re: Kerberos setup Questions

    Posted Sep 03, 2014 04:01 PM

    Hi Patrick,

    Thanks for your response.

    Even for NTLM authentication with SiteMinder, we don't have to set up Windows authentication on the NTLM virtual directory (siteminderagent)?

    I had set up this authentication for Windows 2008 IIS 7.5 and SiteMinder NTLM was working fine.

    I am now doing new NTLM and Kerberos testing in Windows 2012 with IIS 8. Let me not enable Windows authentication on the NTLM virtual directory and try.

    Regards,

    Srinivas.



  • 12.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 04, 2014 03:07 AM

    Avoid mixing NTLM and Kerberos. Both are different. If you want to use Kerberos authentication by SiteMinder, then disable Windows Authentication.



  • 13.  Re: Kerberos setup Questions

    Posted Sep 09, 2014 12:51 PM

    We have set up Kerberos as below. During testing, we get the below error in the Web Agent trace logs.
    [/kerberos][][Failed to validate remote GSSAPI token: Unknown code 0]
    Web server: Windows 2008 R2, IIS 7.5, Agent: R12.5
    No messages in the Policy Server trace log file for this flow. Not sure if I have to enable something in the profiler.
    I have the below questions with respect to my setup:
    1. Policy Server R12.5 CR04 is running in RHEL 6.4.
    So I had created one service account for the Policy Server in the AD DC. But I am not able to use this ID to log in to this Linux host.
    The Linux host is in the AD DC.
    2. I had generated 3 SPNs.
    One SPN for the Web Agent running on Windows 2008 R2 using a single service account "srvcsmwa".
    Two SPNs for the Linux machine. The first SPN is for the Policy Server service and the second SPN is for the Linux host. But for both SPNs, I used a single service account...
    Service account: srvcsmps
    SPNs:
    Policy server SPN: smps/HostFQDN@I.***.COM
    Linux Host SPN: host/hostFQDN@I.***.COM
    Is this a problem?
    Do we need a separate service account for the Linux host and map that to the host SPN?
    Then merge both keytabs in the Linux OS?
    What I observed is that "klist" works for both these keytabs in Linux.
    But the kinit command works only for the 2nd SPN, as this was the latest SPN created in the AD DC.
    kinit -k -t srvcsmps.keytab host/hostfqdn@I.***.COM
    kinit does not work for the first SPN.
    kinit -k -t srvcsmps.keytab smps/hostfqdn@I.***.COM

    3. So with the above settings, what should the ACO parameter (SmpsServicePrincipa) be? And what should we use in the authentication scheme?
    Any idea how to capture Policy Server trace logs for Kerberos authentication/custom authentication?

    Thanks, Srinivas.



  • 14.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 10, 2014 09:03 AM

    Hi,

    You will be able to debug the Kerberos transaction only with network traces.

    For the Policy Server on Linux, you do need 1 account for the host, and 1 account for the service.

    Then you do need to merge both keytabs on the Linux box to be referenced in the krb5.conf.

    Be sure that only 1 principal is bound to the account you configured on the AD.

    Best Regards,

    Patrick



  • 15.  Re: Kerberos setup Questions

    Posted Sep 11, 2014 11:32 AM

    Hi Patrick,

    I had set up two service accounts in the AD DC. One for the smps service in Linux and one for the Linux host.

    Then generated 2 SPNs and 2 keytabs.

    Validations in the Linux server:

    1. Was able to log in to the Linux server using both the service accounts.

    2. The klist -spn command works for both SPNs in the Linux host.

    3. But the kinit command works for the first smps keytab only and not for the Linux host keytab.

    We were able to validate the first keytab and SPN (svckrbsmps.keytab) successfully from the Linux server.

      kinit -V -k -t svckrbsmps.keytab smps/FQDN@***.COM

       Result: NO error, taking the password and connecting.

      The second keytab is failing. We get the below error.

    kinit -V -k -t svckrbhost.keytab host/FQDN@***.COM

      kinit: Client not found in Kerberos database while getting initial credentials.

    Is this expected for the host keytab file? Any thoughts?

    Results are the same even for the merged keytab file.

    Thanks,

    Srinivas.



  • 16.  Re: Kerberos setup Questions

    Posted Sep 11, 2014 04:18 PM

    Hi Patrick,

    I was able to fix this issue for the Linux HOST class SPN.

    It was due to the same SPN being set for 2 service accounts. I deleted the unused service account and the Host class SPN started working.

    So to conclude, I have set up 3 service accounts and validated 3 SPNs and keytab files using the kinit and klist commands.

    I now mostly have to figure out the SiteMinder-specific errors.

    Thanks, Srinivas.



  • 17.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 12, 2014 03:03 AM

    Hi,

    You need to use the host keys to register the host only. As such, you only need to run the kinit command on the command line to register the host. Once it is registered (similar to "joining the Windows Domain" when you register a Windows machine), there is a cache file created. You do not have to register the host twice with different accounts; as you have seen, this next "register" will not work. Be sure to run the first with the principal named "host". Then the Web Agent or Policy Server, using its principal HTTP or smps, will be able to connect to the Kerberos server, because the machine is already "connected or registered" to that service with the host principal.

    That said, if you run a machine for the Web Agent and a machine for the Policy Server, both on Linux, you do need 4 principals: Web Agent: host and HTTP; Policy Server: host and smps. Be sure to always respect the UPPER and LOWER case of the characters.

    I hope that helps to understand.

    Best Regards,

    Patrick
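    An added example, not part of the thread or of any CA/Broadcom tooling: a POSIX shell script that drives the ktutil merge shown in reply 5 and then verifies, from klist -k output, that a Linux Policy Server keytab holds both host/ and smps/ (or host/ and HTTP/ for a Linux Web Agent) with exact case, as the reply above requires. The host name, realm and keytab file names are constructed sample values, and the role names "policyserver" and "webagent" are this script's own.

```shell
#!/bin/sh
# Added example, not from the thread: script the ktutil merge and verify the
# result. Host names, realm and file names are constructed sample values.

# merge_keytabs OUTPUT INPUT... : one ktutil session that reads every input
# keytab and appends the entries to OUTPUT (same effect as the two manual
# sessions shown earlier in the thread). Requires the krb5-workstation tools.
merge_keytabs() {
  out=$1; shift
  { for kt in "$@"; do printf 'rkt %s\n' "$kt"; done
    printf 'wkt %s\nquit\n' "$out"; } | ktutil
}

# required_principals ROLE FQDN REALM : the principals that role's keytab
# must hold. A Linux Policy Server needs host/ and smps/, a Linux Web Agent
# needs host/ and HTTP/.
required_principals() {
  case "$1" in
    policyserver) printf '%s\n' "host/$2@$3" "smps/$2@$3" ;;
    webagent)     printf '%s\n' "host/$2@$3" "HTTP/$2@$3" ;;
    *) echo "unknown role: $1" >&2; return 2 ;;
  esac
}

# check_keytab ROLE FQDN REALM : reads `klist -k` output on stdin and prints
# one status line per required principal. Returns 0 only if all are present
# with exact case; principal names are case-sensitive, so a match that differs
# only in case is reported as CASE rather than accepted.
check_keytab() {
  wanted=$(required_principals "$1" "$2" "$3") || return 2
  present=$(awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }')  # skip klist header
  bad=0
  for p in $wanted; do
    if printf '%s\n' "$present" | grep -qxF -- "$p"; then
      echo "OK       $p"
    elif printf '%s\n' "$present" | grep -qixF -- "$p"; then
      echo "CASE     $p (present only with different case)"
      bad=$((bad + 1))
    else
      echo "MISSING  $p"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample of `klist -k /etc/krb5.keytab` after a correct merge.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/duspa01-u116706.training.com@TRAINING.COM
   3 smps/duspa01-u116706.training.com@TRAINING.COM'

# On a real Policy Server the two steps would be:
#   merge_keytabs /etc/krb5.keytab /etc/duspa01-U116706.keytab /etc/duspa01-U116706PS.keytab
#   klist -k /etc/krb5.keytab | check_keytab policyserver duspa01-u116706.training.com TRAINING.COM
# Here the check runs against the constructed sample instead.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab policyserver duspa01-u116706.training.com TRAINING.COM
```

    A non-zero exit from check_keytab is the signal to go back to the AD side: a MISSING line means the keytab for that principal was never merged, a CASE line means the SPN was registered with the wrong case.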



  • 18.  Re: Kerberos setup Questions

    Posted Sep 15, 2014 05:26 PM

    Hi Patrick,
    I had enabled a network trace between the browser and the IIS server and between the IIS server and the AD KDC.

    I could see the below 2 errors:
    KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    I ignored the first error.

    and KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG

    For this error we tried to force the IIS server to always use TCP by modifying the registry key:
    MaxPacketSize
    Still the same issue exists.

    I am following up with CA support on this issue now, as I was able to validate the keytab files successfully against KDC authentication.
    Only the flow with SiteMinder is failing, with an agent 500 error.

    Also, the first IIS to AD calls were TCP only and I was able to see a successful AS_RSP call with TGT and AS.
    Then 44443 calls to the PS from IIS.
    After that a redirection to the ktc.kcc file from the PS.
    Again the IIS web server making UDP AS-REQ calls.
    This is when it is failing!

    After this failure, IIS makes TCP calls back to the KDC and gets a success response.

    Somehow the SiteMinder agent fails with a 500 error. Why this error at the end?

    Thanks,
    Srinivas.



  • 19.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 16, 2014 02:50 AM

    Hi,

    If you have faced a 500 error, this means that the Web Agent and / or Web Server was not able to process the request.

    Some details to check:

    - Did you configure on the Windows side the Windows authentication for the Web Site you are protecting? If so, disable it.

    - What do the network traces say:
      "Again the IIS web server making UDP AS-REQ calls. This is when it is failing!"
      and what is the corresponding Web Agent log line?

    - Under which user runs the application pool and the Web Agent? Is that the user you use to register the machine in the Windows domain?

    Best Regards,

    Patrick



  • 20.  Re: Kerberos setup Questions

    Posted Sep 16, 2014 04:14 PM

    Hi Patrick,

    Windows authentication is disabled at all levels. Anonymous is enabled.

    The application pool is DefaultAppPool configured with the service account which is registered with the SPN.

    Even the Web Agent is running with the same service account.

    NO error in the SiteMinder Policy Server trace logs.

    But the Web Agent trace log error is:

    [09/16/2014][16:29:51][16:29:51.284][4360][5896][000000000000000000000000ae06ca0a-1108-5418657f-1708-00f972ae][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/xwv.i.***.com@I.***.COM: Internal credentials cache error][SmKCC.cpp:99][][][IIS IWA Kerberos POC Realm][iis_iwa_poc_webagent][03-000f143b-c7ac-140d-a17b-06150aca909c][*10.145.74.217][][][][][/kerberos/][GET]

    [09/16/2014][16:29:51][16:29:51.284][4360][5896][000000000000000000000000ae06ca0a-1108-5418657f-1708-00f972ae][ProcessAdvancedAuthCredentials][Plugin interface returned SmFailure.][CSmCredentialManager.cpp:237][][][IIS IWA Kerberos POC Realm][iis_iwa_poc_webagent][03-000f143b-c7ac-140d-a17b-06150aca909c][*10.145.74.217][][][][][/kerberos/][GET]

    [09/16/2014][16:29:51][16:29:51.284][4360][5896][000000000000000000000000ae06ca0a-1108-5418657f-1708-00f972ae][ProcessAdvancedAuthentication][CredentialManager returned SmFailure, end new request.][CSmHighLevelAgent.cpp:1111][][][IIS IWA Kerberos POC Realm][iis_iwa_poc_webagent][03-000f143b-c7ac-140d-a17b-06150aca909c][*10.145.74.217][][][][][/kerberos/][GET]

    The CA support engineer is doing research on whether we are hitting a known CA bug.

    Thanks,

    Srinivas.



  • 21.  Re: Kerberos setup Questions

    Posted Sep 17, 2014 04:41 PM

    Hi Patrick,

    While troubleshooting the Windows IIS server using the Process Monitor tool, we found errors like the below: C:\Windows\Temp\krb5cc access denied.

    But the Windows service account is part of the administrator group and has full control of "temp" and the file. As such, with this service account we can open the file.

    Any idea how to fix this issue?

    Thanks,

    Srinivas.



  • 22.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Sep 18, 2014 03:00 AM

    Hi,

    That is why we recommend using a unique user in the Windows domain to:

    - Join the Windows host to the Windows domain;
    - Install, run and configure the IIS and the application pool with that user;
    - Install, run and configure the Web Agent with that user;
    - Do not configure Windows authentication for the applications and only leave the anonymous one.

    As a possible workaround (with probably performance changes), you can locate the cache files somewhere else, or disable it:

    In order to change the location of the cache file, you need to set the environment variable at the system level as in this sample:

    KRB5CCNAME
    c:\cache\krb5cc

    To disable the Kerberos cache, you need to set the environment variable at the system level as:

    KRB5RCACHETYPE
    none

    Hope this helps,

    Patrick



  • 23.  Re: Kerberos setup Questions

    Posted Sep 18, 2014 05:22 PM

    Hi,

    I was able to fix the krb5cc file permission issue by simply deleting the old file, which was owned by Administrator and not by IUSER.

    When I retested the flow, the owner is now IUSER and there is no such error in the Process Monitor tool.

    I can even see the Negotiate Kerberos token issued to the browser. But the agent is still failing with a 500 error as below.

    [SmKcc::getCredentials][Failed to validate remote GSSAPI token: Unknown code 0][SmKCC.cpp:132][][][IIS IWA Kerberos POC Realm][iis_iwa_poc_webagent]

    In the network capture I don't see any communication from the Web Agent to AD on Kerberos!

    Thanks,

    Srinivas.



  • 24.  Re: Kerberos setup Questions

    Posted Sep 25, 2014 12:29 PM

    Hi Patrick,

    We identified from CA support that the error which I was getting was also due to a bug in the 12.5 base version of the agents, if the user is part of huge AD groups.

    Error:

    [SmKcc::getCredentials][Failed to validate remote GSSAPI token: Unknown code 0][SmKCC.cpp:132][][][IIS IWA Kerberos POC Realm][iis_iwa_poc_webagent]

    We upgraded the IIS agent to R12.5 CR04 (latest) and we could see that first request.

    But the second request was successful. I could see the SiteMinder SMSESSION token and validated the same in the IIS network capture.

    Now I would have to focus more on whether it is intermittently failing!

    Thanks for all your help.

    Thanks,

    Srinivas.



  • 25.  Re: Kerberos setup Questions

    Posted Apr 02, 2015 12:42 PM

    Hi Patrick,

    Under the standard use case scenario where an AD user is logged on to a domain-joined machine, the solution works. However, we are unable to provide any type of fallback authentication in the event the Kerberos negotiation fails, because the solution suffers an HTTP 500 server error in those instances. We need these scenarios to be redirected to the SSO forms-based logon page. This way, if a non-domain device accesses the site, it receives a forms-based logon experience. Even without the forms-based logon page redirect we would expect a 401 unauthorized error or something similar. We have been unable to resolve the issue and are seeking assistance.

    Thanks,

    Rudra



  • 26.  Re: Kerberos setup Questions

    Broadcom Employee
    Posted Jun 26, 2015 07:34 AM

    Hi,

    You might check using the credential selector as the authentication scheme, and also configuring the Web Agent to handle the 500 error:

    https://wiki.ca.com/display/sm1252sp1/Custom+Error+Handling+For+Applications

    Best Regards,

    Patrick