Symantec Access Management

  • 1.  kerberos setup issues

    Posted Aug 26, 2015 06:44 AM

    Hi,

     

    I am trying to set up Kerberos authentication with SiteMinder. Following is my configuration detail:

     

    Policy server version : 12.52 SP1

    OS : Linux, version: 2.6.18-238.el5, x86_64

    Webagent on apache: 12.50.0.732

    KDC is 2012 r2 server.

     

    I have done the configuration according to CA documentation and the issue I am seeing is in the webagent trace log:

     

    Kerberos Credential Cache login failed with service principal HTTP/FQDN@NA.EXAMPLE.COM: Permission denied

     

    Any idea what would be causing this error? I have checked the permissions on both the keytab files and krb conf files on both policy server and webserver and they seem fine.

     

    Thanks

    Avinash



  • 2.  Re: kerberos setup issues

    Broadcom Employee
    Posted Aug 26, 2015 06:54 AM

    Hi,

     

    You might check that the Active Directory user which has the Principal HTTP/FQDN@NA.EXAMPLE.COM has only this principal. More, be sure that the KVNO for that principal is the same in AD as in the keytab.

     

    Best Regards,

    Patrick



  • 3.  Re: kerberos setup issues

    Posted Aug 27, 2015 12:30 PM

    Hello Patrick,

     

    Thank you for the reply. I verified the kvno matches on both ends. The Active Directory had 2 principals, so I deleted the additional entry that didn't have the realm name appended. Now, I am facing a different error:

     

    Kerberos Credential Cache login failed with service principal HTTP/FQDN@NA.EXAMPLE.COM: Key table entry not found.

     

    Thanks

    Avinash



  • 4.  Re: kerberos setup issues

    Posted Sep 03, 2015 12:38 AM

    Hello Patrick- Any comments on the issue/error I am seeing?

     

    Thanks

    Avinash



  • 5.  Re: kerberos setup issues

    Broadcom Employee
    Posted Sep 03, 2015 02:32 AM

    Hi Avinash,

     

    It looks like the HTTP/FQDN@NA.EXAMPLE.COM is not found in the keytab file.

     

    Could you paste the output of the keytab file and also the krb5.conf file? What is your OS version?

     

    Best Regards,

    Patrick



  • 6.  Re: kerberos setup issues

    Posted Sep 04, 2015 04:44 AM

    Below is the krb5.ini content.

     

    [libdefaults]
    default_realm = NA.EXAMPLE.COM
    default_keytab_name = /local/mnt/workspace/keytabs/wshost.keytab
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac

    [realms]
    NA.EXAMPLE.COM = {
        kdc = NADCSAN.na.example.com:88
        default_domain = na.example.com
    }

    [domain_realm]
    .na.example.com = NA.EXAMPLE.COM
    na.example.com = NA.EXAMPLE.COM

     

     

    The keytab file has encrypted text, which couldn't be read, except the realm name and the service principal name of the respective IDs. So, I didn't upload it.

     

    OS version:

    Webserver - Red Hat Enterprise Linux Server release 6.4, 2.6.32-358.el6.x86_64

    Policy server - Red Hat Enterprise Linux Server release 5.6, 2.6.18-238.el5



  • 7.  Re: kerberos setup issues

    Broadcom Employee
    Posted Sep 04, 2015 05:07 AM

    Hi;

     

    Run the following command and give us the output:

     

    klist -k /local/mnt/workspace/keytabs/wshost.keytab

     

    More, as running on Linux, usually the krb5 conf file is called krb5.conf.

     

    What is the value of the environment variable KRB5_CONFIG?

    Which encryption type did you specify for the keytab: des-cbc-md5 or rc4-hmac?

     

    Best Regards,

    Patrick



  • 8.  Re: kerberos setup issues

    Posted Sep 04, 2015 05:59 AM

    Keytab name: FILE:/local/mnt/workspace/keytabs/wshost.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      13 HTTP/FQDN.example.com@NA.EXAMPLE.COM

     

    Yup, I had named the krb5.conf as krb5.ini; I can change it if required.

     

    I had set the value of KRB5_CONFIG with the export command and it is /local/mnt/kerbagent/webagent/krb5.ini.

     

    The encryption type is rc4-hmac. I didn't use any specific type while creating the keytab on 2012 R2 KDC server.

     

    Thanks

    Avinash



  • 9.  Re: kerberos setup issues

    Broadcom Employee
    Posted Sep 08, 2015 03:44 AM

    Hi,

     

    On Unix / Linux, you need a Principal for the host and another one for the service. To illustrate:

        host/webagent1.training.com@TRAINING.COM
        HTTP/webagent1.training.com@TRAINING.COM

     

    It looks like you have only the Service one. In AD, add an account for the host, and create a keytab for this Principal, then move the keytab to your Web Agent OS and merge your keytab with the host keytab in order to get 2 principals in your keytab: host/... and HTTP/...

     

    Hope that helps,

     

    Best Regards,

    Patrick
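
As an added example (not part of this thread, nor CA/Broadcom code), the following Python reads the MIT keytab format directly and applies the two checks raised above: that both the HTTP/ and host/ principals for the agent's FQDN are present, and that each carries the KVNO Active Directory currently holds. build_keytab exists only to construct sample input offline; the FQDN, realm and KVNO 13 are the values quoted in the thread, and rc4-hmac is enctype 23.

```python
import struct

def _cstr(b):  # keytab counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT keytab, format 0x0502 (sample input only)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for every live entry, the view `klist -k` prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        end = pos + abs(size)                      # a negative size marks a deleted slot
        if size > 0:
            ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
            strings = []                           # realm first, then each name component
            for _ in range(ncomp + 1):
                n = struct.unpack_from(">H", data, pos)[0]
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen                       # skip the key material itself
            kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8  # 32-bit vno wins if non-zero
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def check_agent_keytab(data, fqdn, realm, ad_kvno):
    """Apply the thread's two checks: both HTTP/ and host/ principals present, each at the KVNO AD holds."""
    entries, problems = parse_keytab(data), []
    for svc in ("HTTP", "host"):
        want = f"{svc}/{fqdn}@{realm}"
        kvnos = [e["kvno"] for e in entries if e["principal"] == want]
        if not kvnos:
            problems.append(f"missing {want}")
        elif ad_kvno not in kvnos:
            problems.append(f"{want} has kvno {kvnos}, AD has {ad_kvno}")
    return problems
```

On a real agent host, pass the bytes of the file named in default_keytab_name (for example `open("/local/mnt/workspace/keytabs/wshost.keytab", "rb").read()`) together with the FQDN, realm and the KVNO read from AD; an empty list means both checks passed.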