Question:
We'd like to know how many SPNs are required if the Policy Server runs
on Linux?
As it is running on Linux, should there be a Host keytab to register the OS
too?
And if so, should the Service keytab and Host keytab be merged?
Environment:
Policy Server on 12.8SP1 on RedHat 7.1;
CA Access Gateway (SPS) on 12.8SP1 on RedHat 7.1;
KDC on Active Directory;
Answer:
At first glance, you need only one SPN for the Policy Server running
on Linux.
As per the documentation, you do need a host and a service
SPN for the Policy Server, which you'll merge into a single .keytab file.
KDC Configuration on UNIX Example
Create a user principal (for example, testwakrb), a host principal
(host/win2k8sps.example.com@EXAMPLE.COM), and a service principal
(HTTP/win2k8sps.example.com@EXAMPLE.COM) for the web server host. The
password used for creating the host account must be the same as the password
specified when using the ksetup utility on the web server host.
Create a user principal (testpskrb), a host principal
(host/winps.example.com@EXAMPLE.COM) and a service principal
(smps/winps.example.com@EXAMPLE.COM) for the Policy Server host. The
password used for creating the host account must be the same as the password
specified when using the ksetup utility on the Policy Server host.
---
Kerberos Configuration at the Policy Server on UNIX Example
Use the ktutil utility to merge the keytab files
(sol10ps_smps.keytab & sol10ps_host.keytab) containing the host
principal and service principal names for the Policy Server host in
the /etc/krb5.keytab file:
ktutil: rkt sol10ps_host.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
ktutil: rkt sol10ps_smps.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
Verify the created krb5.keytab as follows:
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/sol10ps.test.com@TEST.COM
3 smps/sol10ps.test.com@TEST.COM
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication#ConfigureCAAccessGatewaytoSupportIntegratedWindowsAuthentication-KDCConfigurationonUNIXExample
Moreover, for the Policy Server host and service keytab, you have to
create a different account. Our documentation gives the steps:
KDC Configuration on UNIX Example
4. Create a user principal (for example, testwakrb), a host principal
(host/win2k8sps.example.com@EXAMPLE.COM), and a service principal
(HTTP/win2k8sps.example.com@EXAMPLE.COM) for the web server host.
5. Create a user principal (testpskrb), a host principal
(host/winps.example.com@EXAMPLE.COM) and a service principal
(smps/winps.example.com@EXAMPLE.COM) for the Policy Server
host. The password used for creating the host account must be the same as
the password specified when using the ksetup utility on the Policy
Server host.
[...]
14. Use the ktutil utility to merge the keytab files
(sol10ps_smps.keytab & sol10ps_host.keytab) containing the host
principal and service principal names for the Policy Server host
in the /etc/krb5.keytab file:
ktutil: rkt sol10ps_host.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
ktutil: rkt sol10ps_smps.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication
The flow of the Kerberos Authentication Scheme is described by this
KB:
The sequence of Kerberos Authentication.
https://comm.support.ca.com/kb/the-sequence-of-kerberos-authentication/kb000014920
Moreover, you may consider applying SP2 to your components, which brings
4 fixes about Kerberos.
Defects Fixed in 12.8.02
| # | Fix | Details |
|----------+----------+------------------------------------------------------|
| 00955340 | DE345303 | Policy Server fails to close or reuse file handles in Kerberos authentication, and it restarts. |
| 00994201 | DE354477 | Kerberos constrained delegation fails if the tickets of Policy Server and Agent have expired. |
| 01121257 | DE371188 | CA Access Gateway crashes under load when Kerberos authentication is configured. |
| 00994201 | DE354477 | Kerberos constrained delegation fails if the tickets of Policy Server and Agent have expired. |
https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/service-packs/defects-fixed-in-12-8-02
Finally, our documentation provides a section on troubleshooting Kerberos issues:
Troubleshoot Kerberos Authentication Setup
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup
KB : KB000132015
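As an added example (not part of the KB article or of the CA documentation), the following POSIX shell script wraps the merge step from the answer above and adds the check a practitioner wants afterwards: it reads `klist -k` output and confirms that both the host principal and the smps service principal for the Policy Server host are present in the merged keytab, reporting their KVNOs so they can be compared with the AD accounts. The file names and principal names are the documentation's examples; the function names, the single-session ktutil variant and the embedded sample `klist -k` listing are constructed here and assume MIT Kerberos tools (Heimdal's klist prints a different layout).

```shell
#!/bin/sh
# Added example, not from the KB: merge the Policy Server host and service
# keytabs with MIT ktutil, then verify that both principals are in the result.

# merge_keytabs HOST_KEYTAB SERVICE_KEYTAB DEST_KEYTAB
# Reads both keytabs into one ktutil session and writes the union to DEST.
# This is equivalent to the two rkt/wkt/q sessions shown in the documentation;
# wkt appends to an existing DEST, so it can target /etc/krb5.keytab directly.
merge_keytabs() {
    ktutil <<EOF
rkt $1
rkt $2
wkt $3
q
EOF
}

# check_keytab_listing FQDN REALM SERVICE
# Reads `klist -k` output on stdin. Returns 0 only if both host/FQDN@REALM and
# SERVICE/FQDN@REALM are present; prints each principal's KVNO so it can be
# compared against the matching account's msDS-KeyVersionNumber in AD
# (host and service are separate accounts, so their KVNOs may legitimately differ).
check_keytab_listing() {
    awk -v h="host/$1@$2" -v s="$3/$1@$2" '
        $2 == h { hk = $1 }
        $2 == s { sk = $1 }
        END {
            rc = 0
            if (hk == "") { print "missing " h; rc = 1 } else { print h " KVNO " hk }
            if (sk == "") { print "missing " s; rc = 1 } else { print s " KVNO " sk }
            exit rc
        }'
}

# verify_keytab KEYTAB FQDN REALM SERVICE -- runs klist against a real keytab file.
verify_keytab() {
    klist -k "$1" | check_keytab_listing "$2" "$3" "$4"
}

# Constructed sample of `klist -k` output, mirroring the documentation's example.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sol10ps.test.com@TEST.COM
   3 smps/sol10ps.test.com@TEST.COM'

# On a real Policy Server host the sequence would be:
#   merge_keytabs sol10ps_host.keytab sol10ps_smps.keytab /etc/krb5.keytab
#   verify_keytab /etc/krb5.keytab sol10ps.test.com TEST.COM smps
# Offline self-check against the constructed sample (succeeds: both present):
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_listing sol10ps.test.com TEST.COM smps
```

The check deliberately fails when the service principal is missing or has a different service name (for example HTTP/ instead of smps/), which is the usual outcome when the SPS keytab is merged onto the Policy Server by mistake; running the same check on the SPS host with `HTTP` as the SERVICE argument covers the web server side.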