Kerberos Authentication against Multiple Domains

The document describes accessing resources across forests using NetIQ Access Manager – Kerberos Authentication.

Pre-requisites:

  1. Kerberos cross-realm trust needs to be enabled between both domains.

  2. Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, you must uncheck it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.

  3. Make sure that the Kerberos service user account password matches on both domains (PRIMARY.COM and OTHER.COM).



Generating keytab files:

ktpass /out PRIMARY.keytab /princ HTTP/sso.test.com@PRIMARY.COM /mapuser nm093secidp01@PRIMARY.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

ktpass /out OTHER.keytab /princ HTTP/sso.test.com@OTHER.COM /mapuser nm093secidp01@OTHER.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

Merging keytab files:

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.

[Image: merging keytab files]
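As an added check that is not part of this article or of the NetIQ/ktutil tooling, the Python below parses a merged MIT-format keytab and reports the two things the prerequisites above care about: that each realm has a key for the HTTP SPN, and that no DES key is mixed in alongside RC4-HMAC. The function names and the keytab bytes (built by build_entry) are constructed for the example; on a real system you would pass the bytes read from the merged keytab file.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757): 1 and 3 are single DES, 23 is RC4-HMAC
DES_ETYPES = {1, 3}
def _counted(b):                      # keytab counted octet string: 16-bit length, then bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, etype, kvno, key):
    """Construct one version-2 keytab entry (sample data only; the key bytes are made up)."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into (principal@REALM, etype, kvno) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                                 # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []                                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _nt, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], etype, kvno))
        pos = end
    return entries

def check_merged_keytab(data, spn, realms):
    """List what is wrong with a merged keytab: a realm with no key for the SPN, or a DES key."""
    entries = parse_keytab(data)
    problems = [f"missing {spn}@{r}" for r in realms if not any(p == f"{spn}@{r}" for p, _, _ in entries)]
    problems += [f"DES key (etype {e}) for {p}" for p, e, _ in entries if e in DES_ETYPES]
    return problems

# Constructed sample: the article's two realms merged into one keytab, plus a stray DES key
SAMPLE = b"\x05\x02" + b"".join(build_entry("HTTP/sso.test.com", r, e, 0, k) for r, e, k in [
    ("PRIMARY.COM", 23, b"\x11" * 16), ("OTHER.COM", 23, b"\x11" * 16), ("OTHER.COM", 3, b"\x22" * 8)])
```

On a host with the MIT Kerberos tools, `klist -kt merged.keytab` prints the same principal, enctype and kvno listing for comparison.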

bcsLogin.conf:

Make sure that the configuration you do in bcsLogin.conf is what the service needs in order to read the merged keytab information.

[Image: bcsLogin.conf]

User Stores:

Add both the user stores (PRIMARY.COM and OTHER.COM) in the IDP cluster.

[Image: user stores]

UPN Suffix:

The UPN presented in the ticket is used to search for the user, and the UPN suffix list is configured to accept the different UPN suffixes.

[Image: Kerberos class]

Enter only the second domain in the UPN Suffixes, in our case it’s OTHER.com and add both the user stores in Kerberos Methods.

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since the DES cipher is disabled by default in Windows 2008 R2, you need to enable DES cipher support on Windows 2008 R2. See the following tech notes from Microsoft:

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
http://support.microsoft.com/kb/978055
Comments
Hi

I am trying to implement multi-domain authentication but I have some issues.

The keytab is generated for each domain. It works for each domain, but when I use the merged keytab, I receive the login screen in place.

I use NAM 3.1.5; on which version have you tested this solution?

I have a misunderstanding with the following:

Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, then you must uncheck it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.

and

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since the DES cipher is disabled by default in Windows 2008 R2, enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:
Other question:

What about the method? I suppose we need to add the primary domain and the secondary domain in the stores configuration in the method.
Version history: revision 3 of 3, last update 2020-01-31 22:05