
NAM 4 and Cross Domain Kerberos Auth


As per the title, we're having issues with getting our cross domain
Kerberos SSO configured successfully.

The target state is to have 2 organisations (Organisation A and
Organisation B from here out) using Kerberos Auth from their respective
AD environments to authenticate to NAM, NAM to then do a password fetch
and form fill the login page for our intranets (one each).

I've been working off:
- http://tinyurl.com/kmkofdg (with the following options for both
organisations (/pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
+SetPass) and using /in OrgB.keytab /out OrgA.keytab when generating the
Keytab for NAM)
- http://tinyurl.com/nbsrsd7 (Although I'm not using either AD as a user
store)
- I've also added the JCE 7 unlimited strength crypto
(http://tinyurl.com/cx5p7xf) to work with our AD environments'
encryption.

So far I have managed to get everything working for organisation A, which
is the organisation whose AD is being connected to for the Kerberos
connection; however, the authentication for organisation B does not work.


Starting up the IDP we get a "Commit Succeeded", however when we attempt
to authenticate with a user from OrgB we get the following:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 38
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

<amLogEntry> 2016-11-16T04:31:18Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#91423A348238438C: AMAUTHID#7179ECB61790E02CCCA7385C03670C30:
Error processing SPNEGO/Kerberos : Error processing SPNEGO/Kerberos :
Error processing SPNEGO/Kerberos : Failure unspecified at GSS-API level
(Mechanism level: Checksum failed) </amLogEntry>

Both of the accounts have domain admin, the same passwords, SPNs set,
etc.

Any suggestions on where to look next?

Thanks

Adam


--
ataylordc
------------------------------------------------------------------------
ataylordc's Profile: https://forums.netiq.com/member.php?userid=11898
View this thread: https://forums.netiq.com/showthread.php?t=56851

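The "Added key: 18version: 38" line in the log above is the Java Kerberos debug output listing each key the IdP loaded from its keytab (enctype 18 = AES256-CTS-HMAC-SHA1-96, kvno 38), and only one key is listed. The following Python script is an added example, not code from the original post or from NAM, that parses a keytab in the MIT version-2 layout and lists principal, realm, enctype and kvno per entry, so a merged keytab (ktpass /in /out) can be checked for an entry in each realm before the IdP is restarted; the sample keytab bytes, realm names and SPN are constructed.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2

def _cstr(s: str) -> bytes:  # counted string: 16-bit big-endian length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, enctype, key, kvno, name_type=1):
    # Serialise one entry (constructed test data, timestamp 0, vno extension on).
    body = struct.pack(">H", len(components)) + _cstr(realm)
    body += b"".join(_cstr(c) for c in components)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
    body += struct.pack(">I", kvno)                         # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return one dict per entry: principal@REALM, enctype and kvno."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, strings = pos + 2, []
        for _ in range(ncomp + 1):     # realm first, then name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen               # skip over the key bytes themselves
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": etype, "kvno": kvno})
        pos = end
    return entries

def realms_in(entries):
    return sorted({e["principal"].rsplit("@", 1)[1] for e in entries})
# Constructed keytab: one AES256-CTS-HMAC-SHA1-96 (etype 18) key per realm.
SAMPLE_KEYTAB = (KEYTAB_MAGIC
    + build_entry("ORGA.LOCAL", ["HTTP", "nam.example.test"], 18, b"A" * 32, 38)
    + build_entry("ORGB.LOCAL", ["HTTP", "nam.example.test"], 18, b"B" * 32, 5))
```

Against a real file (path is a placeholder), `realms_in(parse_keytab(open("nam.keytab", "rb").read()))` listing only one realm means the merge did not carry the other domain's key, which is the first thing to rule out when the IdP reports a single "Added key" line.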

Re: NAM 4 and Cross Domain Kerberos Auth

On 11/16/2016 4:54 PM, ataylordc wrote:


Is there a trust between the 2 forests?


--
Cheers,
Edward


Re: NAM 4 and Cross Domain Kerberos Auth


Hi Ed,

The two domains are connected via an external trust. They are not part
of a forest.

Adam


--
ataylordc

Re: NAM 4 and Cross Domain Kerberos Auth


Check to make sure that the routing between trusts is set up correctly.
If it isn't, it will not work.


--
martintduffy

Re: NAM 4 and Cross Domain Kerberos Auth


That is Kerberos routing.


--
martintduffy

Re: NAM 4 and Cross Domain Kerberos Auth

On 11/18/2016 9:44 AM, martintduffy wrote:
>
> that is kerberos routing.
>
>


Kerberos routing doesn't work across external trust. You can only obtain
a ticket for a resource in another forest if there's a forest trust.

--
Cheers,
Edward


Re: NAM 4 and Cross Domain Kerberos Auth

On 11/16/2016 4:54 PM, ataylordc wrote:


Set up 2 service accounts, one in each of the domains. Set the same
password on both of those accounts and the same SPN. Generate a keytab
with one of those service accounts and configure NAM as per doco.




--
Cheers,
Edward

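Edward's advice relies on both service accounts deriving the same key from the same password, which holds for RC4-HMAC (an unsalted MD4 of the UTF-16LE password, RFC 4757) but not for the AES256-SHA1 enctype the keytab in this thread was generated with, because the AES string-to-key (RFC 3962) salts the password with the realm name. This added Python example (not code from the thread or from NAM) computes the PBKDF2 stage of that derivation for two realms to show the keys diverge; the realm names, SPN and password are constructed, and Active Directory's actual per-account salt may differ from the RFC default used here while still embedding the realm.

```python
import hashlib

AES256_KEY_BYTES = 32        # etype 18: aes256-cts-hmac-sha1-96
DEFAULT_ITERATIONS = 4096    # RFC 3962 default when the KDC sends no s2kparams

def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal's name
    components concatenated with no separators (HTTP/host -> 'HTTPhost')."""
    return realm + "".join(principal.split("/"))

def aes_pbkdf2_stage(password: str, salt: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt. The final DK(tmp, "kerberos") step is an AES-based
    function of this value alone and adds no realm information back in; it is
    omitted so the example needs only the standard library."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, AES256_KEY_BYTES)

def keys_per_realm(password: str, principal: str, realms):
    """Map each realm to the key material the same password yields there."""
    return {r: aes_pbkdf2_stage(password, default_salt(r, principal)) for r in realms}

def same_key_everywhere(password: str, principal: str, realms) -> bool:
    """True only if every realm derives identical material; for AES that
    fails as soon as the realm names differ, however equal the passwords."""
    return len(set(keys_per_realm(password, principal, realms).values())) == 1

# Constructed values: two domains under an external trust, one SPN, one password.
REALMS = ["ORGA.LOCAL", "ORGB.LOCAL"]
SPN = "HTTP/nam.example.test"
PASSWORD = "constructed-service-account-password"

if __name__ == "__main__":
    for realm, key in keys_per_realm(PASSWORD, SPN, REALMS).items():
        print(f"{realm:12s} salt={default_salt(realm, SPN)!r} key={key.hex()[:16]}...")
    print("same key in both realms:", same_key_everywhere(PASSWORD, SPN, REALMS))
```

A wrong service key surfaces on the acceptor as an integrity error like the "Checksum failed" in the log above, so with AES enctypes the keytab needs an entry generated against each domain's own account rather than only a shared password.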

Re: NAM 4 and Cross Domain Kerberos Auth


edmaa;272614 Wrote:
>
>
> Setup 2 service accounts, one in each of the domains. Set the same
> password on both of those accounts and the same SPN. Generate a keytab
> with one of those service account and configure NAM as per doco.


I've:
- Added the SPN for OrgA to the bind account in OrgB.
- Added a new class for OrgB that points at its DCs and has its domain
as the Kerberos Realm.
- Modified the OrgB method to use the new class.

The catalina log shows that the IDP is still going to OrgA's DCs for all
its Kerberos traffic, not contacting the OrgB DCs at all.

Thanks again


--
ataylordc

Re: NAM 4 and Cross Domain Kerberos Auth

On 11/21/2016 11:54 AM, ataylordc wrote:

NAM only supports one domain.

Set up the same SPN on a service account in OrgB as you did in OrgA. Just
make sure that both service accounts in each domain have the exact same
password and it'll work.

Then try to authenticate from a workstation that is part of OrgB.

--
Cheers,
Edward


Re: NAM 4 and Cross Domain Kerberos Auth


edmaa;272709 Wrote:
>
> NAM only supports one domain.
>
> Set up the same SPN on a service account in OrgB as you did in OrgA. Just
> make sure that both service accounts in each domain have the exact same
> password and it'll work.
>
> Then try to authenticate from a workstation that is part of OrgB.


Due to this and some other projects going on, we're upgrading the domain
trusts to Forest type.

Thanks again Ed and Martin for your assistance.

Adam


--
ataylordc