Vice Admiral

Kerberos authentication with multiple Primary Servers


Hi,

I'm trying to configure Kerberos Authentication with ZCM 17.4.

Following the documentation, it says:

 

  • Create a new user account and set it as the Kerberos service principal account using the following command on the domain controller:

    For example, if you created a user called atsserver in your domain, you would run the following command from the command prompt:

    setspn -A HOST/atsserver.myserver.com atsserver

 

I understand that "atsserver" is the ZCM Primary Server name.

What happens if we have more than one Primary Server, for instance ZCM01 and ZCM02? Do I have to create the users in AD as "ZCM01" and "ZCM02", or does the name not matter as long as I import its keytab file into ZENworks Control Center?

 

Regards

Jose Luis

 


3 Replies
Micro Focus Expert

The most important thing to remember when making the KeyTab file is that this is 100% a Microsoft process, and the Keytab file has nothing to do with ZENworks, nor is the KeyTab file even Zone Specific.  It is simply a matter of using the MS tool to create a KeyTab file for your AD Tree.

In fact, when setting up Kerberos I generally recommend first using a test zone, perhaps just 1 Server and 1 PC with both being virtual.  Set the Test zone to be Kerberos Only.  Then test the Keytab file with your test zone.  Once it is working there, you can simply import the same KeyTab file used in the test lab into prod.

 

 

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Micro Focus Expert (accepted solution)

When testing creating KRB Files, I prefer putting the commands I use into a batch file, so I can easily see everything I have tried until I get the syntax correct.   Note: After uploading the KEYTAB file to the ZCC, I would recommend restarting all of the services on your lab server to speed the process of it fully activating.

In my Lab....

zenral.com is my AD Domain.   krbsa2 is the user I was using for the Keytab file.  I made sure to set its password to never expire. 

I recommend placing this user in the CN=USERS,DC=DOMAIN,DC=COM folder at least while testing getting the syntax correct.  I believe I have gotten them to work in the "ServiceAccounts" folder, but I've had some issues with users in other folders.  Also remember that a single letter in any of the commands that has a "CASE" different than it should be will cause the Keytab to be invalid.  Microsoft's syntax is painfully exacting and must be done exactly correct.  The Keytab creation is a 100% Microsoft process.

  • setspn -A HOST/krbsa2.zenral.com krbsa2
    • (This process ALTERS the krbsa2 accounts "user logon name" to HOST/krbsa2.zenral.com)
  • ktpass /princ HOST/krbsa2.zenral.com@ZENRAL.COM -pass MyPassWord -crypto ALL -mapuser zenral\krbsa2 -out krbsa2.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL
    • (This process uses the NEW logon name of krbsa2)

The ONLY thing referenced in any of these commands is a SPECIFIC Active Directory User whose name updates between step 1 and step 2.  For my lab, the syntax above is correct, including the seeming doubles, and if I changed the case on any of the letters, it would likely fail.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!

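Since the answer above stresses that a single wrong-case letter makes the keytab unusable, a quick way to verify what ktpass actually wrote is to read the keytab back and compare the stored principal against the SPN you registered with setspn. The script below is an added example, not code from this thread or from ZENworks/Micro Focus. It assumes the MIT keytab on-disk format version 0x0502 (big-endian fields, one signed 32-bit size prefix per entry), which is the format ktpass writes, and instead of a real krbsa2.keytab it parses a sample keytab constructed in memory with the same layout. The `-crypto ALL` switch from the thread also writes DES and RC4 keys, so the check reports which legacy enctypes are present.

```python
"""Read an MIT-format (0x0502) keytab such as ktpass produces and check that the
principal it carries matches the intended SPN character for character.

Added example, not code from the forum thread or from ZENworks. Assumes the
krb5 keytab layout; the keytab parsed below is constructed in memory."""
import struct
from dataclasses import dataclass, field

KRB5_NT_PRINCIPAL = 1  # name type written by ktpass -ptype KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ENCTYPES = {1, 3, 23}  # -crypto ALL emits these alongside the AES keys


@dataclass
class KeytabEntry:
    realm: str
    components: list = field(default_factory=list)
    name_type: int = 0
    timestamp: int = 0
    kvno: int = 0
    enctype: int = 0
    key: bytes = b""

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse every entry of a version 0x0502 keytab into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry(realm.decode(), comps, name_type, ts, kvno, etype, key))
        off = end
    return entries


def build_keytab(principal: str, kvno: int, keys: dict) -> bytes:
    """Lay out one entry per enctype the way ktpass does (constructed sample data)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for etype, key in keys.items():
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(entries: list, expected_principal: str) -> list:
    """Return findings; an empty list means every entry matches the SPN exactly."""
    findings = []
    for e in entries:
        if e.principal != expected_principal:
            kind = "case mismatch" if e.principal.lower() == expected_principal.lower() else "wrong principal"
            findings.append(f"{kind}: keytab has {e.principal!r}, expected {expected_principal!r}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"unexpected name type {e.name_type} (KRB5_NT_PRINCIPAL is 1)")
        if e.enctype in LEGACY_ENCTYPES:
            findings.append(f"legacy enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} present (kvno {e.kvno})")
    return findings


if __name__ == "__main__":
    spn = "HOST/krbsa2.zenral.com@ZENRAL.COM"  # the /princ value from the thread
    sample = build_keytab(spn, kvno=3, keys={18: b"\x11" * 32, 23: b"\x22" * 16})
    for e in parse_keytab(sample):
        print(e.principal, ENCTYPE_NAMES[e.enctype], "kvno", e.kvno)
    print(check_keytab(parse_keytab(sample), spn))
    # A lowercase "host/..." typed into ktpass shows up here as a case mismatch
    print(check_keytab(parse_keytab(sample), "host/krbsa2.zenral.com@ZENRAL.COM"))
```

To use it against a real file, replace the constructed `sample` with `open("krbsa2.keytab", "rb").read()` and pass the exact `/princ` string you gave ktpass; anything other than an empty list (or only the legacy-enctype notes) means the keytab and the SPN do not agree.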

Vice Admiral

So, from what I see, the username or the SPN does not have to have any relation to the server name.

Thanks a lot!

 
