Re: AD 2003; MS's ktpass made account corrupted





Henoc wrote:
Excuse me, dear Douglas, but I'm French and my English sucks a little bit.


My French is worse...


*) The machine is a windows XP Pro box.
Already belonging to a domain.
The "(not that the computer pre-exist in" was a misspelling of "(note that the computer pre-exists..."


*) The machine name is WWWSRVHOST, which is ALSO its host name under Windows,
as far as I know, because on the Win2003 box it shows this SPN: HOST/
WWWSRVHOST... like this BEFORE any of our changes.

Kerberos principals usually have <service>/<FQDN>@<realm>

With HTTP the <service> is "HTTP" upper case.
With a host the <service> is "host" lowercase
<FQDN> should be the hosts fully qualified DNS name in lowercase.
<realm> is lowercase, and matches the AD domain name, and is usually
a FQDN.

Windows clients and AD are case insensitive, and will accept any case.
Windows host principals can be simple names.

Kerberos clients on other platforms are case sensitive, and will
try to convert a short host name into an FQDN using the resolver.


*) The AD domain name on site was CCIAL.local (that is the way Windows 2003
spells a simple domain name).

OK, it usually is an FQDN, and matches the DNS domain, but does not have to.

To try not to pollute the case, I said it is just an FQDN (fully
qualified domain name), because if this is a problem I will make them change
it afterwards.


You want FQDNs. FQDNs are unique.

So excuse me for the mix-up between FQDN and FDN. Next time I will take more time to re-read my post, especially in a foreign
language.
All this was to try not to give you too many annoying details which
would waste your time.
Apologies.


*)
My app is a custom app with a web server (NO IIS) and provides some SSO
facilities via Java and SPNEGO. That's why I have to do all this stuff:

Never tried running a Java server under Windows.

You may want to do a Google search for: java gss windows server

to get the keytab of the XP computer which hosts my web app.
This is needed for the SSO to work.
The web server uses some Java 6 technologies, including the JAAS layer for security,
which is the one that allows the Kerberos token handshaking.



Java on Windows might be able to use the host's password, and if this
were the case, all that might be needed is to have the AD admin
add an SPN=HTTP/WWWSRVHOST to the existing account. But this might
only work if your server is Windows 2003. You are using XP.


The server does not have to use the same keytab as the host.
And in your case it would be better if it used its own keytab
in a file. The trick is to tell Java where the keytab is.

See:
http://forum.java.sun.com/thread.jspa?threadID=5137494&tstart=75

The Java class Krb5LoginModule describes how to do this,

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

for both client and server. The single-signon example
defines a gss.conf for jgss.accept


http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html

gss.conf:
  com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    keyTab="krb5.keytab" doNotPrompt=true useKeyTab=true
    principal="xmpp/slushpupie.com@SLUSHPUPIE.COM" debug=true;
  };




*)
I talked about Cygwin just because it seems msktutil works only under Unix.
They don't have a "real" DNS, as they are a simple organization: just
Windows boxes. So DNS setup is not a real problem here.

( * ) ( * ) ( * )
I hope I'm a little bit clearer now?!
( * ) ( * ) ( * )
My job is to provide this infamous keytab for the app.
And for this to work, the Sun tutorials ask for the keytab of the
computer hosting the web server.

Now I must confess I'm lost:
it seems you are telling me I should make a keytab for another SPN, but not the
machine's one? I don't know how all this will work then, as Sun was asking
for the machine's keytab.


Yes, and also have a separate account created in AD for this service. Then
if the password is changed on one account it will not affect the other.

The ktpass /mapuser option names the AD account it uses.


I'm not at the office to try all this. I will be there only tomorrow afternoon or Monday.



Thank you for your time and your help.
Sincerely


-----Original Message-----
From: Douglas E. Engert [mailto:deengert@xxxxxxx] Sent: Thursday 13 December 2007 16:15
To: Henoc
Cc: kerberos@xxxxxxx
Subject: Re: AD 2003; MS's ktpass made account corrupted



Henoc wrote:
Thanks Douglas for your help.

Just one thing to make clear for me (I'm not a Kerberos specialist, so I
would like to be sure):

So I got my computer WWWSRVHOST joined to my domain. Most of the time it already has this SPN made by AD:
HOST/WWWSRVHOST@xxxxxxxx

(Some of your examples use FQDN, some FDN. You refer to the machine
as WWWSRVHOST but it also has a DNS hostname. Your attempts
at obfuscating the information in the e-mail are making
it hard to understand your situation.)

First of all, is the computer WWWSRVHOST a Windows machine?
Is WWWSRVHOST the name?
What is its DNS name?
Is it joined to the domain?
What is the AD domain name?

And you want to run a web server on it?
If this is all Microsoft servers and web servers, you should not
have to create any keytabs. It should be done for you.

Are you trying to run some web server under Cygwin?

If so, use two separate Windows accounts, one for the host service
handled by the Windows join, and one for the HTTP service,
and use ktpass. (This keeps them separate, and avoids the common
password issue.)

The account name does not have to be the spn.

My goal is :
- (1) - to add an HTTP/WWWSRVHOST@xxxxxxx SPN to my computer's entry
- (2) - then to produce the corresponding Keytab file

So to reach this :
a) under a Unix box or via Cygwin on the same Windows box I have to install
msktutil (didn't succeed in finding a Windows version)

No, there is none. You should not need this with Windows.

b) issue this kind of command line: (not that the computer pre-exist in
the domain;

You said the computer was joined. Now you say it is not.

in most of my client environment it is a windows box on which I
have to install my stuff)

msktutil -b <base> -k <file> -s <HTTP/WWWSRVHOST@xxxxxxx>

Did you actually get it to run?


Is it all that simple?? I can't believe I have been going around in circles for
ages over something so easy. I should post this on different forums to spare other people this.
I can test before Friday or Monday

If I made some huge mistake in my understanding, please let me know

Thanks again for your help, which was very useful

Sincerely






--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444



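The thread turns on two things: what the keytab that ktpass /out (or msktutil -k) hands to the Java server actually contains, and whether the principal in it follows the <service>/<FQDN>@<realm> form Douglas describes (HTTP upper-case, host name lower-case and fully qualified). The following is an added example, not code from the thread or from any tool mentioned in it: it writes a small MIT-format keytab (the 0x0502 layout that ktpass and msktutil produce), parses it back, and flags principal names that only Windows clients would tolerate. The host wwwsrvhost.ccial.local, the realm CCIAL.LOCAL and the key bytes are constructed for illustration; the upper-case realm is the usual Kerberos convention and is my addition, not something the thread states.

```python
"""Build, parse and sanity-check MIT-format (version 2) keytabs.
Added example; host name, realm and key material are constructed."""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2, as written by ktpass and msktutil
KRB5_NT_PRINCIPAL = 1        # name type produced by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {
    23: "rc4-hmac",                  # ktpass /crypto RC4-HMAC-NT
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _take(data: bytes, pos: int):
    """Read one counted octet string starting at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + n], pos + n


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one entry for a principal written as service/host@REALM."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    # name type, timestamp (0 here), 8-bit kvno, then enctype and key
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)   # 32-bit kvno trailer for versions past 255
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key, pos = _take(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
                        "name_type": name_type, "timestamp": ts, "key": key})
    return entries


def check_spn(principal: str) -> list:
    """Problems with an SPN per the thread's rules: <service>/<fqdn>@<realm>,
    'HTTP' upper-case, 'host' lower-case, host part a lower-case FQDN.
    The upper-case realm check is the usual Kerberos convention (my addition)."""
    if "@" not in principal:
        return ["missing @REALM"]
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    if len(parts) != 2:
        return ["expected service/host, got %r" % name]
    service, host = parts
    problems = []
    if service.lower() == "http" and service != "HTTP":
        problems.append("service should be 'HTTP' (upper-case), got %r" % service)
    if service.lower() == "host" and service != "host":
        problems.append("service should be 'host' (lower-case), got %r" % service)
    if "." not in host:
        problems.append("host %r is a short name; non-Windows clients expect an FQDN" % host)
    if host != host.lower():
        problems.append("host %r should be lower-case for case-sensitive clients" % host)
    if realm != realm.upper():
        problems.append("realm %r is conventionally upper-case" % realm)
    return problems


if __name__ == "__main__":
    good = "HTTP/wwwsrvhost.ccial.local@CCIAL.LOCAL"
    bad = "HTTP/WWWSRVHOST@CCIAL.LOCAL"      # short, upper-case host as in the thread
    kt = build_keytab([build_entry(good, 3, 23, b"\x01" * 16),   # constructed RC4 key
                       build_entry(bad, 3, 23, b"\x01" * 16)])
    for e in parse_keytab(kt):
        print("%-42s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
        for p in check_spn(e["principal"]):
            print("    warning:", p)
```

Point parse_keytab at the file ktpass wrote (for example `ktpass /princ HTTP/wwwsrvhost.ccial.local@CCIAL.LOCAL /mapuser svc-http /pass * /ptype KRB5_NT_PRINCIPAL /out http.keytab`, with svc-http standing in for whatever separate service account the AD admin creates) and compare the kvno and enctype it reports with what the account in AD has: a kvno that moved on after the keytab was cut is exactly the "password changed on one account affects the other" failure Douglas warns about when the host and HTTP services share an account.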