@vegaasen
Last active October 29, 2018 23:47

Configuring Kerberos

Introduction

This is a brief description of how to enable Kerberos authentication on an existing WebLogic server instance against Active Directory. It covers the following:

  • Configure the AD
  • Configure an existing (or new) user in AD that will be the Ticket-holder
  • Generate a keytab-file
  • Configure krb5{.conf,.ini}
  • Error-cases

Walkthrough

Pre-testing

If you only have the account's password and no keytab yet, ktutil can build a keytab from it locally. Note that this makes no connection to the AD domain at all; the first real test against the KDC is the kinit further down. The key version number given with -k must match the account's current kvno in AD, and the realm part of the principal must be in UPPER CASE (username@DOMAIN.NAME), or the KDC will reject the keys. RC4-HMAC is used here because its key is derived from the password alone (AES keys need the principal's salt as well); it is a weak enctype that current DCs disable, so prefer a keytab written by ktpass with AES keys where you can.

ktutil 
addent -password -p username@DOMAIN.NAME -k 1 -e RC4-HMAC
wkt username.keytab
q

Preparing Active Directory

In order to get the Active Directory part to work properly, we need a user that will act as our "ticketmaster": the account that the HTTP/ service principal name (SPN) is mapped to. Add a new user, or use an existing one. We'll be using an existing one named "username".

# Example (DES only, shown for completeness; do not use it):
ktpass -princ HTTP/username@DOMAIN.NAME -pass 123456 +DesOnly -kvno 4 -ptype KRB5_NT_PRINCIPAL -mapOp set -out username.keytab -crypto DES-CBC-CRC -mapuser username@domain.name
# Example (every enctype the DC supports):
ktpass -princ HTTP/username@DOMAIN.NAME -pass 123456 -DesOnly -kvno 4 -ptype KRB5_NT_PRINCIPAL -mapop add -out username.keytab -crypto All -mapuser username@domain.name

The commands above map the SPN to the account, reset the account's password to the value given with -pass, and write the resulting keys to "username.keytab". +DesOnly restricts the account to DES (please..don't); -DesOnly clears that flag. Two things to watch:

  • Use -pass * to be prompted for the password instead of putting it on the command line, where it ends up in shell history and in the process list.
  • A password reset bumps the account's key version number (msDS-KeyVersionNumber). The value given with -kvno has to match that number after the reset; a keytab whose kvno differs from the account's is refused by the KDC. -crypto All also writes DES and RC4 keys; on a current DC use -crypto AES256-SHA1 instead and tick "This account supports Kerberos AES 256 bit encryption" on the account.

The keytab is what the Linux client uses later to obtain Kerberos tickets from the AD domain. It is a credential: protect it like a password file.

Configuring the Linux Client

This stuff is configured on a Linux server, but you may just as well configure a Windows server.

Naming conventions

  • Linux:
    • /etc/krb5.conf
  • Windows
    • C:\Windows\krb5.ini

krb5.conf configuration

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NAME
 # re-enables DES and RC4 for every Kerberos client on this host; only needed
 # because the enctype lists below (and the keytab) still carry those types
 allow_weak_crypto = true
 # Kerberos 4 leftovers, ignored by current MIT krb5
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 # a bare number is seconds: this asks for ten-minute tickets, not ten hours (10h)
 ticket_lifetime = 600
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 # dns_lookup_realm trusts DNS TXT records for the host-to-realm mapping;
 # the [domain_realm] section below already provides it
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # RC4 first, then single DES: this is what makes allow_weak_crypto necessary
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
 DOMAIN.NAME = {
  kdc = idm-kdadc-vt01.domain.name:88
  # port 88 is the KDC, not kadmin (749); AD runs no kadmin server, so this
  # entry is never used for anything here
  admin_server = idm-kdadc-vt01.domain.name:88
  default_domain = DOMAIN.NAME
 }

[domain_realm]
 .domain.name = DOMAIN.NAME
 domain.name = DOMAIN.NAME

[login]
 # Kerberos 4 settings, ignored by current MIT krb5
 krb4_convert = true
 krb4_get_tickets = false

[appdefaults]
 autologin = true
 forward = true
 forwardable = true
 encrypt = true

Add the above configuration to the krb5.conf-file :-)
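For comparison, here is a tightened version of the same configuration. It is added as an example and is not part of the original gist. It assumes a domain controller that supports AES (Windows Server 2008 or later) and a keytab that actually holds AES keys (ktpass -crypto AES256-SHA1 or -crypto All, with the AES flag set on the AD account); host name and realm are the gist's placeholders.

```ini
[libdefaults]
 default_realm = DOMAIN.NAME
 # realm mapping comes from [domain_realm] below, not from DNS TXT records
 dns_lookup_realm = false
 # SRV-record lookup of the KDCs is fine; the explicit kdc entry below wins
 dns_lookup_kdc = true
 ticket_lifetime = 10h
 renew_lifetime = 7d
 forwardable = true
 # do not resolve the KDC name back through reverse DNS when building the
 # service principal (a spoofed PTR record would change which SPN we ask for)
 rdns = false
 # AES only: no allow_weak_crypto, no DES, no RC4
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 DOMAIN.NAME = {
  kdc = idm-kdadc-vt01.domain.name:88
  # AD has no kadmin; password changes go to the kpasswd port on the DC
  kpasswd_server = idm-kdadc-vt01.domain.name:464
 }

[domain_realm]
 .domain.name = DOMAIN.NAME
 domain.name = DOMAIN.NAME
```

With this in place kinit -k -t against an RC4-only or DES-only keytab fails with "KDC has no support for encryption type" by design; that is the signal to regenerate the keytab with AES keys rather than to put allow_weak_crypto back.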

Connecting for the first time

Use the following command to try the connection based on the configuration you've specified in the krb5.conf-file:

kinit -V HTTP/username@DOMAIN.NAME -k -t ~/path/to/username.keytab

This should output similar to this stuff:

Using default cache: /tmp/krb5cc_500
Using principal: HTTP/username@DOMAIN.NAME
Using keytab: /home/whomever//path/to/username.keytab
Authenticated to Kerberos v5

Which, obviously, should give you an indication on how the connection was carried out.

Weblogic configuration

Troubleshooting

Error: kinit: KDC has no support for encryption type while getting initial credentials

This can be caused by numerous things, but the most common ones are:

  • The realm name is not in UPPER CASE (realm names are case-sensitive: DOMAIN.NAME, not domain.name)

  • The AD account has the property "Use Kerberos DES encryption types for this account" set. Remove it if set; it WILL cause the request to fail on any DC that no longer accepts DES

  • The encryption types in the keytab do not match what the KDC offers (for example an RC4-only keytab against a DC that only allows AES). Check which enctypes and which kvno the keytab holds with:

      klist -ke ~/iam1/kerberos/weblogicsrv.keytab

  • Reset the user password (yes, as odd as it might sound, this may actually help). Note that a reset bumps the account's key version number, so regenerate the keytab afterwards

  • Still got issues? Regenerate the keytab file and make sure its kvno and enctypes match the account
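The keytab written by ktpass or ktutil above, and listed by klist -ke here, is a small binary format (MIT keytab version 0x0502) that can be inspected without the Kerberos tools. The following parser is an added example, not code from the gist; it builds a constructed sample keytab in memory (dummy key bytes, the gist's placeholder principal) and flags the two things this troubleshooting section asks you to verify: entries with weak enctypes that a hardened KDC refuses, and entries whose kvno no longer matches the account's.

```python
import struct

# IANA Kerberos encryption type numbers (RFC 3961 registry)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# DES and RC4: what +DesOnly, -crypto RC4-HMAC-NT and allow_weak_crypto give you
WEAK_ENCTYPES = {1, 3, 23}


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab.
    Used here only to construct offline sample input; ktutil/ktpass write this layout."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)             # name type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp (constructed sample: 0)
        body += struct.pack(">B", kvno & 0xFF)   # legacy 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the live entries of a version 0x0502 keytab (what klist -ke lists)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version header %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size: slot freed by ktutil delent
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", data, p)
        p += 4
        realm = data[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p)
            p += 2
            comps.append(data[p:p + clen].decode())
            p += clen
        p += 4                        # name type, not needed for this check
        timestamp, vno8 = struct.unpack_from(">IB", data, p)
        p += 5
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen                 # skip the key bytes: never copy secrets out
        kvno = vno8
        if end - p >= 4:              # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "timestamp": timestamp,
        })
        pos = end
    return entries


def weak_entries(data):
    """(principal, enctype name) for every key a hardened KDC will refuse."""
    return [(e["principal"], e["enctype_name"])
            for e in parse_keytab(data) if e["enctype"] in WEAK_ENCTYPES]


def kvno_mismatch(data, expected_kvno):
    """Principals whose kvno differs from the account's msDS-KeyVersionNumber
    (the 'reset the password / regenerate the keytab' case above)."""
    return [e["principal"] for e in parse_keytab(data) if e["kvno"] != expected_kvno]


# Constructed sample: what 'ktpass -crypto All' leaves you with on an older DC,
# i.e. DES, RC4 and AES keys for the same SPN. Keys are dummy bytes, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/username", "DOMAIN.NAME", 4, 1, b"\x11" * 8),     # des-cbc-crc
    ("HTTP/username", "DOMAIN.NAME", 4, 23, b"\x22" * 16),   # arcfour-hmac
    ("HTTP/username", "DOMAIN.NAME", 4, 18, b"\x33" * 32),   # aes256-cts-hmac-sha1-96
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "WEAK" if e["enctype"] in WEAK_ENCTYPES else "ok"
        print("%-28s kvno %d %-26s %s" % (e["principal"], e["kvno"], e["enctype_name"], flag))
```

Run it against a real file with parse_keytab(open(path, "rb").read()); the output mirrors klist -ke, and weak_entries tells you whether allow_weak_crypto is load-bearing for this keytab or can be dropped.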
    

Error: kinit(v5): No such file or directory while getting initial credentials

The path given to -t does not point at your keytab file.

Error: kinit(v5): Client not found in Kerberos database.

Make sure that there is exactly one account in AD carrying the SPN HTTP/host@REALM. If more than one account has the SPN, authentication will fail (setspn -X lists duplicate SPNs across the forest). You can issue these commands to verify:

# either
setspn -Q HTTP/oamserver.corp.domain.com
ldifde -f c:\upn_out.txt -d "DC=domain,DC=com" -l * -r "(userprincipalname=HTTP/oamserver.corp.domain.com@CORP.DOMAIN.COM)" -p subtree -s addc1.corp.domain.com
# or
kinit [username]
# or
kinit HTTP/host@REALM