itagsupport
Level 9

Problem with Kerberos with IP-address in keytab file and Browser-setting

Hi,

We have a problem when we want to use the IP address of the MWG7 proxy in the browser settings while using Kerberos authentication.

PS C:\Users\administrator.INFO-TRUST> ktpass -princ HTTP/test-gate.it.intra@IT.INTRA -mapuser IT\mwgsevenuser -pass xxxxx -ptype KRB5_NT_PRINCIPAL -crypto All -out mwg7.keytab
Targeting domain controller: test-DC.it.intra
Successfully mapped HTTP/test-gate.it.intra to mwgsevenuser.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to mwg7.keytab:
Keytab version: 0x502
keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0x684fcbd575b60ed0)
keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x684fcbd575b60ed0)
keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0x72f6e8e9814feb49fdaa3976219ab33b)
keysize 101 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0xa397dfcd1ab1967b1c79bd6118f929877e7e227637aa425d27acfc10dea7b54c)
keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0x59f589d3e3ba713c5fe5e4cd3cffb131)
PS C:\Users\administrator.INFO-TRUST> setspn -a HTTP/10.0.128.228@IT.INTRA mwgsevenuser
Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=it,DC=intra
        HTTP/10.0.128.228@IT.INTRA
Updated object


[root@mwgappl sbin]# /usr/kerberos/bin/klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
[root@mwgappl sbin]# /usr/kerberos/sbin/ktutil
ktutil:  add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5
Key for HTTP/10.0.128.228@IT.INTRA (hex): 684fcbd575b60ed0
ktutil:  wkt /etc/krb5.mwg.keytab
ktutil:  q
[root@mwgappl sbin]# /usr/kerberos/bin/klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/10.0.128.228@IT.INTRA
  

If I set the proxy to test-gate.it.intra in the browser settings of IE8 and Firefox it works, but if I use the IP 10.0.128.228 the authentication doesn't work:


[2012-03-22 16:12:16.979 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
[2012-03-22 16:12:27.506 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
[2012-03-22 16:12:31.143 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'

we have this issue in our testlab and in two customer-systems. All use the newest MWG 7.1.6 and Windows Server 2008 Active Directory.

What's wrong?

kind regards

Patrick

Message edited by itagsupport on 23.03.12 11:03:22 CET

Message edited by itagsupport on 23.03.12 11:04:46 CET
10 Replies
McAfee Employee

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Hi Patrick!

In the setspn command, the REALM (IT.INTRA) was included:

setspn -a HTTP/10.0.128.228@IT.INTRA mwgsevenuser

It should not include the REALM:

setspn -a HTTP/10.0.128.228 mwgsevenuser

See: https://community.mcafee.com/docs/DOC-2682#Commands_to_run_on_the_AD_server

Best Regards,

Jon

McAfee Employee

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

My screenshot in my document is incorrect, and I will fix that when I get a chance, but the commands in text are correct.

To clarify further, you MUST include the REALM for the command run on the MWG (which you did properly):

add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5

Best,

Jon

Message was edited by: jscholte on 3/23/12 2:06:11 PM CDT
itagsupport
Level 9

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Hi Jon,

I have tried it again, but it didn't work.

On the Active Directory I set:

setspn -a HTTP/10.0.128.228 mwgsevenuser
Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=info-trust,DC=intra
        HTTP/10.0.128.228
Updated object
PS C:\Users\administrator.INFO-TRUST>

On the Gateway:

Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 HTTP/test-gate.it.intra@IT.INTRA
   6 HTTP/test-gate.it.intra@IT.INTRA
   6 HTTP/test-gate.it.intra@IT.INTRA
   6 HTTP/test-gate.it.intra@IT.INTRA
   6 HTTP/test-gate.it.intra@IT.INTRA
   6 HTTP/10.0.128.228@IT.INTRA
[root@test-gate06 ~]#

The Kerberos authentication didn't work:

[2012-03-26 13:38:18.027 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
[2012-03-26 13:38:18.027 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
[2012-03-26 13:38:37.567 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
[2012-03-26 13:38:37.568 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'

If I try to use: ktutil:  add_entry -key -p HTTP/10.0.129.238 -k 6 -e DES-CBC-MD5 it also didn't work.

kind regards

Patrick

McAfee Employee

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

This seems fishy.

Did you modify the /etc/mwg.krb5.keytab directly? You can't modify the /etc/mwg.krb5.keytab file directly because it is in use by the MWG (which explains why the ktutil command didn't work).

The 'Key table entry not found' means that the client made a request for a service (10.0.128.223) that the Web Gateway's keytab did not know about.

~Jon

itagsupport
Level 9

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Hello,

I have tested again. It didn't work.

On the Active Directory:

PS C:\Users\administrator.INFO-TRUST> ktpass -princ HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA -mapuser INFO-TRUST\mwgseven -pass xxx -ptype KRB5_NT_PRINCIPAL -crypto All -out mwg7.keytab
Targeting domain controller: test-DC01.info-trust.intra
Successfully mapped HTTP/test-gate06.info-trust.intra to mwgseven.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to mwg7.keytab:
Keytab version: 0x502
keysize 77 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x1 (DES-CBC-CRC) keylength 8 (0x684fcbd575b60ed0)
keysize 77 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x684fcbd575b60ed0)
keysize 85 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x72f6e8e9814feb49fdaa3976219ab33b)
keysize 101 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x12 (AES256-SHA1) keylength 32 (0xa397dfcd1ab1967b1c79bd6118f929877e7e227637aa425d27acfc10dea7b54c)
keysize 85 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x11 (AES128-SHA1) keylength 16 (0x59f589d3e3ba713c5fe5e4cd3cffb131)
PS C:\Users\administrator.INFO-TRUST> setspn -a HTTP/10.0.129.238 mwgseven
Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=info-trust,DC=intra
        HTTP/10.0.129.238
Updated object

On the MWG7:

[root@test-gate06 ~]# /usr/kerberos/sbin/ktutil /root/mwg7.keytab
ktutil:  add_entry -key -p HTTP/10.0.129.238@INFO-TRUST.INTRA -k 7 -e DES-CBC-MD5
Key for HTTP/10.0.129.238@INFO-TRUST.INTRA (hex): 684fcbd575b60ed0
ktutil:  wkt /root/mwg7.keytab
ktutil:  q
[root@test-gate06 ~]# /usr/kerberos/bin/klist -k /root/mwg7.keytab
Keytab name: FILE:/root/mwg7.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/10.0.129.238@INFO-TRUST.INTRA

After that I copied /root/mwg7.keytab to the desktop and uploaded it to the MWG7 via the GUI.

After that I did a restart of the MWG7 and checked it:

[root@test-gate06 ~]# /usr/kerberos/bin/klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
   7 HTTP/10.0.129.238@INFO-TRUST.INTRA

But if I use 10.0.129.238 in the proxy settings:

[2012-04-03 17:06:35.693 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
[2012-04-03 17:07:08.196 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
[2012-04-03 17:07:08.196 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'

Don't care about the new domain; it's all correct. If I use test-gate06.info-trust.intra in the browser, the Kerberos authentication works.

kind regards

Patrick

McAfee Employee

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Hi Patrick,

Open up a case, have a feedback ready, as well as the following:

1. Ldifde (run on DC):

ldifde -f c:\dump.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

ldifde -f c:\dump2.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

OR

ldifde -f c:\dump.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

ldifde -f c:\dump2.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

2. Run on MWG:

klist -k /etc/krb5.mwg.keytab

3. Capture run using Wireshark on the client (this is used to see what ticket the client receives from the KDC).

The message "Key table entry not found" indicates the keytab does not have an entry for the ticket it received from the client. So something is out of sync.

~Jon

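The two things Jon asks to compare above (what `klist -k` shows in the keytab versus what the ldifde query returns for the account, i.e. its SPNs and msDS-KeyVersionNumber) can be checked mechanically, and the same script makes the realm point from Jon's first two replies concrete: the SPN registered with setspn carries no realm, while the keytab principal must carry one. The following is an added example and is not code from this thread, from McAfee or from the MIT Kerberos distribution. It parses a version 0x502 keytab (the format ktpass and ktutil write), reads a minimal ldifde dump, and reports SPNs the keytab cannot serve. The keytab bytes and the LDIF text are constructed for the example; the account and SPN names are the ones from the posts, and the DES key is the value printed in the thread's ktpass output.

```python
# Added example, not code from the thread, from McAfee or from MIT Kerberos:
# parse a version-0x502 keytab (the format ktpass and ktutil write) and check
# it against the servicePrincipalName / msDS-KeyVersionNumber values that the
# ldifde query exports. The sample keytab and LDIF below are constructed.
import struct

def _counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)      # uint16 length + octets
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """One dict per entry: principal (with @REALM), kvno, etype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        # name type, timestamp, 8-bit kvno, enctype, key length: 13 bytes
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key, off = data[off:off + klen], off + klen
        # optional trailing 32-bit kvno overrides the 8-bit one when non-zero
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "etype": etype, "key": key})
        off = end
    return entries

def build_keytab(entries):
    """Inverse of parse_keytab: (principal, kvno, etype, key) tuples -> bytes."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_ldif(text):
    """Minimal ldifde reader: blank line ends a record, repeated attribute lines
    are multi-valued; '::' base64 values and folded lines are not handled."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return records

def check_keytab_against_ad(entries, records, realm):
    """SPNs on the AD account that the keytab cannot serve (missing or wrong kvno)."""
    have = {}
    for e in entries:
        have.setdefault(e["principal"], set()).add(e["kvno"])
    problems = []
    for rec in records:
        ad_kvno = int(rec["msDS-KeyVersionNumber"][0])
        for spn in rec.get("servicePrincipalName", []):
            principal = spn + "@" + realm    # AD SPN has no realm, keytab principal does
            if principal not in have:
                problems.append("missing in keytab: " + principal)
            elif ad_kvno not in have[principal]:
                problems.append("kvno mismatch for %s: AD=%d keytab=%s"
                                % (principal, ad_kvno, sorted(have[principal])))
    return problems

# Constructed sample: IP principal added with a stale kvno (6) after a password
# reset moved the account to 7; a second IP SPN has no keytab entry at all.
DES_KEY = bytes.fromhex("684fcbd575b60ed0")   # DES-CBC-MD5 key printed in the thread
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA", 7, 3, DES_KEY),
    ("HTTP/10.0.129.238@INFO-TRUST.INTRA", 6, 3, DES_KEY),
])
SAMPLE_LDIF = """\
dn: CN=MWG7 for Kerberos,CN=Users,DC=info-trust,DC=intra
sAMAccountName: mwgseven
msDS-KeyVersionNumber: 7
servicePrincipalName: HTTP/test-gate06.info-trust.intra
servicePrincipalName: HTTP/10.0.129.238
servicePrincipalName: HTTP/10.0.128.228
"""
```

Against a real system, feed `parse_keytab(open("/etc/krb5.mwg.keytab", "rb").read())` and the text of the ldifde dump to `check_keytab_against_ad`; an empty result means every SPN on the account has a key with the current kvno, so a remaining "Key table entry not found" points at the ticket itself (wrong SPN or enctype in the client's request, which the Wireshark capture from step 3 will show). Two caveats: ldifde may write Unicode output and base64-encodes some values with `::`, which this minimal reader does not decode, and the MWG acceptor also requires the enctype of the ticket to be present, which this check does not cover. Separately, the Windows Kerberos client did not request tickets for IP-address SPNs at all before Windows 10 and Windows Server 2016 (where the TryIPSPN setting was introduced), so a 2012-era client pointed at the proxy's IP address will generally fall back to NTLM inside the Negotiate token, which would be consistent with the SPNEGOExtractNegotiateToken failures in the first post rather than with a keytab problem.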
poma
Level 7

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Absolutely the same problem.

Not solved.

Use only FQDN and hostname as proxy settings.

Maybe this is a limitation of the security policy of Active Directory?

Message was edited by: poma on 12/7/12 7:01:17 AM CST
McAfee Employee

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Hi Poma,

Are you able to gather any of the troubleshooting information? Please see the above commands for reference as well as my Kerberos guide (it has A LOT of debugging and explanations).

Kerberos guide:

https://community.mcafee.com/docs/DOC-2682

This should not be a limitation of active directory. I have had this working in my environment.

Traditionally though, it is not general practice in Kerberos to use IP addresses (not that it isn't possible).

Best,

Jon

acentler
Level 7

Re: Problem with Kerberos with IP-address in keytab file and Browser-setting

Any luck with the IP address? Running into similar issues here, where with the hostname it works like a champ but the IP fails. BTW, excellent guide, Jon.
