dcaffrey
Level 10

Syntax of Domain to Kerberos Realm Mapping

Hi,

I'm trying to set up Kerberos authentication with AD. I've used ktpass to create the keytab file and set the Kerberos realm, but I'm unsure what to put in for the Domain to Kerberos Realm Mapping. Could anyone please give an example of the syntax?


Thanks,

Dec

0 Kudos
4 Replies
McAfee Employee

Re: Syntax of Domain to Kerberos Realm Mapping

Hi,

Not sure if the attached answers your question, but it contains an unofficial collection of helpful information.

best,

Michael

0 Kudos
dcaffrey
Level 10

Re: Syntax of Domain to Kerberos Realm Mapping

Hi Michael,

Thanks for the document, I'll have a read to see if it has any info on my question.

Dec

0 Kudos
Troja
Level 14

Re: Syntax of Domain to Kerberos Realm Mapping

Hi Michael,

I also have trouble with Kerberos authentication. I tried several settings, but there is no change.

1) I defined the users as described in the PDF file, activated DES encryption, changed the password and waited for a while. User: ww7proxy1 Domain: springfield.test

2) Started the ktpass utility: ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out ww7proxy1.keytab

I also tried:

ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser  ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -out ww7proxy1.keytab

ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser  ww7proxy1 -pass xxxxxx -crypto DES-CBC-MD5 -out ww7proxy1.keytab

I got the following output: (with all three command lines described above)

ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out ww7proxy1.keytab

Targeting domain controller: springfielddc.springfield.test
Using legacy password setting method
Successfully mapped HTTP/ww7proxy1 to ww7proxy1.
Key created.
Output keytab to ww7proxy1.keytab:
Keytab version: 0x502
keysize 58 HTTP/ww7proxy1@SPRINGFIELD.TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5)
keylength 8 (0x0b5d515e106e80d5)

3. I imported the file into WebGateway

- Path to keytab file

- Kerberos Realm: SPRINGFIELD.TEST

After saving the settings I got no error message.

klist -k shows the following output:

[root@ww7proxy1 bin]# klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/ww7proxy1@SPRINGFIELD.TEST
[root@ww7proxy1 bin]#

5. I defined an Authentication Engine for Kerberos: Policy -> Settings -> Authentication.

I'm not able to test in the GUI if Kerberos is working. Kerberos is NOT working with my MWG7 Proxy.

Any ideas??

Cheers,

Thorsten

0 Kudos
McAfee Employee

Re: Syntax of Domain to Kerberos Realm Mapping

If anyone is still looking for an answer here, I just published a new guide talking about all things Kerberos:

https://community.mcafee.com/docs/DOC-2682

~Jon

0 Kudos