4 Replies Latest reply on Jun 24, 2011 10:05 AM by Jon Scholten

    Syntax of Domain to Kerberos Realm Mapping

    dcaffrey

      Hi,

      I'm trying to set up Kerberos authentication with AD. I've used ktpass to create the keytab file and set the Kerberos realm, but I'm unsure what to put in for the Domain to Kerberos Realm Mapping. Could anyone please give an example of the syntax?


      Thanks,

       

      Dec

        • 1. Re: Syntax of Domain to Kerberos Realm Mapping
          michael_schneider

          Hi,

           

          Not sure if the attached answers your question, but it contains an unofficial collection of helpful information.

           

          best,

          Michael

          • 2. Re: Syntax of Domain to Kerberos Realm Mapping
            dcaffrey

            Hi Michael,

            Thanks for the document, I'll have a read to see if it has any info on my question.

            Dec

            • 3. Re: Syntax of Domain to Kerberos Realm Mapping
              Troja

              Hi Michael,

              I also have trouble with Kerberos authentication. I tried several settings, but there is no change.

               

              1) I defined the users as described in the PDF file, activated DES encryption, changed the password and waited for a while. User: ww7proxy1 Domain: springfield.test

              2) Started the ktpass utility: ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out ww7proxy1.keytab

              I also tried:

              ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser  ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -out ww7proxy1.keytab

              ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser  ww7proxy1 -pass xxxxxx -crypto DES-CBC-MD5 -out ww7proxy1.keytab

               

              I got the following output: (with all three command lines described above)

              ktpass -princ HTTP/ww7proxy1@SPRINGFIELD.TEST -mapuser ww7proxy1@SPRINGFIELD.TEST -pass xxxxxx -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out ww7proxy1.keytab

               

              Targeting domain controller: springfielddc.springfield.test
              Using legacy password setting method
              Successfully mapped HTTP/ww7proxy1 to ww7proxy1.
              Key created.
              Output keytab to ww7proxy1.keytab:
              Keytab version: 0x502
              keysize 58 HTTP/ww7proxy1@SPRINGFIELD.TEST ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5)
              keylength 8 (0x0b5d515e106e80d5)

               

              3. I imported the file into WebGateway

              - Path to keytab file

              - Kerberos Realm: SPRINGFIELD.TEST

               

              After saving settings I got no error message.

               

              klist -k shows the following output

              [root@ww7proxy1 bin]# klist -k
              Keytab name: FILE:/etc/krb5.mwg.keytab
              KVNO Principal
              ---- --------------------------------------------------------------------------
                 4 HTTP/ww7proxy1@SPRINGFIELD.TEST
              [root@ww7proxy1 bin]#

               

              5. I defined an Authentication Engine for Kerberos: Policy -> Settings -> Authentication.

               

               

              I'm not able to test in the GUI if Kerberos is working. Kerberos is NOT working with my MWG7 Proxy.

               

              Any ideas??

               

              Cheers,

              Thorsten
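
An added example, not part of the post above and not the vendor's tooling: a parser for the version 0x502 keytab layout that ktpass reports, listing each entry's principal, key version and etype, and flagging DES etypes and a key version that differs from the one expected. The post shows vno 5 from ktpass and KVNO 4 from klist -k, so both values are useful inputs for `expected_kvno`. The function names and `expected_kvno` are assumptions of this example, and the sample keytab is constructed with zeroed key bytes.

```python
import struct

WEAK_ETYPES = {1: "DES-CBC-CRC", 2: "DES-CBC-MD4", 3: "DES-CBC-MD5"}

def parse_keytab(data):
    """Return one dict per entry of a version 0x502 (big-endian) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    def take(fmt):                       # read one field, advance the cursor
        nonlocal pos
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value
    def take_bytes():                    # 16-bit length, then that many bytes
        return take(f">{take('>H')}s")
    while pos + 4 <= len(data):
        size = take(">i")
        end = pos + abs(size)
        if size > 0:                     # a negative size marks a deleted slot
            ncomp = take(">H")           # in 0x502 the count excludes the realm
            realm = take_bytes().decode()
            name = "/".join(take_bytes().decode() for _ in range(ncomp))
            take(">I"); take(">I")       # name type and timestamp, not used here
            kvno, etype, key = take(">B"), take(">H"), take_bytes()
            if pos > end or end > len(data):
                raise ValueError("entry fields do not fit the entry size")
            if end - pos >= 4:           # optional 32-bit kvno, 0 means unset
                kvno = take(">I") or kvno
            entries.append({"principal": f"{name}@{realm}", "kvno": kvno,
                            "etype": etype, "keylen": len(key)})
        pos = end
    return entries

def audit(entries, expected_kvno):       # flag DES keys and kvno mismatches
    findings = []
    for e in entries:
        if e["etype"] in WEAK_ETYPES:
            findings.append(f"{e['principal']}: weak etype {WEAK_ETYPES[e['etype']]}")
        if e["kvno"] != expected_kvno:
            findings.append(f"{e['principal']}: kvno {e['kvno']}, expected {expected_kvno}")
    return findings

def sample_keytab():
    """Constructed input mirroring the ktpass output above; key bytes are zeros."""
    s = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + s(b"SPRINGFIELD.TEST") + s(b"HTTP")
             + s(b"ww7proxy1") + struct.pack(">IIBH", 1, 0, 5, 3) + s(bytes(8)))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry
```

For a real file, pass `open(path, "rb").read()` to `parse_keytab` and give `audit` the key version the KDC currently holds for the mapped account.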

              • 4. Re: Syntax of Domain to Kerberos Realm Mapping
                Jon Scholten

                If anyone is still looking for an answer here, I just published a new guide talking about all things Kerberos:

                https://community.mcafee.com/docs/DOC-2682

                 

                ~Jon