10 Replies. Latest reply: Jan 22, 2013 9:16 AM by Jon Scholten

    Problem with Kerberos with IP-address in keytab file and Browser-setting

    itagsupport

      Hi,

      We have a problem when we want to use the IP address of the MWG7 proxy in the browser settings together with Kerberos authentication.

      PS C:\Users\administrator.INFO-TRUST> ktpass -princ HTTP/test-gate.it.
      intra@IT.INTRA -mapuser IT\mwgsevenuser -pass xxxxx -ptype K
      RB5_NT_PRINCIPAL -crypto All -out mwg7.keytab
      Targeting domain controller: test-DC.it.intra
      Successfully mapped HTTP/test-gate.it.intra to mwgsevenuser.
      Password succesfully set!
      Key created.
      Key created.
      Key created.
      Key created.
      Key created.
      Output keytab to mwg7.keytab:
      Keytab version: 0x502
      keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_P
      RINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0x684fcbd575b60ed0)
      keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_P
      RINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x684fcbd575b60ed0)
      keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_P
      RINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0x72f6e8e9814feb49fdaa397621
      9ab33b)
      keysize 101 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_
      PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0xa397dfcd1ab1967b1c79bd
      6118f929877e7e227637aa425d27acfc10dea7b54c)
      keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_P
      RINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0x59f589d3e3ba713c5fe5e4c
      d3cffb131)
      PS C:\Users\administrator.INFO-TRUST> setspn -a HTTP/10.0.128.228@IT.INT
      RA mwgsevenuser
      Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=it,DC=intra
              HTTP/10.0.128.228@IT.INTRA
      Updated object


      [root@mwgappl sbin]# /usr/kerberos/bin/klist -k
      Keytab name: FILE:/etc/krb5.mwg.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
      [root@mwgappl sbin]# /usr/kerberos/sbin/ktutil
      ktutil:  add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5
      Key for HTTP/10.0.128.228@IT.INTRA (hex): 684fcbd575b60ed0
      ktutil:  wkt /etc/krb5.mwg.keytab
      ktutil:  q
      [root@mwgappl sbin]# /usr/kerberos/bin/klist -k
      Keytab name: FILE:/etc/krb5.mwg.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/test-gate.it.intra@IT.INTRA
         5 HTTP/10.0.128.228@IT.INTRA

      If I set the proxy to test-gate.it.intra in the browser settings of IE8 and Firefox it works, but if I use the IP 10.0.128.228 the authentication doesn't work:

      [2012-03-22 16:12:16.979 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
      [2012-03-22 16:12:27.506 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
      [2012-03-22 16:12:31.143 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'

      We have this issue in our test lab and in two customer systems. All use the newest MWG 7.1.6 and Windows Server 2008 Active Directory.

      What's wrong?

      Kind regards

      Patrick

      Message was edited by: itagsupport on 23.03.12 11:03:22 MEZ

      Message was edited by: itagsupport on 23.03.12 11:04:46 MEZ
        • 1. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
          Jon Scholten

          Hi Patrick!

          In the setspn command, the REALM (IT.INTRA) was included:

          setspn -a HTTP/10.0.128.228@IT.INTRA mwgsevenuser

          It should not include the REALM:

          setspn -a HTTP/10.0.128.228 mwgsevenuser

          See: https://community.mcafee.com/docs/DOC-2682#Commands_to_run_on_the_AD_server

          Best Regards,

          Jon

          • 2. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
            Jon Scholten

            My screenshot in my document is incorrect, and I will fix that when I get a chance, but the commands in the text are correct.

            To clarify further, you MUST include the REALM for the command run on the MWG (which you did properly):

            add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5

            Best,

            Jon

            Message was edited by: jscholte on 3/23/12 2:06:11 PM CDT
            • 3. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
              itagsupport

              Hi Jon,

              I have tried it again, but it didn't work.

              On the Active Directory I set:

              setspn -a HTTP/10.0.128.228 mwgsevenuser
              Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=info-trus
              t,DC=intra
                      HTTP/10.0.128.228
              Updated object
              PS C:\Users\administrator.INFO-TRUST>

              On the Gateway:

              Keytab name: FILE:/etc/krb5.mwg.keytab
              KVNO Principal
              ---- --------------------------------------------------------------------------
                 6 HTTP/test-gate.it.intra@IT.INTRA
                 6 HTTP/test-gate.it.intra@IT.INTRA
                 6 HTTP/test-gate.it.intra@IT.INTRA
                 6 HTTP/test-gate.it.intra@IT.INTRA
                 6 HTTP/test-gate.it.intra@IT.INTRA
                 6 HTTP/10.0.128.228@IT.INTRA
              [root@test-gate06 ~]#

              The Kerberos authentication didn't work:

              [2012-03-26 13:38:18.027 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
              [2012-03-26 13:38:18.027 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
              [2012-03-26 13:38:37.567 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
              [2012-03-26 13:38:37.568 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'

              If I try to use: ktutil:  add_entry -key -p HTTP/10.0.129.238 -k 6 -e DES-CBC-MD5 it also didn't work.

              Kind regards

              Patrick

              • 4. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                Jon Scholten

                This seems fishy.

                Did you modify the /etc/mwg.krb5.keytab directly? You can't modify the /etc/mwg.krb5.keytab file directly because it is in use by the MWG (which explains why the ktutil command didn't work).

                The 'Key table entry not found' means that the client made a request for a service (10.0.128.223) that the Web Gateway's keytab did not know about.

                ~Jon

                • 5. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                  itagsupport

                  Hello,

                  I have tested again. It didn't work.

                  On the Active Directory:

                  PS C:\Users\administrator.INFO-TRUST> ktpass -princ HTTP/test-gate06.info-trust.
                  intra@INFO-TRUST.INTRA -mapuser INFO-TRUST\mwgseven -pass xxx -ptype K
                  RB5_NT_PRINCIPAL -crypto All -out mwg7.keytab
                  Targeting domain controller: test-DC01.info-trust.intra
                  Successfully mapped HTTP/test-gate06.info-trust.intra to mwgseven.
                  Password succesfully set!
                  Key created.
                  Key created.
                  Key created.
                  Key created.
                  Key created.
                  Output keytab to mwg7.keytab:
                  Keytab version: 0x502
                  keysize 77 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_P
                  RINCIPAL) vno 7 etype 0x1 (DES-CBC-CRC) keylength 8 (0x684fcbd575b60ed0)
                  keysize 77 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_P
                  RINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x684fcbd575b60ed0)
                  keysize 85 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_P
                  RINCIPAL) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x72f6e8e9814feb49fdaa397621
                  9ab33b)
                  keysize 101 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_
                  PRINCIPAL) vno 7 etype 0x12 (AES256-SHA1) keylength 32 (0xa397dfcd1ab1967b1c79bd
                  6118f929877e7e227637aa425d27acfc10dea7b54c)
                  keysize 85 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA ptype 1 (KRB5_NT_P
                  RINCIPAL) vno 7 etype 0x11 (AES128-SHA1) keylength 16 (0x59f589d3e3ba713c5fe5e4c
                  d3cffb131)
                  PS C:\Users\administrator.INFO-TRUST> setspn -a HTTP/10.0.129.238 mwgseven
                  Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=info-trus
                  t,DC=intra
                          HTTP/10.0.129.238
                  Updated object

                  On the MWG7:

                  [root@test-gate06 ~]# /usr/kerberos/sbin/ktutil /root/mwg7.keytab
                  ktutil:  add_entry -key -p HTTP/10.0.129.238@INFO-TRUST.INTRA -k 7 -e DES-CBC-MD5
                  Key for HTTP/10.0.129.238@INFO-TRUST.INTRA (hex): 684fcbd575b60ed0
                  ktutil:  wkt /root/mwg7.keytab
                  ktutil:  q
                  [root@test-gate06 ~]# /usr/kerberos/bin/klist -k /root/mwg7.keytab
                  Keytab name: FILE:/root/mwg7.keytab
                  KVNO Principal
                  ---- --------------------------------------------------------------------------
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/10.0.129.238@INFO-TRUST.INTRA

                  After that I copied the /root/mwg7.keytab to the desktop and uploaded it to the MWG7 via the GUI.

                  After that I did a restart of the MWG7 and checked it:

                  [root@test-gate06 ~]# /usr/kerberos/bin/klist -k
                  Keytab name: FILE:/etc/krb5.mwg.keytab
                  KVNO Principal
                  ---- --------------------------------------------------------------------------
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA
                     7 HTTP/10.0.129.238@INFO-TRUST.INTRA

                  But if I use 10.0.129.238 in the proxy settings:

                  [2012-04-03 17:06:35.693 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'
                  [2012-04-03 17:07:08.196 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'
                  [2012-04-03 17:07:08.196 +02:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Key table entry not found'

                  Don't care about the new domain, it's all correct. If I use test-gate06.info-trust.intra in the browser the Kerberos authentication works.

                  Kind regards

                  Patrick

                  • 6. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                    Jon Scholten

                    Hi Patrick,

                    Open up a case, have a feedback ready, as well as the following:

                    1. Ldifde (run on DC):

                    ldifde -f c:\dump.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

                    ldifde -f c:\dump2.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

                    OR

                    ldifde -f c:\dump.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

                    ldifde -f c:\dump2.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

                    2. Run on MWG:

                    klist -k /etc/krb5.mwg.keytab

                    3. Capture run using Wireshark on the client (this is used to see what ticket the client receives from the KDC).

                    The message "Key table entry not found" indicates the keytab does not have an entry for the ticket which it received from the client. So something is out of sync.

                    ~Jon
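
Jon's checklist comes down to comparing what the keytab actually contains against the SPN and key version in the ticket the client presents. The following is an added Python example, not code from the thread or from McAfee: a parser for MIT keytab format 0x502 that lists entries the way `klist -k -e` does and reports whether a given SPN and kvno are present. The sample keytab is constructed here with dummy all-zero keys and the principal names from this thread; `build_entry`, `parse_keytab` and `check_spn` are this example's own names.

```python
import struct

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def build_entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Encode one MIT keytab (format 0x502) entry; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode()) + b"".join(_counted(c.encode()) for c in comps)
    # name type 1 (KRB5_NT_PRINCIPAL), timestamp 0, 8-bit vno, etype, key, then the trailing 32-bit vno
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, kvno, etype), ...] for every live entry, like `klist -k -e`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a slot deleted by ktutil: skip it
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, names = 2, []
        for _ in range(ncomp + 1):  # realm first, then each name component
            (n,) = struct.unpack_from(">H", entry, off)
            names.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8  # skip name type and timestamp
        vno8, (etype, klen) = entry[off], struct.unpack_from(">HH", entry, off + 1)
        off += 5 + klen  # past vno8, etype, key length and the key itself
        kvno = struct.unpack_from(">I", entry, off)[0] if off + 4 <= size else vno8
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def check_spn(data: bytes, spn: str, kvno: int) -> str:
    """Say how a ticket for spn at key version kvno would fare against this keytab."""
    have = sorted({k for p, k, _ in parse_keytab(data) if p == spn})
    if not have:
        return "not found: no keytab entry for " + spn
    if kvno not in have:
        return "kvno mismatch: keytab has %s, ticket has %d" % (have, kvno)
    return "ok: %s present at kvno %d" % (spn, kvno)

# Constructed sample mirroring the thread: the FQDN SPN with five etypes and the IP SPN
# with one DES-CBC-MD5 (etype 3) key, all at kvno 7; key bytes are dummy zeros.
FQDN, IP_SPN = "HTTP/test-gate06.info-trust.intra@INFO-TRUST.INTRA", "HTTP/10.0.129.238@INFO-TRUST.INTRA"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(FQDN, 7, et, b"\x00" * n) for et, n in [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)]
) + build_entry(IP_SPN, 7, 3, b"\x00" * 8)
```

Run `parse_keytab` over a copy of the real keytab and compare the kvno column with the msds-keyversionnumber attribute from the ldifde dump above; the KDC issues tickets for the account's current key version, so the two must agree.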

                    • 7. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                      poma

                      Absolutely the same problem.

                      Not solved.

                      Use only FQDN and hostname as proxy settings.

                      Maybe this is a limitation of the security policy of Active Directory?

                      Message was edited by: poma on 12/7/12 7:01:17 AM CST
                      • 8. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                        Jon Scholten

                        Hi Poma,

                        Are you able to gather any of the troubleshooting information? Please see the commands above for reference, as well as my Kerberos guide (it has A LOT of debugging and explanations).

                        Kerberos guide:

                        https://community.mcafee.com/docs/DOC-2682

                        This should not be a limitation of Active Directory. I have had this working in my environment.

                        Traditionally though, it is not generally a practice in Kerberos to use IP addresses (not that it isn't possible).

                        Best,

                        Jon

                        • 9. Re: Problem with Kerberos with IP-address in keytab file and Browser-setting
                          acentler

                          Any luck with the IP address? Running into similar issues here where with the hostname it works like a champ but the IP fails. BTW, excellent guide Jon.
