2775 Views 10 Replies Latest reply: Jan 22, 2013 9:16 AM by Jon Scholten
itagsupport Apprentice 77 posts since
Aug 27, 2010

Mar 23, 2012 5:04 AM

Problem with Kerberos with IP address in keytab file and browser setting

Hi,

We have a problem if we want to use the IP address of the MWG7 proxy in the browser settings when we use Kerberos authentication.

PS C:\Users\administrator.INFO-TRUST> ktpass -princ HTTP/test-gate.it.intra@IT.INTRA -mapuser IT\mwgsevenuser -pass xxxxx -ptype KRB5_NT_PRINCIPAL -crypto All -out mwg7.keytab
Targeting domain controller: test-DC.it.intra
Successfully mapped HTTP/test-gate.it.intra to mwgsevenuser.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to mwg7.keytab:
Keytab version: 0x502
keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x1 (DES-CBC-CRC) keylength 8 (0x684fcbd575b60ed0)
keysize 77 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x684fcbd575b60ed0)
keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0x72f6e8e9814feb49fdaa3976219ab33b)
keysize 101 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x12 (AES256-SHA1) keylength 32 (0xa397dfcd1ab1967b1c79bd6118f929877e7e227637aa425d27acfc10dea7b54c)
keysize 85 HTTP/test-gate.it.intra@IT.INTRA ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x11 (AES128-SHA1) keylength 16 (0x59f589d3e3ba713c5fe5e4cd3cffb131)
PS C:\Users\administrator.INFO-TRUST> setspn -a HTTP/10.0.128.228@IT.INTRA mwgsevenuser
Registering ServicePrincipalNames for CN=MWG7 for Kerberos,CN=Users,DC=it,DC=intra
        HTTP/10.0.128.228@IT.INTRA
Updated object


[root@mwgappl sbin]# /usr/kerberos/bin/klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
[root@mwgappl sbin]# /usr/kerberos/sbin/ktutil
ktutil:  add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5
Key for HTTP/10.0.128.228@IT.INTRA (hex): 684fcbd575b60ed0
ktutil:  wkt /etc/krb5.mwg.keytab
ktutil:  q
[root@mwgappl sbin]# /usr/kerberos/bin/klist -k
Keytab name: FILE:/etc/krb5.mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/test-gate.it.intra@IT.INTRA
   5 HTTP/10.0.128.228@IT.INTRA

If I set the proxy to test-gate.it.intra in the browser settings of IE8 and Firefox it works, but if I use the IP 10.0.128.228 the authentication doesn't work:


[2012-03-22 16:12:16.979 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
[2012-03-22 16:12:27.506 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
[2012-03-22 16:12:31.143 +01:00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'

We have this issue in our test lab and in two customer systems. All use the newest MWG 7.1.6 and Windows Server 2008 Active Directory.

What's wrong?

Kind regards

Patrick

Message edited by itagsupport on 23.03.12 11:03:22 MEZ

Message edited by itagsupport on 23.03.12 11:04:46 MEZ
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Hi Patrick!

    In the setspn command, the REALM (IT.INTRA) was included:

    setspn -a HTTP/10.0.128.228@IT.INTRA mwgsevenuser

    It should not include the REALM:

    setspn -a HTTP/10.0.128.228 mwgsevenuser

    See: https://community.mcafee.com/docs/DOC-2682#Commands_to_run_on_the_AD_server

    Best Regards,

    Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    My screenshot in my document is incorrect, and I will fix that when I get a chance, but the commands in text are correct.

    To clarify further, you MUST include the REALM for the command run on the MWG (which you did properly):

    add_entry -key -p HTTP/10.0.128.228@IT.INTRA -k 5 -e DES-CBC-MD5

    Best,

    Jon

    Message was edited by: jscholte on 3/23/12 2:06:11 PM CDT
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    This seems fishy.

    Did you modify the /etc/mwg.krb5.keytab directly? You can't modify the /etc/mwg.krb5.keytab file directly because it is in use by the MWG (which explains why the ktutil command didn't work).

    The 'Key table entry not found' means that the client made a request for a service (10.0.128.223) that the Web Gateway's keytab did not know about.

    ~Jon

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Hi Patrick,

    Open up a case, have a feedback ready, as well as the following:

    1. Ldifde (run on DC):

    ldifde -f c:\dump.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

    ldifde -f c:\dump2.txt -t 3268 -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

    OR

    ldifde -f c:\dump.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*10.0.129.238*)"

    ldifde -f c:\dump2.txt -l dn,sAMAccountName,msds-keyversionnumber,serviceprincipalname,userprincipalname -p subtree -r "(serviceprincipalname=*test-gate*)"

    2. Run on MWG:

    klist -k /etc/krb5.mwg.keytab

    3. Capture run using Wireshark on the client (this is used to see what ticket the client receives from the KDC).

    The message "Key table entry not found" indicates the keytab does not have an entry for the ticket it received from the client. So something is out of sync.

    ~Jon
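
The check in step 2 above can be done offline as well. The following is an added example, not code from the thread or from the MWG product: a small Python reader for the MIT keytab format that the ktpass output identifies as version 0x502. It lists entries the way klist -k does and answers whether a given service principal, realm included, has any key in the file; the sample keytab is constructed to mirror the thread (only the FQDN principal is keyed, with placeholder key bytes), so a ticket for HTTP/10.0.128.228@IT.INTRA would find no matching entry.

```python
import struct
KRB5_NT_PRINCIPAL = 1  # "ptype 1" in the ktpass output
def _cstr(b):  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries):  # entries: (principal, kvno, etype, key) -> MIT keytab, version 0x502
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key                # keyblock
        body += struct.pack(">I", kvno)                                  # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):  # -> [(principal, kvno, etype)] in file order, like `klist -k`
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)            # a negative size marks a deleted slot, which is skipped
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _read_cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _read_cstr(data, pos)
                comps.append(comp)
            _ntype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen             # fixed fields plus the key bytes
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def has_spn(data, spn):  # does the keytab hold any key for this service principal (realm included)?
    return any(princ == spn for princ, _, _ in parse_keytab(data))

# Constructed sample modelled on the thread: the FQDN SPN is present, the IP-based SPN is not.
SAMPLE_KEYTAB = build_keytab([("HTTP/test-gate.it.intra@IT.INTRA", 5, 3, b"\x11" * 8),    # placeholder keys
                              ("HTTP/test-gate.it.intra@IT.INTRA", 5, 23, b"\x22" * 16)])
```

To run it against a real file, pass the bytes of the keytab (read in binary mode) to parse_keytab or has_spn; the etype numbers match those printed by ktpass (3 is DES-CBC-MD5, 23 is RC4-HMAC).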

  • poma Newcomer 11 posts since
    Apr 5, 2010

    Absolutely the same problem.

    Not solved.

    Use only FQDN and hostname as proxy settings.

    Maybe this is a limitation of the security policy of Active Directory?

    Message was edited by: poma on 12/7/12 7:01:17 AM CST
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Hi Poma,

    Are you able to gather any of the troubleshooting information? Please see the above commands for reference, as well as my Kerberos guide (it has A LOT of debugging and explanations).

    Kerberos guide:

    https://community.mcafee.com/docs/DOC-2682

    This should not be a limitation of Active Directory. I have had this working in my environment.

    Traditionally though, it is not generally a practice in Kerberos to use IP addresses (not that it isn't possible).

    Best,

    Jon

  • acentler Newcomer 2 posts since
    Jan 9, 2013

    Any luck with the IP address? Running into similar issues here: with the hostname it works like a champ, but the IP fails. BTW, excellent guide Jon.
