8 Replies Latest reply: Aug 22, 2014 9:50 AM by Jon Scholten

    Cluster HA and Kerberos

    zlob

      I have a 2-node cluster with NTLM authentication, MWG 7.3.2.

       

      I tried to add Kerberos but don't understand how to.

      The How To: Setup Kerberos Authentication on Web Gateway 7.x document doesn't have all the information.

      Does anyone have an idea? This is what I did:

      1. Created a keytab for node 1 with user 1 and added an SPN for the common name, not the VIP FQDN

      2. Same for node 2 with user 2 and its SPN

       

      On node 2 I have this error:

      [2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

      [2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Request is a replay'

      [2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

      [2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Request is a replay'

      [2014-08-06 15:19:24.716 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

        • 1. Re: Cluster HA and Kerberos
          Jon Scholten

          Hello!

           

          For MWG's in a HA pair, there is nothing special about the Kerberos configuration. You should only need one user account in AD, and one Keytab.

           

          It sounds like you created two users, and subsequently two keytabs. I would suggest deleting both and starting over (to eliminate any duplicates).

           

          You should create the one user, generate the single keytab, add any SPNs via the "setspn" command, and import the keytab into MWG.

           

          You should have no issues after doing this.

           

          The error you are showing, "request is a replay", seems very strange... however, I would still perform what I outlined, for simplicity's sake.

           

          Best,

          Jon

          • 2. Re: Cluster HA and Kerberos
            zlob

            You should create the one user, generate the single keytab, add any SPNs via the "setspn" command, and import the keytab into MWG.

            Import on both nodes?!

            • 3. Re: Cluster HA and Kerberos
              Jon Scholten

              Yes-sir-ee-zlob!

              • 4. Re: Cluster HA and Kerberos
                Jon Scholten

                Hi zlob,

                 

                Were you able to work through this? I saw that there was a support case on it.

                 

                Best,

                Jon

                • 5. Re: Cluster HA and Kerberos
                  zlob

                  Hello.

                  No answer from the support case.

                  • 6. Re: Cluster HA and Kerberos
                    Jon Scholten

                    Looks like you just uploaded some data today.

                     

                    I'll be sure to look at it with my colleague.

                     

                    Best,

                    Jon

                    • 7. Re: Cluster HA and Kerberos
                      zlob

                      Yesterday I found 4 accounts with an SPN on 1 name )))

                      The How To: Setup Kerberos Authentication on Web Gateway 7.x document needs a "How-To" added for Kerberos and cluster.

                      • 8. Re: Cluster HA and Kerberos
                        Jon Scholten

                        Hi Oleg,

                         

                        I'm aware, I worked with the end-customer to find the duplicates using ldifde and correct the issue. ;-)

                         

                        I don't believe a special section is needed for cluster configuration because, as I stated in the initial post, there is nothing unique about it. The VIP is just another name for the MWG, so it's just a matter of adding any additional SPNs to the user account.

                         

                        I adjusted the "Conclusion" section to state the following (adding the keyword "cluster" next to "pool"):

                        By the end of this document, you should understand how to set up Kerberos on MWG. If you have MWGs in a pool/cluster, you should still only need one keytab file and one user account in AD. All the aliases for the pool/cluster or individual MWGs can be added to the AD user account; no modification needs to be done to the keytab (unless you really want to). All necessary troubleshooting steps are listed in this document. Depending on the situation, klist output, ldifde output, and a client side capture will be the most useful.


                        Best,

                        Jon
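The thread ends with the root cause being several AD accounts carrying the same SPN, found by inspecting an ldifde export. As an added example (not part of the thread and not a McAfee or Microsoft tool), the Python script below does that check offline: it parses an LDIF export of accounts with a servicePrincipalName attribute and lists every SPN that is registered on more than one account. The ldifde command line in the docstring, the output file name, and all account and host names are assumptions; the sample export embedded in the script is constructed for the demonstration.

```python
"""List SPNs that are registered on more than one Active Directory account.

Added example, not from the original thread or any vendor tool. It assumes an
LDIF export of the kind produced by (file name is an assumption):

    ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName

Two LDIF details matter for a correct parse: long values are folded onto a
following line that starts with one space, and values that are not safe
ASCII are written base64-encoded after a double colon ("attr:: <base64>").
Both cases are handled below, and SPNs are compared case-insensitively,
because AD treats them that way when it checks for duplicates.
"""
import base64
from collections import defaultdict

# Constructed sample export. The SPN HTTP/proxy.example.com (think of it as the
# cluster VIP name) appears on two accounts: plainly on the first, folded across
# two lines on the second. The second account also has a base64-encoded SPN.
SAMPLE_LDIF = """\
dn: CN=mwg-krb,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/proxy.example.com
servicePrincipalName: HTTP/mwg-node1.example.com

dn: CN=mwg-old,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/proxy.e
 xample.com
servicePrincipalName:: SFRUUC9td2ctbm9kZTIuZXhhbXBsZS5jb20=

dn: CN=svc-other,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: host/other.example.com
"""


def parse_ldif(text):
    """Return a list of (dn, [spn, ...]) tuples, one per LDIF entry."""
    # Unfold continuation lines: a line beginning with a single space
    # continues the previous logical line (RFC 2849).
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    dn, spns = None, []
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "serviceprincipalname":
            spns.append(value)
    return entries


def duplicate_spns(text):
    """Map each SPN (lower-cased) held by more than one account to its owner DNs."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    dupes = duplicate_spns(SAMPLE_LDIF)
    if not dupes:
        print("No duplicate SPNs found.")
    for spn, dns in sorted(dupes.items()):
        print(f"{spn} is registered on {len(dns)} accounts:")
        for dn in dns:
            print(f"    {dn}")
```

Run against a real export, the script reports exactly the situation described in the thread (one name, several accounts), so the surplus accounts can be cleaned up and the single remaining account can carry the node names and the VIP alias as additional SPNs.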