6 Replies Latest reply on Jun 20, 2016 5:46 PM by Jon Scholten

    Kerberos: How to authenticate several different AD domains with only one keytab?

    timode

      Hi,

       

      I have a big company-wide MWG cluster within our central computing centre. This cluster is used by our customers in order to surf the internet. We have several hundred customers. Each customer is within a separate AD domain.

       

      What I want to do is to use Kerberos for all customers to authenticate against the proxy. But I really don't want to create a keytab for every single customer / AD domain. This would result in several hundred keytabs. Also we add customers from time to time. This is not manageable.

       

      So I would really like to be able to create one central keytab used to authenticate all customers within all AD domains. Any ideas how this could be done?

       

      My first idea was:

      We have a central AD domain with bidirectional trusts to all customer AD domains. So I tried to create a single keytab within our central AD domain. This is trusted by all customer AD domains. Unfortunately this still does not allow customers to authenticate.

       

      Any ideas?

       

      cheers

      Timo

        • 1. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
          Jon Scholten

          Hi Timo,

           

          Perhaps we should explore why "this still does not allow to authenticate customers".

           

          Have you reviewed the troubleshooting steps in the best practices? If so, have you gathered the data mentioned in it? How To: Simplified Kerberos Setup on Web Gateway 7.x

           

          Best Regards,

          Jon

          • 2. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
            timode

            Hi Jon,

             

            I tried all the steps from the guides and more, following the troubleshooting steps. Let me know if you need something more.

             

            I have two test domains:

            - testumgebung.xxx.de (this represents the central domain having trusts to all customer domains)

            - testneu.xxx.de (this represents one of the customer domains)

             

            First I tested Kerberos on both domains separately by creating a keytab for each separately. This worked fine:

             

            GOOD - Zone testumgebung.xxx.de

            -------------------------------

            Mapsuser: kerbuser

            Proxy: mwg.myzone.de

            User: alt.testumgebung.xxx.de (Client is within domain testumgebung.xxx.de)

            ktpass -princ HTTP/mwg.myzone.de@TESTUMGEBUNG.XXX.DE -mapuser kerbuser -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -crypto All -out mwgsingle1.keytab

             

            klist (on client)

             

            #0>     Client: alt @ TESTUMGEBUNG.XXX.DE

                    Server: krbtgt/TESTUMGEBUNG.XXX.DE @ TESTUMGEBUNG.XXX.DE

                    KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96

                    Ticketkennzeichen 0x40e00000 -> forwardable renewable initial pre_authent

                    Startzeit: 5/30/2016 8:44:31 (lokal)

                    Endzeit:   5/30/2016 18:44:31 (lokal)

                    Erneuerungszeit: 6/6/2016 8:44:31 (lokal)

                    Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96

             

             

            #1>     Client: alt @ TESTUMGEBUNG.XXX.DE

                    Server: HTTP/mwg.myzone.de @ TESTUMGEBUNG.XXX.DE

                    KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96

                    Ticketkennzeichen 0x40a00000 -> forwardable renewable pre_authent

                    Startzeit: 5/30/2016 8:44:31 (lokal)

                    Endzeit:   5/30/2016 18:44:31 (lokal)

                    Erneuerungszeit: 6/6/2016 8:44:31 (lokal)

                    Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96


            GOOD - Zone testneu.xxx.de

            --------------------------

             

            Mapsuser: kerbuserneu

            Proxy: mwg.myzone.de

            User: neu.testneu.xxx.de (Client is within domain testneu.xxx.de)

            ktpass -princ HTTP/mwg.myzone.de@TESTNEU.XXX.DE -mapuser kerbuserneu -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -crypto All -out tabneu.keytab

             

            klist (on client):

             

            #0>     Client: neu @ TESTNEU.XXX.DE

                    Server: krbtgt/TESTNEU.XXX.DE @ TESTNEU.XXX.DE

                    KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96

                    Ticketkennzeichen 0x40e00000 -> forwardable renewable initial pre_authent

                    Startzeit: 5/30/2016 8:53:37 (lokal)

                    Endzeit:   5/30/2016 18:53:37 (lokal)

                    Erneuerungszeit: 6/6/2016 8:53:37 (lokal)

                    Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96

             

             

            #1>     Client: neu @ TESTNEU.XXX.DE

                    Server: HTTP/mwg.myzone.de @ TESTNEU.XXX.DE

                    KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96

                    Ticketkennzeichen 0x40a00000 -> forwardable renewable pre_authent

                    Startzeit: 5/30/2016 8:53:37 (lokal)

                    Endzeit:   5/30/2016 18:53:37 (lokal)

                    Erneuerungszeit: 6/6/2016 8:53:37 (lokal)

                    Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96


            FAIL - Trusted Zones

            --------------------

             

            Now I created a bidirectional trust between testumgebung.xxx.de and testneu.xxx.de. I created the mapuser within testumgebung.xxx.de.

             

            Mapsuser: kerbuser

            Proxy: mwg.myzone.de

            ktpass -princ HTTP/mwg.myzone.de@TESTUMGEBUNG.XXXX.DE -mapuser kerbuser -pass xxxxxxxx -ptype KRB5_NT_PRINCIPAL -crypto All -out mwgtrusted.keytab

             

            For users within testumgebung.xxx.de authentication works fine. For users within testneu.xxx.de authentication fails. Following the troubleshooting steps for user neu.testneu.xxx.de (within domain TESTNEU.XXX.DE):

             

            klist (on client):

             

            #0>     Client: neu @ TESTNEU.XXX.DE

                    Server: krbtgt/TESTNEU.XXX.DE @ TESTNEU.XXX.DE

                    KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96

                    Ticketkennzeichen 0x40e00000 -> forwardable renewable initial pre_authent

                    Startzeit: 5/30/2016 9:07:19 (lokal)

                    Endzeit:   5/30/2016 19:07:19 (lokal)

                    Erneuerungszeit: 6/6/2016 9:07:19 (lokal)

                    Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96

             

             

            So the client did not receive a Kerberos ticket at all!

             

            MWG Log:

            [2016-05-30 09:09:11.479 +02:00] [4006] Kerberos (524, 192.168.50.50) URL: http://10.1.17.108/

            [2016-05-30 09:09:11.480 +02:00] [4006] Kerberos (524, 192.168.50.50) Configuration: Kerberos_neu Connection: 0x7f05a1519d10 RR: 0x7f059b48bfb0

            [2016-05-30 09:09:11.480 +02:00] [4006] Kerberos (524, 192.168.50.50) Added authentication method: Negotiate

            [2016-05-30 09:09:11.480 +02:00] [4006] Kerberos (524, 192.168.50.50) Authentication didn't return values, failure ID: 4, authentication failed: 0

             

            Network trace on proxy port:

            GET http://10.1.17.108/ HTTP/1.1

            Host: 10.1.17.108

            User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0

            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

            Accept-Language: de,en-US;q=0.7,en;q=0.3

            Accept-Encoding: gzip, deflate

            Connection: keep-alive

            Pragma: no-cache

            Cache-Control: no-cache

             

            HTTP/1.1 407 authenticationrequired

            Via: 1.1 192.168.50.215 (McAfee Web Gateway 7.5.2.2.0.19971)

            Date: Mon, 30 May 2016 07:09:43 GMT

            Content-Type: text/html

            Cache-Control: no-cache

            Content-Length: 3932

            Proxy-Connection: Keep-Alive

            Proxy-Authenticate: Negotiate

             

            ...

            GET http://10.1.17.108/ HTTP/1.1

            Host: 10.1.17.108

            User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0

            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

            Accept-Language: de,en-US;q=0.7,en;q=0.3

            Accept-Encoding: gzip, deflate

            Connection: keep-alive

            Pragma: no-cache

            Cache-Control: no-cache

            Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

             

            HTTP/1.1 403 authenticationrequired

            Via: 1.1 192.168.50.215 (McAfee Web Gateway 7.5.2.2.0.19971)

            Date: Mon, 30 May 2016 07:09:43 GMT

            Content-Type: text/html

            Cache-Control: no-cache

            Content-Length: 3932

            Proxy-Connection: Keep-Alive

             

             

            Network trace on kerberos port 88:

            I get an AS-REQ

            Answer is an error eRR-PREAUTH-REQUIRED

            Then I get another AS-REQ and a AS-REP

            Then I get a TGS-REQ followed by an error eRR-S-PRINCIPAL-UNKNOWN (realm TESTNEU.XXX.DE)


            It seems the mapuser must be within testneu.xxx.de but is only within testumgebung.xxx.de. So how do I manage to authenticate all my 800 customer domains without the need to have 800 mapusers and 800 keytabs? Isn't it possible to have only one mapuser within a central domain trusted to all customers?

             

            Thanks in advance for the help

            Timo
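            A diagnostic worth applying to the trace above (an added example, not part of Timo's post or of MWG): the Proxy-Authorization token begins with the base64 of "NTLMSSP", so the browser sent NTLM inside Negotiate instead of a Kerberos/SPNEGO token (which would start with a 0x60 GSS-API tag, typically "YII" in base64), which is exactly what a client does when the KDC returns S-PRINCIPAL-UNKNOWN for the proxy SPN. The trace sample is trimmed to the relevant headers; the SPNEGO comparison token is constructed.

```python
import base64
import re

# Constructed sample in the shape of the proxy trace quoted above; the token is the
# one from the trace, the rest of the request is trimmed.
TRACE = """GET http://10.1.17.108/ HTTP/1.1
Host: 10.1.17.108
Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
"""

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def classify_negotiate_token(b64: str) -> str:
    """Say which mechanism a Negotiate token actually carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLMSSP message type is a little-endian uint32 right after the signature
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLM type {msg_type}"
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken: [APPLICATION 0] tag, DER length, mech OID
        pos = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)
        body = raw[pos:]
        if body.startswith(SPNEGO_OID):
            return "SPNEGO"
        if body.startswith(KRB5_OID):
            return "Kerberos"
        return "GSS-API (other mechanism)"
    return "unknown"


def scan_trace(trace: str) -> list:
    """Classify every Proxy-Authorization: Negotiate token in a captured exchange."""
    pattern = re.compile(r"^Proxy-Authorization:\s*Negotiate\s+(\S+)", re.MULTILINE)
    return [classify_negotiate_token(m.group(1)) for m in pattern.finditer(trace)]


def constructed_spnego_token() -> str:
    """A constructed (truncated) SPNEGO token header, for comparison with the NTLM one."""
    return base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()


if __name__ == "__main__":
    print(scan_trace(TRACE))                                     # ['NTLM type 1']
    print(classify_negotiate_token(constructed_spnego_token()))  # SPNEGO
```

            Seeing NTLM where Kerberos was expected points at SPN or realm resolution on the client side rather than at the keytab on the proxy.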

            • 3. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
              Jon Scholten

              Hi Timo,

               

              I'm pretty sure that cross domain trust should work. Do you have an SR #?

               

              I can take it over and work with you offline. Don't post any internal data here.

               

              Best Regards,

              Jon

              • 4. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
                timode

                Hi Jon,

                 

                Yes. SR # <4-14326766781>

                 

                best regards

                Timo Steinbach

                • 5. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
                  timode

                  After some different attempts and tries, together with Jon (thanks Jon), we found a solution.

                   

                  The problem was the DNS name of the MWG. The name was not within the AD name space. So the AD of the customer was not able to find the correct AD for authentication. The error message was "wrong principal". I changed the DNS name of the MWG to a name which is within the AD namespace (of course I also changed the name within the browser proxy settings). Now it works fine.

                   

                  cheers

                  Timo

                  • 6. Re: Kerberos: How to authenticate several different AD domains with only one keytab?
                    Jon Scholten

                    Name routing suffixes are populated by default when joining one domain to another. In Timo's case, it was going to be easier to just use a different DNS name for MWG than to update the name routing suffix on all of the (800) customer domains.

                     

                    Now Timo can mark this as answered so I get fake internet points.

                     

                    Best Regards,

                    Jon
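                    To make the resolution Jon and Timo describe concrete, here is an added Python model (not from the thread or from McAfee) of the customer KDC's decision for a TGS-REQ that names an SPN without a realm: a host under a name suffix routed to the trusted forest gets a referral to that realm's krbtgt, a host under no routed suffix (mwg.myzone.de) gets S-PRINCIPAL-UNKNOWN. Realm names are the thread's; the suffix list, the local SPN and the simplified longest-suffix matching are assumptions.

```python
# Constructed model of the customer realm's KDC view (realm names are the thread's;
# the suffix list and the local SPN are assumptions for the example).
LOCAL_REALM = "TESTNEU.XXX.DE"
LOCAL_SPNS = {"HTTP/intranet.testneu.xxx.de"}
# Name suffix routing for the forest trust, as populated by default when it is created.
TRUSTED_FOREST_SUFFIXES = {"TESTUMGEBUNG.XXX.DE": ["testumgebung.xxx.de"]}


def resolve_tgs_request(spn, local_realm=LOCAL_REALM, local_spns=LOCAL_SPNS,
                        trusted=TRUSTED_FOREST_SUFFIXES):
    """Simplified KDC decision for a TGS-REQ naming an SPN without an explicit realm.

    Returns (outcome, target). Outcomes: SERVICE_TICKET (SPN registered locally),
    REFERRAL (cross-realm krbtgt for a routed name suffix) or
    KDC_ERR_S_PRINCIPAL_UNKNOWN (what the port-88 trace in the thread showed).
    """
    if spn in local_spns:
        return ("SERVICE_TICKET", f"{spn}@{local_realm}")
    if "/" not in spn:
        return ("KDC_ERR_S_PRINCIPAL_UNKNOWN", spn)
    # host part of service/host[:port], normalised for suffix comparison
    host = spn.split("/", 1)[1].split(":", 1)[0].rstrip(".").lower()
    best = None  # (realm, suffix); the longest matching routed suffix wins
    for realm, suffixes in trusted.items():
        for suffix in suffixes:
            suffix = suffix.lower()
            if host == suffix or host.endswith("." + suffix):
                if best is None or len(suffix) > len(best[1]):
                    best = (realm, suffix)
    if best:
        return ("REFERRAL", f"krbtgt/{best[0]}@{local_realm}")
    return ("KDC_ERR_S_PRINCIPAL_UNKNOWN", spn)


if __name__ == "__main__":
    print(resolve_tgs_request("HTTP/mwg.myzone.de"))              # the failing case
    print(resolve_tgs_request("HTTP/mwg.testumgebung.xxx.de"))    # referral to the trusted realm
```
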