AD 2003; MS's ktpass made account corrupted
Douglas E. Engert
deengert at anl.gov
Thu Dec 13 11:42:59 EST 2007
Henoc wrote:
> Excuse me dear Douglas,
> but I'm French and my English sucks a little bit.
>
My French is worse...
> *) The machine is a windows XP Pro box.
> Already belonging to a domain.
> the ": (not that the computer pre-exist in"
> Was a misspell of " (note that the computer pre-exist..."
>
>
> *) The machine name is WWWSRVHOST which is ALSO the Host name under windows
> as far as I know? because on the Win2003 box it shows these spn: HOST/
> WWWSRVHOST.... like this BEFORE any of our changes.
Kerberos principals usually have <service>/<FQDN>@<realm>.
With HTTP the <service> is "HTTP", upper case.
With a host the <service> is "host", lower case.
<FQDN> should be the host's fully qualified DNS name in lower case.
<realm> is lower case, and matches the AD domain name, and is usually
a FQDN.
Windows clients and AD are case insensitive, and will accept any case.
Windows host principals can be simple names.
Kerberos clients on other platforms are case sensitive, and will
try to convert a short host name into a FQDN using the resolver.
>
> *)The AD Domain name on site was CCIAL.local (that is the way windows2003
> spells a simple domain name.)
OK, it usually is a FQDN, and matches the DNS domain, but it does not have to.
> For trying to not pollute the case I tried to say it is just a FQDN (fully
> qualified domain name) because if this is a trouble I will make them change
> that after.
>
You want FQDNs. FQDNs are unique.
> So excuse me for the misspelling between FQDN and FDN.
> Next time I will take more time to re-read my post, especially in a foreign
> language.
> All this was to try not to give you too much annoying details which will
> make you lose your time.
> Apologies.
>
>
> *)
> my app is a custom app with webserver (NO IIS) and provides some SSO
> facilities via Java and SPNEGO. That's why I have to do all this stuff :
Never tried running a Java server under windows.
You may want to do a Google search for: java gss windows server
> to get the keytab of the XP computer which hosts my web app.
> This is needed for the SSO to work.
> The web server uses some Java 6 techs including the JAAS layer for security
> which is the one that allows the Kerberos token handshaking.
>
>
Java on Windows might be able to use the host's password, and if this
was the case, all that might be needed is to have the AD admin
add a SPN=HTTP/WWWSRVHOST to the existing account. But this might
only work if your server is Windows 2003. You are using XP.
The server does not have to use the same keytab as the host.
And in your case it would be better if it used its own keytab
in a file. The trick is to tell Java where the keytab is.
See:
http://forum.java.sun.com/thread.jspa?threadID=5137494&tstart=75
The Java class Krb5LoginModule says how to do this,
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
for both client and server. The single-signon example
defines a gss.conf for jgss.accept
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html
gss.conf:

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true
        keyTab="krb5.keytab" doNotPrompt=true useKeyTab=true
        principal="xmpp/slushpupie.com@SLUSHPUPIE.COM" debug=true;
    };
>
>
> *)
> I talked about cygwin just because it seems mskutil works only under unix.
> They don't have a "real" DNS as they are a simple organization ; just
> windows boxes. So DNS setting is not a real problem here.
>
> ( * ) ( * ) ( * )
> I hope I'm little bit more clear now ?!
> ( * ) ( * ) ( * )
> My job is to give this infamous keytab for the app.
> And for this to work in sun tutorials they ask for the keytab of the
> computer hosting the webserver.
>
> Now I must confess I'm lost :
> It seems you are telling me I should make another spn's keytab but not the
> machine's one ? I don't know how all this will work then as Sun was asking
> for the machine's keytab.
>
Yes, and also have a separate account created in AD for this service. Then
if the password is changed on one account it will not affect the other.
The ktpass /mapuser lists the AD account it uses.
>
> I'm not at the office to try all these
> Will be there only tomorrow afternoon or Monday.
>
>
>
> Thank you for your time and your help.
> Sincerely
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Thursday 13 December 2007 16:15
> To: Henoc
> Cc: kerberos at mit.edu
> Subject: Re: AD 2003; MS's ktpass made account corrupted
>
>
>
> Henoc wrote:
>> Thanks Douglas for your help.
>>
>> Just one thing to make clear for me (I'm not a Kerberos specialist so I
>> would like to be sure ) :
>>
>> So I got my computer WWWSRVHOST joined to my domain
>> It has most of the time these spn already made by AD :
>> HOST/WWWSRVHOST at FQDN.com
>
> (Some of your examples use FQDN, some FDN. You refer to the machine
> as WWWSRVHOST but it also has a DNS hostname. Your attempts
> at obfuscating the information in the e-mail are making
> it hard to understand your situation.)
>
> First of all, is the computer WWWSRVHOST a Windows machine?
> Is WWWSRVHOST the name?
> What is its DNS name?
> Is it joined to the domain?
> What is the AD domain name?
>
> And you want to run a web server on it?
> If this is all Microsoft servers and web servers, you should not
> have to create any keytabs. It should be done for you.
>
> Are you trying to run some web server under cygwin?
>
> If so, use two separate windows accounts, one for the host service
> handled by windows join, and one for the HTTP service,
> and use ktpass. (This keeps them separate, and avoids the common
> password issue.)
>
> The account name does not have to be the spn.
>
>> My goal is :
>> - (1) - to add a HTTP/WWWSRVHOST at FDN.com SPN to my computer's entry
>> - (2) - then to produce the corresponding Keytab file
>>
>> So to reach this :
>> a)- under a unix box or via cygwin on the same windows I have to install
>> mskutil (didn't succeed finding a windows version )
>
> No, there is none. You should not need this with windows.
>
>> b)- emit these kind of command line : (not that the computer pre-exist in
>> the domain;
>
> You said the computer was joined. Now you say it is not.
>
>> in most of my client environments it is a windows box on which I
>> have to install my stuff)
>>
>> msktutil -b <base> -k <file> -s <HTTP/WWWSRVHOST@FDN.com>
>
> Did you actually get it to run?
>
>>
>> Is that all so simple ?? I can't believe I have been turning around for
>> decades for something so easy.
>> Should post this on different forums to avoid this for other people.
>> I can test before Friday or Monday
>>
>> If I made some huge mistake in my understanding, please let me know
>>
>> Thanks again for your help, which was very useful
>>
>> Sincerely
>>
>>
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
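The thread's rules for a service principal (service/FQDN@REALM; "HTTP" upper case, "host" lower case; FQDN lower case; short names tolerated only by Windows clients; realm matching the AD domain) can be checked mechanically before a keytab is cut. This is an added example, not code from the thread; the hostname WWWSRVHOST and domain CCIAL.local are taken from the discussion as placeholders, and the realm is compared to the AD domain case-insensitively, as AD itself does.

```python
"""Check Kerberos service principals against the naming rules in the thread:
service/FQDN@REALM, HTTP upper case, host lower case, FQDN lower case,
short host names only accepted by Windows clients."""
import re

_PRINC_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

# Case that case-sensitive (non-Windows) Kerberos clients expect for these services.
_SERVICE_CASE = {"http": "HTTP", "host": "host"}


def parse_principal(principal):
    """Split service/host@REALM into its parts, or return None if malformed."""
    m = _PRINC_RE.match(principal)
    return m.groupdict() if m else None


def principal_issues(principal, ad_domain):
    """Return the problems a case-sensitive client would hit with this principal.

    ad_domain is the AD domain the realm must match (compared case-insensitively)."""
    parts = parse_principal(principal)
    if parts is None:
        return ["not of the form service/host@REALM"]
    issues = []
    svc, host, realm = parts["service"], parts["host"], parts["realm"]
    want = _SERVICE_CASE.get(svc.lower())
    if want is not None and svc != want:
        issues.append(f"service should be spelled {want!r}, not {svc!r}")
    if "." not in host:
        issues.append(f"host {host!r} is a short name, use the FQDN")
    if host != host.lower():
        issues.append(f"host {host!r} should be lower case")
    if realm.lower() != ad_domain.lower():
        issues.append(f"realm {realm!r} does not match AD domain {ad_domain!r}")
    return issues


def canonical_principal(principal, dns_suffix):
    """Rewrite a principal into the form a non-Windows client can use: known
    services in their expected case, host lower-cased and, if short, qualified
    with dns_suffix (the DNS domain the admin supplies). Realm is kept as given."""
    parts = parse_principal(principal)
    if parts is None:
        raise ValueError(f"malformed principal: {principal}")
    svc = _SERVICE_CASE.get(parts["service"].lower(), parts["service"])
    host = parts["host"].lower()
    if "." not in host:
        host = f"{host}.{dns_suffix.lower()}"
    return f"{svc}/{host}@{parts['realm']}"


# Constructed sample built from the placeholder names used in the thread.
SAMPLE = "http/WWWSRVHOST@ccial.local"
```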