AD 2003; MS's ktpass made account corrupted

Henoc@gbconcept.com henoc at gbconcept.com
Tue Jan 15 13:23:46 EST 2008 

Douglas,
Thanks for your help, and excuse me for the time it takes me to get back 
on this project.

We had other concerns so...

So anyway now I'm back on it and this mail is to say "Merci" in french.

for others with the same trouble :
I just had to create a simple user and not using the machine's account 
and it worked like a charm.

Indeed what is specified on the java website claiming you MUST use the 
webserver host's account is false.



Again Merci Douglas for answering me and putting me on the good direction.

Cheers & Best Wishes for the brand new 2008


Douglas E. Engert a écrit :
>
>
> Henoc wrote:
>> Excuse me dear Douglas , but I'm French and my english sucks  a 
>> little bit .
>>
>
> My French is worse...
>
>
>> *) The machine is a windows XP Pro box.
>> Already belonging to a domain.
>>            the ": (not that the computer pre-exist in"
>>            Was a misspell of " (note that the computer pre-exist..."
>>
>>
>> *) The machine name is WWWSRVHOST which is ALSO is Host name under 
>> windows
>> as far as I know ? because on the Win2003 box it shows these spn : HOST/
>> WWWSRVHOST.... like this BEFORE any of our changes .
>
> Kerberos principals usually have <service>/<FQDN>@<realm>
>
> With HTTP the <service> is "HTTP" upper case.
> With a host the <service> is "host" lowercase
> <FQDN> should be the hosts fully qualified DNS name in lowercase.
> <realm> is lowercase, and matches the AD domain name, and is usually
> a FQDN.
>
> Windows clients and AD are case insensitive, and will accept any case.
> Windows host principals can be simple names.
>
> Kerberos clients on other platforms, are case sensitive, and will
> try and convert a short host name in to a FQDN, using resolve.
>
>>
>> *)The AD Domain name on site was CCIAL.local (that is the way 
>> windows2003
>> spells a simple domain name.)
>
> OK, its usually is a FQDN, and matches the DNS domain, but does not 
> have to.
>
>> For trying to not pollute the case I tried to say it is just a FQDN 
>> (fully
>> qualified domain name) because if this is a trouble I will make them 
>> change
>> that after.
>>
>
> You want FQDNs. FQDNs are unique.
>
>> So excuse me for the misspelling between FQDN and FDN. Next time I 
>> will take more time to re-read my post. Specially in a foreign
>> language.
>> All this was to try not to give you too much annoying details which will
>> make you lose your time.
>> Apologizes.
>>
>>
>> *)
>> my app is a custom app with webserver (NO IIS) and provides some SSO
>> facilities via Java and SPNEGO. That's why I have to do all this stuff :
>
> Never tried running a Java server under windows.
>
> You may want to do a Google search for:  java gss windows server
>
>> to get the keytab of the XP computer which hosts my web app.
>> This is needed for the SSO to work.
>> The web server uses some Java 6 techs including the JAAS layer for 
>> security
>> which is the one that allows the Kerberos token handshaking.
>>
>>
>
> Java on Windows might beable to use the host's password, and if this
> was the case, all that might be needed is to have the AD admin
> add a SPN=HTTP/WWWSRVHOST to the existing account. But this might
> only work if  your server is Windows 2003. You are using XP.
>
>
> The server does not have to use the same keytab as the host.
> And in you case it would be better if it used its own keytab
> in a file. The trick is to tell Java where the keytab is.
>
> See:
> http://forum.java.sun.com/thread.jspa?threadID=5137494&tstart=75
>
> The Java class Krb5LoginModule says how to do this,
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html 
>
>
> for both client and server. The single-signon example
> defines a gss.conf for jgss.accept
>
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html 
>
>
>  gss.conf:
>  com.sun.security.jgss.accept {
>    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>  keyTab="krb5.keytab" doNotPrompt=true useKeyTab=true
>  principal="xmpp/slushpupie.com at SLUSHPUPIE.COM" debug=true;
>  };
>
>
>>
>>
>> *)
>> I talked about cygwin just because it seems mskutil works only under 
>> unix.
>> They don't have a "real" DNS as they are a simple organization ; just
>> windows boxes. So DNS setting is not a real problem here.
>>
>>   ( * )  ( * )  ( * )
>> I hope I'm little bit more clear now ?!
>>   ( * )  ( * )  ( * )
>> My job is to give this infamous keytab for the app.
>> And for this to work in sun tutorials they ask for the keytab of the
>> computer hosting the webserver.
>>
>> Now I must confess I'm lost :
>> It seems you are telling me I should make another spn's keytab but 
>> not the
>> machine's one ? I don't know how all this will work then as Sun was 
>> asking
>> for the machine's keytab.
>>
>
> Yes, and also have a separate account created in AD for this service. 
> Then
> if the password is changed on oneaccount it will not affect the other.
>
> The ktpass /mapuser lists the AD account it use.
>
>>
>> I'm not at the office to try all these Will be there only tomorrow 
>> afternoon or Monday.
>>  
>>
>>
>> Thank you for your time and your help.
>> Sincerly
>>
>>
>> -----Message d'origine-----
>> De : Douglas E. Engert [mailto:deengert at anl.gov] Envoyé : jeudi 13 
>> décembre 2007 16:15
>> À : Henoc
>> Cc : kerberos at mit.edu
>> Objet : Re: AD 2003; MS's ktpass made account corrupted
>>
>>
>>
>> Henoc wrote:
>>> Thanks Douglas for your help.
>>>
>>> Just one thing to make clear for me (I'm not a Kerberos specialist so I
>>> would like to be sure ) :
>>>
>>> So I got my computer WWWSRVHOST  joined to my domain It has most of 
>>> the time these spn already made by AD :
>>> HOST/WWWSRVHOST at FQDN.com
>>
>> (Some of you examples use FQDN, some FDN. You refer to the machine
>> as WWWSRVHOST but it also has a DNS hostname. You attempts
>> at obfuscating the information in the e-mail is making
>> it hard to understand your situation.
>>
>> First of all, is the computer WWWSRVHOST a Windows machine?
>> Is WWWSRVHOST the name?
>> What is its  DNS name?
>> Is it joined to the domain?
>> What is the AD domain name?
>>
>> And you want to run a web server on it?
>> If this is all Microsoft servers and web servers, you should not
>> have to create any keytabs. It should be done for you.
>>
>> Are trying to run some web server under cygwin?
>>
>> If so use two seperate windows accounts, one for the host service
>> handled by windows join, and one for the HTTP service,
>> and use ktpass. (This keeps them seperate, and avoids the common
>> passwrod issue.)
>>
>> The account name does not have to be the spn.
>>
>>> My goal is :
>>> - (1) - to add a HTTP/WWWSRVHOST at FDN.com  SPN to my computer's entry
>>> - (2) - then to produce the corresponding Keytab file
>>>
>>> So to reach this :
>>> a)- under a unix box or via cygwin on the same windows I have to 
>>> install
>>> mskutil (didn't succeed finding a windows version )
>>
>> No there is no. You should not need this with windows.
>>
>>> b)- emit these kind of command line : (not that the computer 
>>> pre-exist in
>>> the domain; 
>>
>> You said the computer was joined. Now you say it is no.
>>
>> in most of my client environment it is a windows box on which I
>>> have to install my stuff)
>>>
>>> msktutil -b <base> -k <file> s <HTTP/WWWSRVHOST at FDN.com >
>>
>> Did you actually get it to run?
>>
>>>
>>> Is that all so simple  ?? I can't believe I have been turning around 
>>> for
>>> decades for something so easy. Should post this on different forums 
>>> to avoid this for other people.
>>> I can test before Friday or Monday
>>>
>>> If I made some huge mistake in my understanding, please let me know
>>>
>>> Thanks again for your help, which was very useful
>>> Sincerely
>>>
>>>
>>
>>
>>
>

More information about the Kerberos mailing list