Change AD Service Principal Name - Prompting for Credentials

mashleyttu mashley at gmail.com
Fri Jul 31 18:42:56 EDT 2015


Hi,

We run a customer subscription website. Our customers are other
companies. A few of our customers have requested Single Sign On so their
employees don't have to enter credentials when accessing our site.

We would prefer to only have one domain, but authorize them via different
folders. I've setup two AD instances in our test environment. 

Our setup is as follows:

*krb5.conf*
[libdefaults]
  default_realm = AD.OURCOMPANY.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
AD.OURCOMPANY.COM = {
  kdc = 172.30.0.222
}
AD2.OURCOMPANY.COM = {
  kdc = 172.30.0.184
}

[domain_realm]
#nothing

*Apache vhost file*
<VirtualHost *:443>
        ServerName test.ourcompany.com
        ....
        <LocationMatch "/ad$">
                AuthType Kerberos
                KrbServiceName HTTP/test.ourcompany.com@AD.OURCOMPANY.COM
                AuthName "The Nice Login Greeting Goes Here"
                KrbMethodNegotiate on
                KrbMethodK5Passwd on
                KrbVerifyKDC off
                KrbAuthRealms AD.OURCOMPANY.COM
                Krb5KeyTab /etc/ad.keytab
                KrbSaveCredentials on
                require valid-user
        </LocationMatch>
        <LocationMatch "/ad2$">
                AuthType Kerberos
                KrbServiceName HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM
                AuthName "The Nice Login Greeting Goes Here"
                KrbMethodNegotiate on
                KrbMethodK5Passwd on
                KrbVerifyKDC off
                KrbAuthRealms AD2.OURCOMPANY.COM
                Krb5KeyTab /etc/ad2.keytab
                KrbSaveCredentials on
                require valid-user
        </LocationMatch>
</VirtualHost>

I thought I had everything working, then I tried to change the password for
the AD2 SPN and it started prompting for credentials when going to
test.ourcompany.com/ad2. test.ourcompany.com/ad still works great.

Although the domain names are AD and AD2, they are in no way related and have
no trusted relationship. After changing the password on AD2 I created a new
keytab file and restarted apache.

Before, both AD servers' SPNs had the same username and password, so it might
not have been working as I thought it did. I'm not sure. That is why I
changed one of the SPNs' passwords. I also read something about keytab
versions and that kerberos might be looking for an older version?

I'm very sorry if this is a novice question. This is our first time doing
anything with Kerberos or LDAP/AD. Any assistance would be greatly
appreciated.

Thanks,
Matt

--
View this message in context: http://kerberos.996246.n3.nabble.com/Change-AD-Service-Principal-Name-Prompting-for-Credentials-tp44163.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
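The post raises the question of whether the regenerated /etc/ad2.keytab actually carries the key version (kvno) the AD2 KDC now issues after the password change. As an added example (not part of Matt's post, mod_auth_kerb or MIT krb5), here is a small parser for the MIT 0x0502 keytab file format that lists every principal and kvno a keytab holds; the keytab bytes are constructed inline, and the key material and timestamps are placeholder values.

```python
"""Parse an MIT keytab (format 0x0502) and list the kvno of every key it holds."""
import struct

def build_entry(realm, components, kvno, enctype, key, timestamp, name_type=1):
    """Serialise one keytab entry; used here only to construct sample data."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict (principal, kvno, enctype, timestamp) per live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # If 4 or more bytes remain in the entry, they hold the full 32-bit kvno.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def kvnos_for(entries, principal):
    """Set of key version numbers the keytab holds for one principal."""
    return {e["kvno"] for e in entries if e["principal"] == principal}

# Constructed sample: the AD2 service principal from the post, with the key from
# before and after a password change (kvno 3, then 4). Keys/timestamps are placeholders.
SPN = "HTTP/test.ourcompany.com@AD2.OURCOMPANY.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("AD2.OURCOMPANY.COM", ["HTTP", "test.ourcompany.com"], 3, 23, b"\x11" * 16, 1438300000)
    + build_entry("AD2.OURCOMPANY.COM", ["HTTP", "test.ourcompany.com"], 4, 18, b"\x22" * 32, 1438367000))
```

Run `parse_keytab` over the bytes of the real keytab file and compare `kvnos_for(entries, SPN)` with the kvno the KDC reports for that principal; if the current version is missing, the keytab predates the password change and the Negotiate handshake falls back to a password prompt.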