Kerberos Authentication against Multiple Domains



By: gmohan

October 10, 2013 1:15 pm

Reads: 945

Comments:2

Rating:5.0

The document describes accessing resources across forests using NetIQ Access Manager – Kerberos Authentication.

Pre-requisites:

  1. Kerberos cross realm trust need to be enabled for both the domains
  2. Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, then you must unchecked it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.
  3. Make sure that the Kerberos service user account password is matching on both domains (PRIMARY.COM and OTHER.COM)

Generating keytab files:

ktpass /out PRIMARY.keytab /princ HTTP/sso.test.com@PRIMARY.COM /mapuser nm093secidp01@PRIMARY.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

ktpass /out OTHER.keytab /princ HTTP/sso.test.com@OTHER.COM /mapuser nm093secidp01@OTHER.COM /pass N0v3ll@12 /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

Merging Key tab files:

If you have multiple keytab files that need to be in one place, you can merge the keys with the ktutil command.

MergingKeytabfiles

bcsLogin.conf:

Make sure configuration you do in bcsLogin.conf is required by the service to read the merged keytab information.

bcsLogin.conf

User Stores:

Add both the user stores (PRIMARY.COM and OTHER.COM) in the IDP cluster.

UserStores

UPN Suffix:

UPN presented in the ticket to search for the user, and that the UPN suffix list would configure to accept different UPN suffixes.

KerberosClass

Enter only the second domain in the UPN Suffixes, in our case it’s OTHER.com and add both the user stores in Kerberos Methods.

Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since DES cipher by default is disabled in Windows 2008 R2. Enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:

http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
http://support.microsoft.com/kb/978055

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)
Kerberos Authentication against Multiple Domains, 5.0 out of 5 based on 2 ratings

Tags:
Categories: Access Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

2 Comments

  1. By:TellierS

    Hi

    I try to implement multi domain authentication but I have some issue.

    The keytab is generated for each domain. It works for each domain, but when I use the merge keytab, I receive the login screen in place.

    I use nam 3.1.5, on which version have you tested this solution?

    I have a misuderstanding with following:

    Make sure that the Kerberos service user account you have set up does not have “Use DES encryption types for this account” selected. If it is already selected, then you must unchecked it and reset the password. It is not possible for the same SPN/service user account to support both DES and RC4-HMAC security. It must be one or the other.

    and

    Note: Implementation procedures on Windows 2008 R2 are basically the same as with other Windows versions. However, since DES cipher by default is disabled in Windows 2008 R2. Enable DES cipher support on Windows 2008 R2. See the following tech note from Microsoft:

  2. By:TellierS

    Other question:

    What about the method, I suppose we need to add primary domain and secondary domain in the stores configuration in the method.

Comment