how many SPN is required if policy server is in Linux

book

Article ID: 132015

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction



  We'd like to know how many SPN is required if the Policy Server runs
  on Linux ? 

  As running on Linux, should be there Host keytab to register the OS
  too ?

  And if such, should Service keytab and Host keytab be merged ?

Environment

Policy Server on 12.8SP1 on RedHat 7.1; 
CA Access Gateway (SPS) on 12.8SP1 on RedHat 7.1; 
KDC on Active Directory; 

Resolution

At first glance, you need only one SPN for the Policy Server running
on Linux.

As per documentation, you do need host and service 
SPN for the Policy Server that you'll merge in a single .keytab file

KDC Configuration on UNIX Example 

Create a user principal (for example, testwakrb), a host principal 
(host/[email protected], and a service principal 
(HTTP/[email protected]) for the web server host. The 
password used for creating host account must be same as the password 
specified when using the ksetup utility on the web server host. 

Create a user principal (testpskrb), host principal 
(host/[email protected]) and service principal 
(smps/[email protected]) for the Policy Server host. The 
password used for creating host account must be same as the password 
specified when using the ksetup utility on the Policy Server host. 

--- 

Kerberos Configuration at the Policy Server on UNIX Example 

Use the ktutil utility to merge the keytab files 
(sol10ps_smps.keytab & sol10ps_host.keytab) containing the host 
principal and service principal names for the Policy Server host in 
the /etc/krb5.keytab file: 

ktutil: rkt sol10ps_host.keytab 
ktutil: wkt /etc/krb5.keytab 
ktutil: q 
ktutil: rkt sol10ps_smps.keytab 
ktutil: wkt /etc/krb5.keytab 
ktutil: q 
Verify the created krb5.keytab as follows: 

klist -k 
Keytab name: FILE:/etc/krb5.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
3 host/[email protected] 
3 smps/[email protected] 

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication#ConfigureCAAccessGatewaytoSupportIntegratedWindowsAuthentication-KDCConfigurationonUNIXExample 

More, for the Policy Server host and service keytab, you have to
create a different account. Our Documentation gives steps :

KDC Configuration on UNIX Example 

4. Create a user principal (for example, testwakrb), a host principal 
  (host/[email protected], and a service principal 
  (HTTP/win2k8sps.example.co[email protected]) for the web server host. 

5. Create a user principal (testpskrb), host principal 
   (host/[email protected]) and service principal 
   (smps/[email protected]) for the Policy Server 
   host. The password used for creating host account must be same as 
   the password specified when using the ksetup utility on the Policy 
   Server host. 

   [...] 

14. Use the ktutil utility to merge the keytab files 
   (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host 
   principal and service principal names for the Policy Server host 
   in the /etc/krb5.keytab file: 

   ktutil: rkt sol10ps_host.keytab 
   ktutil: wkt /etc/krb5.keytab 
   ktutil: q 
   ktutil: rkt sol10ps_smps.keytab 
   ktutil: wkt /etc/krb5.keytab 
   ktutil: q 

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication 

The Flow of the Kerberos Authentication Scheme is described by this
KD :

  The sequence of Kerberos Authentication. 
  https://comm.support.ca.com/kb/the-sequence-of-kerberos-authentication/kb000014920 

More you may consider to apply the SP2 to your components which brings 
4 fixes about Kerberos. 

Defects Fixed in 12.8.02 

  |        # | Fix      | Details                                              |
  |----------+----------+------------------------------------------------------|
  | 00955340 | DE345303 | Policy Server fails to close or reuse file           |
  |          |          | handles in Kerberos authentication, and it restarts. |
  | 00994201 | DE354477 | erberos constrained delegation fails if the          |
  |          |          | tickets of Policy Server and Agent have expired.     |
  | 01121257 | DE371188 | CA Access Gateway crashes under load when            |
  |          |          | Kerberos authentication is configured.               |
  | 00994201 | DE354477 | Kerberos constrained delegation fails if             |
  |          |          | the tickets of Policy Server and Agent have expired. |

https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/service-packs/defects-fixed-in-12-8-02 

Finally, our Documentation provides a section to troubleshooting Kerberos issues : 

  Troubleshoot Kerberos Authentication Setup 
  https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup