How many SPNs are required if the Policy Server runs on Linux?
Article ID: 132015
Products: CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On
Issue/Introduction
We'd like to know how many SPNs are required if the Policy Server runs on Linux.
As it runs on Linux, should there be a host keytab to register the OS too?
And if so, should the service keytab and the host keytab be merged?
Environment
Policy Server 12.8SP1 on RedHat 7.1; CA Access Gateway (SPS) 12.8SP1 on RedHat 7.1; KDC on Active Directory.
Resolution
At first glance, you would need only one SPN for the Policy Server running on Linux.
However, as per the documentation, you do need both a host and a service principal (SPN) for the Policy Server, and you merge their keytabs into a single .keytab file:
KDC Configuration on UNIX Example
Create a user principal (for example, testwakrb), a host principal (host/[email protected]) and a service principal (HTTP/[email protected]) for the web server host. The password used for creating the host account must be the same as the password specified when using the ksetup utility on the web server host.
Create a user principal (testpskrb), a host principal (host/[email protected]) and a service principal (smps/[email protected]) for the Policy Server host. The password used for creating the host account must be the same as the password specified when using the ksetup utility on the Policy Server host.
---
Kerberos Configuration at the Policy Server on UNIX Example
Use the ktutil utility to merge the keytab files (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host principal and service principal names for the Policy Server host into the /etc/krb5.keytab file:

ktutil: rkt sol10ps_host.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q
ktutil: rkt sol10ps_smps.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: q

Verify the created krb5.keytab as follows:
Moreover, for the Policy Server host and service keytabs, you have to create a separate account from the one used for the web server host. Our documentation gives the steps:
KDC Configuration on UNIX Example
4. Create a user principal (for example, testwakrb), a host principal (host/[email protected]) and a service principal (HTTP/[email protected]) for the web server host.
5. Create a user principal (testpskrb), a host principal (host/[email protected]) and a service principal (smps/[email protected]) for the Policy Server host. The password used for creating the host account must be the same as the password specified when using the ksetup utility on the Policy Server host.
[...]
14. Use the ktutil utility to merge the keytab files (sol10ps_smps.keytab & sol10ps_host.keytab) containing the host principal and service principal names for the Policy Server host in the /etc/krb5.keytab file:
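The principal creation and keytab merge above, as an added example that is not from the CA documentation: a bash script that performs the step 14 merge with MIT ktutil and then checks the `klist -k` listing for both the host and the smps principals, so a keytab that received only one of them is caught before the Policy Server is started. The keytab paths, the host name ps.example.com and the realm EXAMPLE.COM are assumptions, since the page's own principal names are redacted.

```shell
# Added example, not from the CA documentation: merge the Policy Server's
# host and smps keytabs with MIT ktutil, then verify both principals are
# present in the merged file. Host name and realm are placeholders.
set -eu

# Within one ktutil session each rkt appends to the in-memory list and wkt
# writes the whole list, equivalent to the two-session sequence in step 14.
merge_keytabs() {
    local host_kt="$1" smps_kt="$2" target="$3"
    ktutil <<EOF
rkt ${host_kt}
rkt ${smps_kt}
wkt ${target}
q
EOF
    chmod 600 "${target}"   # a keytab holds long-term keys: owner-only access
}

# Return 0 only if every expected principal appears in the given 'klist -k'
# output; the principal name is the last field of each entry line.
check_principals() {
    local klist_out="$1" p
    shift
    for p in "$@"; do
        if ! printf '%s\n' "${klist_out}" |
             awk -v p="${p}" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "missing principal in keytab: ${p}" >&2
            return 1
        fi
    done
    return 0
}

# Read the merged file back and require both the host and the smps entry.
verify_keytab() {
    check_principals "$(klist -k "$1")" \
        'host/ps.example.com@EXAMPLE.COM' 'smps/ps.example.com@EXAMPLE.COM'
}
# Constructed 'klist -k' output after a correct merge ...
SAMPLE_KLIST_MERGED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 host/ps.example.com@EXAMPLE.COM
   3 smps/ps.example.com@EXAMPLE.COM'
# ... and with only the host keytab written (service principal absent).
SAMPLE_KLIST_HOST_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 host/ps.example.com@EXAMPLE.COM'
```

On the Policy Server host, run `merge_keytabs sol10ps_host.keytab sol10ps_smps.keytab /etc/krb5.keytab` followed by `verify_keytab /etc/krb5.keytab`; the KVNO shown by klist must also match the account's current key version in Active Directory, otherwise the Policy Server cannot decrypt the service tickets it receives.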
The flow of the Kerberos authentication scheme is described in this KB:
The sequence of Kerberos Authentication: https://comm.support.ca.com/kb/the-sequence-of-kerberos-authentication/kb000014920
Moreover, you may consider applying SP2 (12.8.02) to your components, which brings 4 Kerberos-related fixes.
Defects Fixed in 12.8.02
| # | Fix | Details |
|----------|----------|------------------------------------------------------------------------------------------------|
| 00955340 | DE345303 | Policy Server fails to close or reuse file handles in Kerberos authentication, and it restarts. |
| 00994201 | DE354477 | Kerberos constrained delegation fails if the tickets of Policy Server and Agent have expired.   |
| 01121257 | DE371188 | CA Access Gateway crashes under load when Kerberos authentication is configured.                |
| 00994201 | DE354477 | Kerberos constrained delegation fails if the tickets of Policy Server and Agent have expired.   |