On Fri, Sep 11, 2009 at 8:56 AM, Caron, Christian <[email protected]> wrote:
> Hi list,
>
> We have been successful in having users authenticate through the
> Kerberos mechanism on one website. The website has the same name and
> uses the same IP as the server itself (this is the name that was used to
> create the Service Principal account).
>
> When trying to use the same mechanism for a second website (different
> name, different IP, same physical server), it doesn't work.
>
> Is it possible to have only one Service Principal account and "attach"
> multiple websites to it and how can we achieve that? We would like to
> minimize the number of accounts in AD (if possible, only one per
> physical server).
Yes. Unfortunately, because the MS ktpass.exe utility is very simple, it's not exactly easy. But first, perhaps it is better to explain how this works. Then you can actually make sense of the solution.

When a browser on an AD network authenticates with a website using Kerberos, it goes something like this (this is mostly the same for a non-AD Kerberos authority, but most people are using AD so I'll describe it with AD-specific language):

1. Browser looks at the URL and derives a Service Principal Name (SPN). For example, if the URL is http://www.example.com/ the SPN will be HTTP/[email protected]. This is just simple text manipulation.

2. Browser asks AD for a "ticket" for that SPN. AD will search through all accounts for one that has a servicePrincipalName attribute that matches the supplied SPN. If one matches, it uses that account and its corresponding password to create and return the requested ticket.

3. Browser submits the ticket to the HTTP server, which decodes it (such as with mod_auth_kerb), looks at the SPN, key version number (kvno) and encryption type and tries to locate a keytab file entry that matches those three criteria exactly. If it finds one, it uses that keytab entry to decrypt the ticket and in doing so authenticates the client.

In your case, the relevant part is that the servicePrincipalName attribute on AD accounts is multi-valued. So you can add any number of SPNs to an account using either setspn.exe or ADSI Edit. AD will find the account by any of those names. In fact, people frequently use both long and short names like HTTP/as1.example.com and HTTP/as1 (note that the actual servicePrincipalName attribute value does not include the @EXAMPLE.COM domain part) so that people can authenticate with the site using either http://as1/ or http://as1.example.com/. Personally I think using the short names is a bad idea, but it seems to work and the short name does not require Intranet zone configuration on the client browser.

Note that one thing to watch out for is that AD will fail to return a ticket if the SPN requested is found on more than one account (because it doesn't know which account to use). So be careful that you do not accidentally create multiple service accounts with the same SPN.

Now for the bad news. As I stated, ktpass.exe is very simple. It only generates a keytab with *one* entry. Ugh! So it will simply not do the job. However, if you know the password, you can create a keytab yourself using ktutil on a *nix machine with any number of entries. To do that, first run ktpass.exe once and make a note of the output. In particular you want to note the key version number (kvno), encryption type and of course the password you entered. The encryption type might be displayed as a name, whereas you will need to know the numeric value for that name. Currently this is usually RC4, which I believe is 23 (I don't remember off the top of my head). Now run ktutil on *nix and create an entry for each SPN with the same password, encryption type and kvno, save the keytab and use that with mod_auth_kerb.

There are also utilities that can set the password and generate a keytab with multiple SPNs in one go. Also, professional software that does Kerberos auth usually includes some capability to do all of this for you. If you're using a bare-bones solution like mod_auth_kerb, it's up to you to create a keytab.

Good luck,
Mike

--
Michael B Allen
PHP Active Directory Integration
http://www.ioplex.com/plexcel.html

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
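The multi-entry keytab procedure Mike describes (one ktutil entry per SPN, all with the same password, kvno and encryption type), as an added shell example that is not part of the original thread: it generates the ktutil commands for a list of SPNs and then checks a `klist -kt` listing so that every SPN is present with the kvno AD is issuing tickets for. It assumes MIT ktutil/klist syntax (`addent -password -p PRINCIPAL -k KVNO -e ENCTYPE`, `wkt FILE`); the SPNs, kvno 3, keytab path and the sample listing are constructed values.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes MIT ktutil command
# syntax and the column layout of MIT `klist -kt`. The SPNs, kvno 3 and the
# listing below are constructed sample values.

# Emit one ktutil "addent" per SPN, all with the same kvno and enctype, then
# a "wkt" to write the keytab. Usage: gen_ktutil_script OUTFILE KVNO ENCTYPE SPN...
gen_ktutil_script() {
    outfile=$1; kvno=$2; etype=$3; shift 3
    for spn in "$@"; do
        printf 'addent -password -p %s -k %s -e %s\n' "$spn" "$kvno" "$etype"
    done
    printf 'wkt %s\nquit\n' "$outfile"
}

# Verify a `klist -kt` listing: every expected SPN must appear with the
# expected kvno (a kvno that differs from the one AD uses is a common reason
# a ticket fails to decrypt). Prints each missing entry, returns 1 if any.
# Usage: check_keytab_listing "$(klist -kt FILE)" KVNO SPN...
check_keytab_listing() {
    listing=$1; kvno=$2; shift 2
    rc=0
    for spn in "$@"; do
        printf '%s\n' "$listing" | grep -Eq "^ *$kvno .* $spn\$" \
            || { echo "missing from keytab: $spn (kvno $kvno)"; rc=1; }
    done
    return $rc
}

# Constructed sample of what `klist -kt` prints for a two-SPN keytab.
SAMPLE_LISTING='Keytab name: FILE:/etc/httpd/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/11/2009 08:56:00 HTTP/www.example.com@EXAMPLE.COM
   3 09/11/2009 08:56:00 HTTP/intranet.example.com@EXAMPLE.COM'

# Demo: print the ktutil commands for two websites on one server, then check
# the sample listing for both SPNs.
gen_ktutil_script /etc/httpd/http.keytab 3 rc4-hmac \
    HTTP/www.example.com@EXAMPLE.COM HTTP/intranet.example.com@EXAMPLE.COM
check_keytab_listing "$SAMPLE_LISTING" 3 \
    HTTP/www.example.com@EXAMPLE.COM HTTP/intranet.example.com@EXAMPLE.COM \
    && echo "keytab listing OK"
```

Paste the generated commands into an interactive ktutil session on the *nix host; MIT ktutil prompts for the (shared) password after each `addent`, and the `-e` value may be given as the enctype name (rc4-hmac is enctype 23).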
