
Establishing Kerberos Token-Based Authentication

In many organizations, authentication to the Windows environment is the foundation of the security structure for internal users. In combination with the SecureSpan SOA Gateway, Layer 7 not only extends the Kerberos framework already in use but also allows identity and protocol mapping to a variety of other formats, including SAML tokens and client-based authentication (SSL certificates).

Kerberos Workflow Diagram - Layer 7 Technologies

Configuring Kerberos within the SecureSpan Gateway requires the following items:

  • A standard user in the Active Directory to be used as a service user for the SecureSpan Gateway
    ** Note: Ensure that the DES encryption checkbox is unchecked on the Account tab of the user.

    Kerberos User Descriptions - Layer 7 Technologies

  • Access to the Windows ktpass command
  • Administrator rights within the SecureSpan Manager
  • Usage of the following assertions in policy: “Require Windows Integrated Authentication Credentials” or “Require WS-Security Kerberos Token Profile Credentials.”

Management of the Kerberos Keytab file

Create a principal for the Windows service and map it to the service user with the ktpass command:
ktpass -princ http/<hostname>@DOMAIN.COM -mapuser <user> -pass <password> -out kerberos.keytab

For example:
ktpass -princ http/gateway.domain.com@DOMAIN.COM -mapuser gateway -pass password -out kerberos.keytab

This produces the output file kerberos.keytab.

Expanded output from running this command:

Targeting domain controller: dc1.domain.com
Failed to set property "servicePrincipalName" to "gateway.domain.com" on Dn "CN=gateway,CN=Users,DC=domain,DC=com": 0x13.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to kerberos.keytab:
Keytab version: 0x502
keysize 65 gateway.domain.com@DOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype


Install the kerberos.keytab file using the SecureSpan Manager

  1. Open the Kerberos Configuration menu, located in the Tasks menu list.
    Open the Kerberos Configuration Menu - Layer 7 Technologies
  2. In the Kerberos Configuration window, click the “Load Keytab” button and select the keytab file created for this SecureSpan cluster.
    Kerberos Configuration Example - Layer 7 Technologies

    ** Note: The example included above shows what a successful keytab validation should display in the window. If an error occurs, the items listed in the Troubleshooting section describe known configuration requirements and the steps to resolve them.

Configuration of Kerberos Delegation

The SecureSpan SOA Gateway supports Kerberos delegation, which allows the credentials carried in the request's Kerberos token to be used to request a service ticket for the routed service. The service account set up in the previous sections needs to be updated to allow delegation. This is done by modifying the Delegation tab for the user within Active Directory and setting the radio button shown below.

Kerberos User Delegation - Layer 7 Technologies

In addition, the “Use Windows Integrated” and “Use Delegated Credentials” radio buttons need to be selected on the Security tab of the HTTP Routing assertion.

Kerberos Routing Properties - Layer 7 Technologies


Troubleshooting

Hostname resolution - The DNS entry for the SecureSpan Gateway cluster hostname needs to be configured for both forward and reverse DNS lookup.

Time skew - As with all token-based authentication, the time representation across the various entities in the infrastructure plays an integral part in validation. Ensure that the SecureSpan Gateway cluster uses a time server that is in sync with the Active Directory environment.

Incorrect encryption level - Older versions of the ktpass command will not generate keytab files with RC4-HMAC encryption; DES-CBC-MD5 will be used instead. Download the latest ktpass command from Microsoft.

Hostname mismatch - Ensure that the service name generated for the keytab matches the name set in the client's Kerberos token.
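Two of the troubleshooting items above (incorrect encryption level and hostname mismatch) can be checked directly against the kerberos.keytab file produced by ktpass, before it is loaded into the SecureSpan Manager. The following parser is an added example, not Layer 7 or Microsoft code: it reads the MIT keytab layout (format 0x0502, the version shown in the ktpass output above) and reports each entry's principal, name type, kvno and encryption type, then flags DES entries and a principal that does not match the expected http/<hostname>@REALM. The `build_keytab` helper and the sample keytabs are constructed here for an offline run; their keys are dummy bytes, not Active Directory secrets.

```python
"""Inspect a Kerberos keytab (MIT format 0x0502) and verify the service
principal and encryption type before loading it into the gateway.
Added example; the sample keytabs at the bottom are constructed, not real."""
import struct

# Kerberos encryption type numbers from the IANA/RFC 3961 registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_ENCTYPES = {1, 2, 3}          # the "incorrect encryption level" case
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted(buf, off):
    """Read a big-endian uint16 length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _cstr(b):
    """Serialize a length-prefixed octet string (used only to build sample data)."""
    return struct.pack(">H", len(b)) + b


def parse_keytab(data):
    """Return one dict per live entry in a version 0x0502 keytab."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)   # entry length, excluding this field
        off += 4
        end = off + abs(size)
        if size > 0:                                    # a negative size marks a deleted slot
            p = off
            (ncomp,) = struct.unpack_from(">H", data, p); p += 2
            realm, p = _counted(data, p)                # realm precedes the name components
            comps = []
            for _ in range(ncomp):
                c, p = _counted(data, p)
                comps.append(c.decode())
            name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
            (enctype,) = struct.unpack_from(">H", data, p); p += 2
            key, p = _counted(data, p)
            vno = vno8
            if end - p >= 4:                            # optional 32-bit kvno overrides vno8
                (vno,) = struct.unpack_from(">I", data, p)
            entries.append({
                "principal": "/".join(comps) + "@" + realm.decode(),
                "name_type": NAME_TYPES.get(name_type, str(name_type)),
                "kvno": vno,
                "enctype": enctype,
                "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                "key_len": len(key),
            })
        off = end
    return entries


def check_keytab(data, gateway_host, realm):
    """Return a list of problems found (empty list means the keytab looks usable)."""
    expected = "http/%s@%s" % (gateway_host.lower(), realm.upper())
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    if not any(e["principal"].lower() == expected.lower() for e in entries):
        problems.append("hostname mismatch: no entry for %s (found: %s)"
                        % (expected, ", ".join(e["principal"] for e in entries)))
    for e in entries:
        if e["enctype"] in DES_ENCTYPES:
            problems.append("incorrect encryption level: %s uses %s; regenerate with a current ktpass"
                            % (e["principal"], e["enctype_name"]))
    return problems


def build_keytab(entries, kvno=2, name_type=1):
    """Serialize (principal, enctype, key) tuples in 0x0502 layout. Constructed test data only."""
    out = struct.pack(">H", 0x0502)
    for principal, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", name_type, 1_300_000_000, kvno & 0xFF)   # fixed timestamp
        body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample keytabs: an RC4-HMAC entry for the gateway, a DES entry, and a wrong host.
GOOD_KEYTAB = build_keytab([("http/gateway.domain.com@DOMAIN.COM", 23, b"\x11" * 16)])
DES_KEYTAB = build_keytab([("http/gateway.domain.com@DOMAIN.COM", 3, b"\x22" * 8)])
WRONG_HOST_KEYTAB = build_keytab([("http/other.domain.com@DOMAIN.COM", 23, b"\x33" * 16)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("des", DES_KEYTAB), ("wrong host", WRONG_HOST_KEYTAB)):
        print(label, check_keytab(kt, "gateway.domain.com", "DOMAIN.COM") or "OK")
```

To run it against a real file, pass `open("kerberos.keytab", "rb").read()` to `check_keytab` with the cluster hostname and realm. The parser also reports the name type of each entry; the `ptype 0 (KRB5_NT_UNKNOWN)` in the ktpass output above, together with its "pType and account type do not match" warning, is what you see when ktpass is run without an explicit principal type, so a non-empty problems list or an unexpected name type is a reason to regenerate the keytab before loading it.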
