In many organizations, authentication to a Windows environment is central to the overall security structure for internal users. With the SecureSpan SOA Gateway, Layer 7 not only extends the Kerberos framework already in use but also provides identity and protocol mapping to a variety of other formats, including SAML tokens and client certificate authentication (SSL certificates).
Kerberos Workflow Diagram
Configuring Kerberos within the SecureSpan Gateway requires the following items:
Create a principal for the Windows service and then map it to the host using the ktpass command:
ktpass -princ http/gateway.domain.com@DOMAIN.COM -mapuser gateway -pass password -out kerberos.keytab
This produces the output file kerberos.keytab.
Expanded output from running this command:
Targeting domain controller: dc1.domain.com
Failed to set property "servicePrincipalName" to "gateway.domain.com" on Dn "CN=gateway,CN=Users,DC=domain,DC=com": 0x13.
WARNING: pType and account type do not match. This might cause problems.
Output keytab to kerberos.keytab:
Keytab version: 0x502
keysize 65 gateway.domain.com@DOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 2 etype
Install the kerberos.keytab file using the SecureSpan Manager.
**Note:** The example above shows what a successful keytab validation should output to the console. If an error occurs, the items listed in the troubleshooting section describe known configuration requirements and the steps to resolve them.
The SecureSpan SOA Gateway supports Kerberos delegation, which allows the credentials extracted from the Kerberos token in the incoming request to be used to request a service ticket for routing. The service account set up in the previous sections must be updated to allow delegation. This is done on the Delegation tab for the user in Active Directory by selecting the radio button shown below.
In addition, the “Use Windows Integrated” and “Use Delegated Credentials” radio buttons must be selected in the HTTP Routing assertion's Security tab.
Hostname resolution – The DNS entry for the SecureSpan Gateway cluster hostname must be configured for both forward and reverse lookup.
Time skew – As with all token-based authentication, the time kept by the various entities in the infrastructure plays an integral part in validation. Ensure that the SecureSpan Gateway cluster uses a time server that is in sync with the Active Directory environment.
Incorrect encryption level – Older versions of the ktpass command do not generate keytab files with RC4-HMAC encryption; DES-CBC-MD5 is used instead. Download the latest ktpass command from Microsoft.
Hostname mismatch – Ensure that the service name used when generating the keytab matches the name in the client's Kerberos token.
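As an added example (not part of the Layer 7 documentation or product), the following Python script parses a version 0x502 keytab such as the one ktpass writes above and flags the two keytab problems from the troubleshooting list before the file is installed: a single-DES key from an old ktpass, and a principal that does not match the expected SPN. The build_keytab helper and its sample entries are constructed test data, not real ktpass output.

```python
import struct

WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # single-DES etypes to reject

def _cstr(b):  # keytab "counted octet string": big-endian uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(data, off):
    n = struct.unpack_from(">H", data, off)[0]
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):  # version 0x502 layout, as written by MIT, Heimdal and ktpass
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)  # a negative size marks a deleted slot to skip
        if size > 0:
            ncomp = struct.unpack_from(">H", data, off)[0]
            realm, off = _read_cstr(data, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, off = _read_cstr(data, off)
                comps.append(comp.decode())
            _ntype, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, off)
            key, off = _read_cstr(data, off + 11)
            vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # 32-bit kvno optional
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "vno": vno, "etype": etype})
        off = end
    return entries

def check_keytab(data, expected_spn):  # returns the problems to fix; an empty list means the keytab is usable
    problems = []
    for e in parse_keytab(data):
        if e["etype"] in WEAK_ETYPES:
            problems.append("%s: weak %s key; regenerate with a current ktpass" % (e["principal"], WEAK_ETYPES[e["etype"]]))
        if e["principal"] != expected_spn:
            problems.append("%s: principal does not match expected SPN %s" % (e["principal"], expected_spn))
    return problems

def build_keytab(entries):  # (spn, etype, key) tuples -> 0x502 keytab; constructed test data, not ktpass output
    out = b"\x05\x02"
    for spn, etype, key in entries:
        name, realm = spn.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 0, 2, etype) + _cstr(key) + struct.pack(">I", 2)  # NT_PRINCIPAL, kvno 2
        out += struct.pack(">i", len(body)) + body
    return out
```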