ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software
Avocent, the Avocent logo, The Power of Being There and DSView are registered trademarks of Avocent Corporation or its affiliates in the U.S. and other countries. All other marks are the property of their respective owners. 2009 Avocent Corporation.
Configuring DSView 3 Management Software to Enable Single Sign-On with SPNEGO and Kerberos

To register a DSView 3 server in the DNS:

1. Make sure you have the DSView 3 software installed.
2. Log on to your DNS server as an administrator.
3. Open the DNS management console (Start - Programs - Administrative Tools - DNS).
4. Select a Forward Lookup zone where the DSView 3 server will be registered.
   NOTE: It is recommended this be the same zone where the Active Directory domain controller computer is registered.
5. Right-click the Lookup zone and select New Host...
6. Enter the DSView 3 server name and its IP address.
   NOTE: Make a note of the fully qualified domain name (FQDN).

Figure 1: New Host Screen
To configure an Active Directory (AD) Server to add an SPN user:

NOTE: In order to configure the Active Directory Server to add an SPN user, you must have admin rights to the Active Directory Server and the ktpass command must be available.

1. Log on to the AD server as an administrator and run the Active Directory Users and Computers snap-in application.
2. Select the login domain.
3. Select the Users folder and right-click to select the New User option. Enter the name of the DSView 3 server in the First Name, User Logon Name and User Logon Name (pre-Windows 2000) fields.

Figure 2: New Object - User Screen

4. Click Next and enter a password that will be used in step 5 for the ktpass command. Check the box next to Password never expires and click Next to complete the Wizard.
Figure 3: New Object - User Password Screen

5. Open a console command window and execute the following command to create the file that stores the SPN credentials:

   ktpass -princ HTTP/<dns_name>@<DOMAIN> -pass <user_password> -mapuser <user_name> -out <keytab_file_name> -ptype KRB5_NT_PRINCIPAL

   Where:
   <dns_name> is the FQDN you received when you registered the DSView 3 software in the DNS.
   <DOMAIN> is the login domain used when you configured the Active Directory Server.
   <user_password> is the password entered in step 4.
   <user_name> is the user created in step 3.
   <keytab_file_name> is the full path and name of the keytab file to store the SPN credentials.

   Example:
   ktpass -princ HTTP/sun-ipv6-vista.testlab.avocent.com@testlab.avocent.com -pass password123 -mapuser sun-ipv6-vista -out c:\myfile.keytab -ptype KRB5_NT_PRINCIPAL
NOTE: The keytab file must be copied to the computer running DSView 3 software in the <%DSView install directory%/bin> directory and it must be renamed kerberos.keytab.

To configure the DSView 3 server:

NOTE: The Active Directory Server must be configured prior to configuring the DSView 3 server.

1. Copy the keytab file obtained when you configured the Active Directory Server and paste it to the <%DSView install directory%/bin> directory.
2. Rename it kerberos.keytab.
3. Enable Single Sign-On support by navigating to the following DSView 3 software page: System - DSView Server - DSView name - Properties - DSView Client Sessions, then select Enable Integrated Windows Authentication.

Figure 4: DSView 3 Server Client Properties Page

NOTE: Each DSView 3 server has only one kerberos.keytab; there is only one service principal associated with the DSView 3 server. In the case of a Hub - Spoke configuration, you need to repeat all steps for each server.

To configure a client browser in Internet Explorer:

NOTE: You need Internet Explorer 6 or 7 to configure a client browser.

1. In Internet Explorer, go to Tools - Internet Options. In the Advanced tab, select Security - Enable Integrated Windows Authentication.
Figure 5: Internet Options Screen

2. Go to Security - Local Intranet - Custom Level. Under the User Authentication - Logon heading, make sure the radio button next to Automatic logon only in Intranet zone is selected. Click OK.
Figure 6: Security Settings Screen

3. Click Sites for the Local intranet zone.
4. Click Advanced and add the DSView 3 server name to the list of Web sites, using the following format:
   https://<dsview_computer_name>
5. Click OK.
Figure 7: Local Intranet Screen

NOTE: The computer name should not contain any periods. Otherwise, the DSView 3 software will identify the address as an Internet address and will not use SSO.

6. Go to the Connections tab and click LAN Settings. If there is a proxy configured, select the Bypass proxy server for local addresses option.
7. Restart the browser.

To configure a client browser in Firefox:

NOTE: You need Firefox 2 or 3 to configure a client browser.

1. Type about:config in the URL field. A list of key-value pairs will appear.
2. Type network.negotiate in the Filter field.
3. Add the DSView 3 server computer name URL to the network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris keys.
4. Close the page.
Figure 8: about:config Screen

Kerberos tools

Kerbtray.exe

This application comes with the Microsoft Windows 2000 or 2003 Resource Kit Tools. Go to www.microsoft.com/downloads to download the application. Kerbtray allows a user to list and flush the Kerberos tickets loaded in the Windows OS.

To configure kerbtray.exe:

1. Download the Windows Resource Kit Tools from the Microsoft Web site and install the resource kit.
2. Go to C:\Program Files\Windows Resource Kits\Tools and execute kerbtray.exe. This will load the monitor as an icon in the Windows taskbar notification area.
3. Double-click the Kerbtray icon in the Windows taskbar notification area to list the tickets. You can select a ticket to see the principal name, time flags or encryption type.
Figure 9: Kerberos Tickets Screen

4. Right-click the Kerbtray icon in the Windows taskbar notification area and select Purge Tickets to purge the tickets from the computer.
   NOTE: If you have purged the tickets, you will need to close and re-open the Kerbtray window to see any changes.

kinit

This application comes with the Java distribution and allows you to retrieve tickets from the KDC and store them in a cache file. You can use kinit to test whether the Service Principal Name has been created in the KDC and whether a keytab file presents any problems.

Krb5 configuration file

The kinit application requires a Kerberos configuration file to work. The configuration file stores information about the realm and the KDC server.

To create a Krb5 configuration file:

1. On the computer where the kinit utility will be executed, go to the following directory:
   For Windows: c:/windows
   -or-
   For Unix: /etc/krb5
   -or-
   For Linux: /etc
2. Create a new file with the following name depending on the operating system:
   For Windows: krb5.ini
   -or-
   For Unix/Linux: krb5.conf
3. Open the file you created and copy the following template to it:

   [libdefaults]
   default_realm = <SERVICE_PRINCIPAL_REALM>
   forwardable = true
   udp_preference_limit = 1
   default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
   default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
   permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

   [realms]
   <SERVICE_PRINCIPAL_REALM> = {
       kdc = <kdc_ip_address>
   }

   Where:
   <SERVICE_PRINCIPAL_REALM> is the login DOMAIN used when you configured the Active Directory Server. It must be in uppercase letters.
   <kdc_ip_address> is the KDC IP address. In most cases, this address will be the same as the Active Directory Server IP address. For IPv6, use the server DNS name instead.
4. Click Save.

To validate the SPN with kinit:

Once the DSView 3 server has the krb5.ini file configured, you can test the validity of the SPN.

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command:

   kinit <service_principal_name>

   Where:
   <service_principal_name> is the FQDN.
   Example:
   kinit HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM

4. Kinit will request a password. Type the password you created when you configured the Active Directory Server and press Enter. If the SPN and configuration are correct, Kinit will show the message: New ticket is stored in cache file

To validate the keytab file with kinit:

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command:

   kinit -k -t <keytab_file_name> <service_principal_name>

   Where:
   <keytab_file_name> is the name of the keytab file.
   <service_principal_name> is the FQDN name.

   Example (the path contains spaces, so it is quoted):
   kinit -k -t "C:\Program Files\Avocent DSView 3\bin\kerberos.keytab" HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM

   If the SPN and configuration are correct, Kinit will show the following message: New ticket is stored in cache file

klist

This application comes with the Java distribution and allows you to list Kerberos tickets from the command line.

To execute the klist command:

1. Open a command console window.
2. Go to the <%DSView installation%/j2sdk/bin> directory.
3. Type the following command to show all the Kerberos tickets for the logged-in user:
   klist -tickets
4. Type the following command to get current TGT (Ticket-granting ticket) information:
   klist -tgt
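The kinit -k -t check above succeeds only if the keytab actually contains an entry whose principal matches the SPN you pass, character for character. The following Python script is an added example, not part of this bulletin or of the DSView 3 software: it parses the version 2 keytab format that ktpass writes (the same format the Java kinit reads), lists each entry's principal, encryption type and key version number, and reports whether the expected SPN is present, distinguishing a missing entry from one that differs only in case. The build_keytab function exists only to construct a sample file in memory for the demonstration; the principal and realm are the bulletin's example values, and the 16-byte key is a constructed placeholder. Key bytes are skipped over, never printed.

```python
import struct

# Kerberos encryption type numbers (IANA registry) for the enctypes named in the krb5.ini template.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1                      # name type ktpass is told to use with -ptype
SAMPLE_SPN = "HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM"   # bulletin's example


def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, key: bytes, enctype: int = 23, kvno: int = 3, timestamp: int = 0) -> bytes:
    """Construct a one-entry version 0x0502 keytab for 'service/host@REALM' (sample input only;
    in practice ktpass produces the file)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)                      # keyblock: enctype + key
    body += struct.pack(">I", kvno)                                          # optional full 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per used entry: principal, enctype name, kvno, timestamp, name_type."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                       # skip the key bytes: not needed to identify the entry
        kvno = vno8
        if end - pos >= 4:                # trailing 32-bit vno, if present, overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "kvno": kvno, "timestamp": ts, "name_type": name_type})
    return entries


def check_keytab(data: bytes, expected_spn: str) -> list:
    """List the problems that would make 'kinit -k -t <keytab> <expected_spn>' fail to find a key."""
    problems = []
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    if any(e["principal"] == expected_spn for e in entries):
        return problems
    loose = [e for e in entries if e["principal"].lower() == expected_spn.lower()]
    if loose:
        problems.append("principal differs only in case from %s: %s" % (expected_spn, loose[0]["principal"]))
    else:
        problems.append("no entry for %s (found: %s)" % (expected_spn, ", ".join(e["principal"] for e in entries)))
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python keytab_check.py [path\to\kerberos.keytab] [HTTP/host@REALM]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_SPN, b"\x11" * 16)
    spn = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SPN
    for entry in parse_keytab(data):
        print(entry)
    print(check_keytab(data, spn) or "OK: %s present" % spn)
```

Run it against the real kerberos.keytab in the DSView 3 bin directory before trying kinit: an empty list from check_keytab means the principal is there, and a "differs only in case" result points straight at the case-sensitivity issue described in the troubleshooting appendix.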
Appendix A: Troubleshooting

Fix for Windows Server 2003

In Windows 2003 you need Service Pack 2 or later. The ktpass command doesn't work in earlier versions. See http://support.microsoft.com/kb/919557 for more information.

Fix for Windows Server 2008

You need to get the hot fix 227849 from the Microsoft Web site because of existing problems searching the SPN in Active Directory. See http://support.microsoft.com/kb/951191 for more information.

Kinit returns error message: Client not found in Kerberos database (6)

If kinit returns error message (6), it means that the Service Principal Name is not found in the Kerberos database. To fix the issue, check the following:

Check that the SPN you created matches the SPN in the kinit command. Note that the SPN is case sensitive. It is recommended that the SPN HTTP service is defined in uppercase letters, that the computer DNS name is defined in lowercase letters and that the KDC realm is defined in uppercase letters.

Make sure that the user account name you created matches the SPN. Once you run the ktpass command, the Windows account name is changed from the computer name to the SPN. You can check this by browsing the Active Directory user account properties.

Check that there is no other SPN defined in the Kerberos database with the same name as the one you created. You can do this by running the following command:

   ldifde -f <output_txt_file> -l serviceprincipalname -r "(serviceprincipalname=http/*)" -p subtree

   Where:
   <output_txt_file> is the file name where the ldifde command will store the result.

Check the output file to look for duplicate SPNs. In Windows 2008 you can run the setspn command instead:

   setspn -x

This command only returns duplicate SPNs. If duplicate SPNs are found, delete the user account with duplicate SPNs in Active Directory and create a new user account.
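Reading an ldifde export by eye for duplicates is error-prone on a domain with many HTTP SPNs. The following Python helper is an added example, not part of this bulletin: it parses an LDIF export of the kind the ldifde command above writes (one record per account, multi-valued attributes repeated line by line, values ldifde considers unsafe base64-encoded after a double colon, long values folded onto continuation lines), reports every SPN registered on more than one account, and checks a single SPN against the casing convention recommended above. The sample LDIF is constructed for the demonstration; only sun-ipv6-vista is the bulletin's example name, and the other account names are invented. Duplicates are compared case-insensitively, which is how Active Directory and setspn -x treat them, so an account carrying the same SPN in different case is reported too.

```python
import base64
from collections import defaultdict

# Constructed sample of an ldifde export produced by:
#   ldifde -f out.txt -l serviceprincipalname -r "(serviceprincipalname=http/*)" -p subtree
# The third record uses the '::' base64 form that ldifde emits for values it does not treat as safe text.
SAMPLE_LDIF = (
    "dn: CN=sun-ipv6-vista,CN=Users,DC=testlab,DC=avocent,DC=com\n"
    "changetype: add\n"
    "servicePrincipalName: HTTP/sun-ipv6-vista.testlab.avocent.com\n"
    "servicePrincipalName: HTTP/sun-ipv6-vista\n"
    "\n"
    "dn: CN=old-dsview,CN=Users,DC=testlab,DC=avocent,DC=com\n"          # invented stale account
    "changetype: add\n"
    "servicePrincipalName: http/SUN-IPV6-VISTA.testlab.avocent.com\n"    # same SPN, different case
    "\n"
    "dn: CN=webproxy,CN=Computers,DC=testlab,DC=avocent,DC=com\n"        # invented unrelated account
    "changetype: add\n"
    "servicePrincipalName:: " + base64.b64encode(b"HTTP/webproxy.testlab.avocent.com").decode() + "\n"
)


def parse_ldif_records(text: str) -> list:
    """Parse LDIF into a list of (dn, {attribute_lowercase: [values]}) tuples."""
    # Unfold continuation lines: LDIF folds long values onto following lines that start with one space.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines:
        if not line.strip():                     # blank line ends a record
            if current is not None:
                records.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][attr.lower()].append(value)
    if current is not None:
        records.append(current)
    return records


def find_duplicate_spns(text: str) -> dict:
    """Map each SPN held by more than one account (compared case-insensitively) to the sorted list of DNs."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif_records(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def spn_case_warnings(spn: str) -> list:
    """Check the bulletin's recommended casing: service uppercase, host lowercase, realm uppercase."""
    warnings = []
    name, _, realm = spn.partition("@")
    service, _, host = name.partition("/")
    if not host:
        return ["SPN has no host part: %s" % spn]
    if service != service.upper():
        warnings.append("service '%s' should be uppercase" % service)
    if host != host.lower():
        warnings.append("host '%s' should be lowercase" % host)
    if realm and realm != realm.upper():
        warnings.append("realm '%s' should be uppercase" % realm)
    return warnings


if __name__ == "__main__":
    import sys
    # Usage: python spn_check.py [ldifde_output.txt]  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-16" if len(sys.argv) > 2 else "utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for spn, dns in find_duplicate_spns(text).items():
        print("duplicate SPN %s on: %s" % (spn, "; ".join(dns)))
    print(spn_case_warnings("HTTP/sun-ipv6-vista.testlab.avocent.com@TESTLAB.AVOCENT.COM") or "casing OK")
```

ldifde writes its output file in the local code page or, with -u, in Unicode, so pass the matching encoding when opening a real export; the constructed sample is plain ASCII. The case-warning function takes the full principal form used in the kinit examples (HTTP/host@REALM); the values in Active Directory's servicePrincipalName attribute carry no realm, and the function simply skips the realm check when none is present.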
Kinit returns error message: Pre-authentication information was invalid (24)

If kinit returns error message (24), the password stored in the keytab file does not match the user account password. Make sure the password entered for the user created in Active Directory is the same as the password passed as a parameter of the ktpass command.
Kerbtray doesn't show any ticket for my SPN in the client

If SSO fails, check whether the Kerbtray utility on the computer running your browser has any tickets with your Service Principal Name. If there is no ticket, do the following:

Check that the DNS name matches the DSView 3 server name.

Check that the client is getting the correct DSView 3 server name from the DNS by using the nslookup command:

   nslookup <DSView_server_FQDN>

Make sure that an entry does not exist for the DSView 3 server in the c:\windows\system32\drivers\etc\hosts file. Such an entry will prevent the client from getting the correct DSView 3 software DNS name from the network.

Make sure that the client and the Active Directory server have the same computer time. You can configure the computers to synchronize their time with an external Time Server. See http://support.microsoft.com/kb/816042 for more information.

The client computer got the ticket but SSO fails

If the client computer has a Kerberos ticket but accessing DSView 3 software with SSO fails, do the following:

Make sure that the kerberos.keytab file on the computer running DSView 3 software is correct. If you change the SPN or the account password, you need to create a new keytab file and transfer this new file to the computer running DSView 3 software.

Make sure that the client and the Active Directory server have the same computer time. You can configure the computers to synchronize their time with an external Time Server. See http://support.microsoft.com/kb/816042 for more information.

Check that the client is getting the correct DSView 3 server name from the DNS by using the nslookup command:

   nslookup <DSView_server_FQDN>
For Technical Support: www.avocent.com/support