6 Replies. Latest reply: Aug 15, 2012 6:56 AM by Jim Wilson

Implementation of Domain Authentication with BBSA 8.0?

Samsung BSM

Hi,

During implementation of Domain Authentication with BBSA 8.0, what are all the steps required?

I have followed the following steps from page 154, which are mentioned in BMCBladeLogicAdministration.pdf, but no success.

Are there any steps I am missing or doing wrong? Please suggest.

My system details:

Win2k3 SP2 with support tools, SQL Server database, BBSA 8.0 (all are on the same machine)

Hostname: Win2k3-SQL

Domain: APPSERVER.COM / IP: 192.168.111.133

1. Locating Active Directory KDCs: nslookup -type=srv _kerberos._tcp.REALM

Used: nslookup -type=srv _kerberos._tcp.APPSERVER.COM

Executed successfully.

Output: svr hostname = win2k3-sql.appserver.com
ip = 192.168.111.133

2. Created the blappserv_krb5.conf file and saved it to the C:\Program Files\BMC Software\BladeLogic\version\NSH\br\ directory with the name blappserv_krb5.conf

Used:

[libdefaults]
ticket_lifetime = 6000
default_realm = APPSERVER.COM

[realms]
APPSERVER.COM = {
    kdc = win2k3-SQL.APPSERVER.COM:88
}

[domain_realm]
.appserver.com = APPSERVER.COM

3. Created the blappserv_login.conf file and saved it to the C:\Program Files\BMC Software\BladeLogic\version\NSH\br\ directory with the name blappserv_login.conf

com.bladelogic.auth.service.ADKerberosPasswordLogin {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useTicketCache=false
    debug=false;
};

4. Defined Authentication Service settings for Domain Authentication

Used:

i. set AuthServer isDomainAuthEnabled true
ii. set AuthServer AuthSvcKrb5Config "C:\Program Files\BMC Software\BladeLogic\version\NSH\br\blappserv_krb5.conf"
iii. set AuthServer AuthSvcKrb5LoginConfig "C:\Program Files\BMC Software\BladeLogic\version\NSH\br\blappserv_krb5.confblappserv_login.conf"
iv. Restarted the Application Server.

5. Cross-registering users created in the BMC BladeLogic database

Used:

test1@appserver.com

Same user also created in AD.

6. Created one authentication profile with Domain authentication.

But no luck...

regards,

samsung
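The six steps above, as an added consistency check (example code written for this thread, not BMC's own): it parses the two configuration files as posted, compares the kdc line against the SRV answer from step 1, checks that the JAAS entry the Application Server looks up is present and well-formed, and checks that each blasadmin path names a single file. The AuthSvcKrb5LoginConfig value in step iii as posted runs two file names together into one path, and the path check reports exactly that. The SRV answer and file contents are constructed from the post; the krb5.conf parser handles only the subset used here (flat key = value lines and one-level realm blocks).

```python
"""Consistency checks for a blappserv_krb5.conf / blappserv_login.conf pair.
Added example for this thread; not BMC BladeLogic code."""
import ntpath
import re

# Constructed sample input: the two files as posted above.
KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 6000
default_realm = APPSERVER.COM
[realms]
APPSERVER.COM = {
kdc = win2k3-SQL.APPSERVER.COM:88
}
[domain_realm]
.appserver.com = APPSERVER.COM
"""

LOGIN_CONF = """\
com.bladelogic.auth.service.ADKerberosPasswordLogin {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
useTicketCache=false
debug=false;
};
"""

# Constructed: the SRV answer from `nslookup -type=srv _kerberos._tcp.APPSERVER.COM`.
SRV_KDCS = {"APPSERVER.COM": [("win2k3-sql.appserver.com", 88)]}

JAAS_ENTRY = "com.bladelogic.auth.service.ADKerberosPasswordLogin"


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; [realms] maps realm -> {key: [values]}."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section, realm = head.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        block = re.match(r"(\S+)\s*=\s*\{$", line)
        if block:                                  # realm block opens
            realm = block.group(1)
            sections[section][realm] = {}
            continue
        if line == "}":                            # realm block closes
            realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = sections[section][realm] if realm else sections[section]
        target.setdefault(key, []).append(value)
    return sections


def check_krb5(conf, srv_kdcs):
    """Report mismatches between krb5.conf and what DNS says about the realm's KDCs."""
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    realms = conf.get("realms", {})
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] block")
    for realm, settings in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not upper case; realm names are case-sensitive")
        kdcs = settings.get("kdc", [])
        if not kdcs:
            problems.append(f"realm {realm} lists no kdc")
        expected = {(host.lower(), port) for host, port in srv_kdcs.get(realm, [])}
        for kdc in kdcs:                           # host names compare case-insensitively
            host, _, port = kdc.partition(":")
            if (host.lower(), int(port or 88)) not in expected:
                problems.append(f"kdc {kdc} for {realm} is not a KDC DNS returned: {sorted(expected)}")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped[0] not in realms:
            problems.append(f"[domain_realm] maps {domain} to unknown realm {mapped[0]}")
    return problems


def check_login_conf(text, entry):
    """Verify the JAAS entry the Application Server looks up exists and is well-formed."""
    match = re.search(re.escape(entry) + r"\s*\{(.*?)\}\s*;", text, re.S)
    if not match:
        return [f"no JAAS entry named {entry}"]
    body = match.group(1).strip()
    problems = []
    if "com.sun.security.auth.module.Krb5LoginModule" not in body:
        problems.append(f"{entry} does not use Krb5LoginModule")
    if not body.endswith(";"):
        problems.append(f"{entry}: module options must be terminated by ';'")
    return problems


def check_config_paths(krb5_path, login_path):
    """Each blasadmin value must name exactly one file; a pasted-together path is a common slip."""
    problems = []
    for label, path in (("AuthSvcKrb5Config", krb5_path), ("AuthSvcKrb5LoginConfig", login_path)):
        name = ntpath.basename(path)               # ntpath: Windows paths on any host
        if name.count(".conf") != 1:
            problems.append(f"{label}: {name!r} does not look like a single file name")
    return problems


def run_checks(krb5_text, login_text, srv_kdcs, krb5_path, login_path):
    return (check_krb5(parse_krb5_conf(krb5_text), srv_kdcs)
            + check_login_conf(login_text, JAAS_ENTRY)
            + check_config_paths(krb5_path, login_path))


if __name__ == "__main__":
    BR = r"C:\Program Files\BMC Software\BladeLogic\version\NSH\br"
    for problem in run_checks(KRB5_CONF, LOGIN_CONF, SRV_KDCS,
                              BR + r"\blappserv_krb5.conf",
                              BR + r"\blappserv_krb5.confblappserv_login.conf"):
        print("PROBLEM:", problem)
```

Run against the values in the post, the krb5.conf and login.conf pass and the only report is the AuthSvcKrb5LoginConfig path. Feeding it a krb5.conf whose default_realm is not in [realms] reproduces the shape of the later "Cannot get kdc for realm" failure before the Application Server is restarted.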

  • 1. Implementation of Domain Authentication with BBSA 8.0?
    Joshua Skirde

    Have you created a user in the directory using ktpass, used setspn to set the service principal name and then exported the keytab file? Refer to the documentation here: https://docs.bmc.com/docs/display/public/bsa82/Registering+an+Authentication+Service+in+an+Active+Directory+domain

    What do you see on the client side?

    What error do you get in appserver.log?

    Also check the client log (under %APPDATA%\bladelogic on Windows or ~/.bladelogic on Linux).

    Kind regards,

    Joshua

  • 2. Implementation of Domain Authentication with BBSA 8.0?
    Samsung BSM

    Thanks for the quick help, Joshua.

    But can you let me know whether this is required for implementing Domain authentication or for AD/Kerberos configuration authentication?

    Right now I am running two tests in parallel:

    1 for Domain authentication

    2 for AD

    So for Domain auth I didn't create any user using ktpass.

    But for AD auth I did, following the admin guide pages 162-185 for BBSA 8.0.

    But currently I am getting the problem while verifying the keytab on page 175.

    Maybe some hints on what I did:

    created AD user "blauthsvc"

    copied keytab to br directory on appserver

    created blappserv_krb5.conf and blappserv_login.conf (below)

    nslookup -type=srv _kerberos._tcp.APPSERVER.COM - worked fine

    (svr hostname = win2k3-sql.appserver.com)

    checking if ticket is generated by kinit - getting problem here

    Exception: krb_error 0 Cannot get kdc for realm COMPANY.COM No error

    KrbException: Cannot get kdc for realm COMPANY.COM
         at sun.security.krb5.KrbKdcReq.send(Unknown Source)
         at sun.security.krb5.KrbKdcReq.send(Unknown Source)
         at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
         at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
         at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

    blappserv_krb5.conf

    [libdefaults]
    ticket_lifetime = 6000
    default_realm = APPSERVER.COM

    [realms]
    APPSERVER.COM = {
        kdc = win2k3-sql.appserver.com:88
    }

    [domain_realm]
    .appserver.com = APPSERVER.COM

    blappserv_login.conf

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C:\\BMC\\BladeLogic\\8.0\\NSH\\br\\blauthsvc.keytab"
        storeKey=true
        principal=blauthsvc/Win2k3-SQL@APPSERVER.COM
        doNotPrompt=true
        debug=false;
    };

    Thanks for the help!

    regards,

    samsung

  • 3. Implementation of Domain Authentication with BBSA 8.0?
    Bill Robinson

    Is kdc = win2k3-sql.appserver.com:88 the appserver or your KDC? That line needs to be the KDC returned from the nslookup command. Since you also used that hostname in the SPN, I'm wondering whether that is your appserver or the KDC for the appserver.com realm.

  • 4. Implementation of Domain Authentication with BBSA 8.0?
    Samsung BSM

    Thanks, Bill, for your great response.

    The appserver (BBSA 8.0) and AD are on the same machine.

    Instead of installing AD on another machine, I installed AD on the same machine where the appserver is installed.

    This is just for testing purposes. If it doesn't work in this scenario then I can do it separately.

    Hostname=Win2k3-SQL

    Domain=APPSERVER.COM

    1. While creating blauthsvc.keytab I used the following command and it created the keytab:

    Used:

    ktpass -out blauthsvc.keytab -princ blauthsvc/Win2k3-SQL@ APPSERVER.COM -mapuser blauthsvc@ APPSERVER.COM +rndPass -minPass 33

    Output:

    Targeting domain controller: Win2k3-SQL.appserver.com
    Using legacy password setting method
    Successfully mapped blauthsvc/Win2k3-SQL to blauthsvc.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to blauthsvc.keytab:
    Keytab version: 0x502
    keysize 69 blauthsvc/Win2k3-SQL@ APPSERVER.COM ptype 0 (KRB5_NT_UNKNOWN) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x7f09f22f97c043c9f5772e2faffb9c04)

    2. When I execute the nslookup command it returns:

    Used:

    nslookup -type=srv _kerberos._tcp.APPSERVER.COM

    Output:

    *** Default servers are not available
    Server: UnKnown
    Address: 127.0.0.1

    _kerberos._tcp.APPSERVER.COM SRV service location:
         priority     = 0
         weight     = 100
         port     = 88
         svr hostname = win2k3-sql.appserver.com
    win2k3-sql.appserver.com     internet address=192.168.111.133
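A keytab inspector for the verification step on page 175, added here as example code (not BMC or Microsoft code). It reads the 0x502 format that the ktpass output above reports, lists each entry's principal, name type, kvno and enctype, and raises the points a practitioner checks before pointing Krb5LoginModule at the file: the principal must match the one in blappserv_login.conf byte for byte; ptype 0 (KRB5_NT_UNKNOWN) is what ktpass recorded when run without /ptype, and /ptype KRB5_NT_PRINCIPAL is the documented choice for a user account (the "pType and account type do not match" warning is the usual sign of that); and an RC4-HMAC (etype 0x17) key is simply the NT hash of the account password, so the key bytes ktpass printed above are the credential itself and the account should be re-keyed rather than left posted. Both sample keytabs are constructed inside the block with made-up key bytes; the principal in the first is copied exactly as it appears in the ktpass command above, including the space after '@', whether that came from typing or from the forum.

```python
"""Parse and audit an MIT-format keytab (version 0x502, what ktpass writes).
Added example for this thread; not BMC or Microsoft code."""
import struct

KRB5_NT_UNKNOWN, KRB5_NT_PRINCIPAL = 0, 1
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}          # single DES and RC4-HMAC


def _counted(data):
    """uint16 length followed by the bytes (the keytab's counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=0):
    """Serialise [(principal, name_type, kvno, etype, key)] as a 0x502 keytab.
    Used here only to construct sample input; in practice you read ktpass's file."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, kvno, etype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)             # trailing 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self):
        n = self.take(">H")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, etype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        size = r.take(">i")
        if size < 0:                                # negative size marks a deleted slot
            r.pos += -size
            continue
        end = r.pos + size
        ncomp = r.take(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno8 = r.take(">IIB")
        etype, klen = r.take(">HH")
        key = r.data[r.pos:r.pos + klen]
        r.pos += klen
        kvno = r.take(">I") if end - r.pos >= 4 else vno8   # 32-bit vno wins if present
        r.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "etype": etype, "key": key})
    return entries


def audit_keytab(entries, expected_principal):
    """Findings to clear before trusting the file for Krb5LoginModule."""
    if not entries:
        return ["keytab has no entries"]
    findings = []
    for e in entries:
        p = e["principal"]
        if " " in p:
            findings.append(f"{p!r}: principal contains whitespace and will never match the KDC's name")
        if p != expected_principal:
            findings.append(f"{p!r}: differs from the login.conf principal {expected_principal!r}")
        if e["etype"] in WEAK_ETYPES:
            findings.append(f"{p}: etype {ETYPE_NAMES.get(e['etype'], e['etype'])} is weak "
                            "(for rc4-hmac the key is the account's NT hash)")
        if e["name_type"] == KRB5_NT_UNKNOWN:
            findings.append(f"{p}: name type KRB5_NT_UNKNOWN; ktpass /ptype KRB5_NT_PRINCIPAL "
                            "is the documented choice for a user account")
    return findings


EXPECTED = "blauthsvc/Win2k3-SQL@APPSERVER.COM"
# Constructed samples (made-up key bytes, not the key printed on the forum): the first
# reproduces the principal as it appears in the ktpass command, space after '@' included;
# the second is what a clean AES256 keytab for the same SPN would contain.
AS_POSTED = build_keytab([("blauthsvc/Win2k3-SQL@ APPSERVER.COM", KRB5_NT_UNKNOWN, 6, 23, bytes(range(16)))])
CLEAN = build_keytab([(EXPECTED, KRB5_NT_PRINCIPAL, 6, 18, bytes(32))])

if __name__ == "__main__":
    for label, blob in (("as posted", AS_POSTED), ("clean", CLEAN)):
        for finding in audit_keytab(parse_keytab(blob), EXPECTED) or ["no findings"]:
            print(f"{label}: {finding}")
```

To use it on a real file, pass `open(path, "rb").read()` to `parse_keytab` and the principal string from blappserv_login.conf to `audit_keytab`; the kvno it prints should equal the vno ktpass reported (6 above), since a mismatch after any later password reset on the blauthsvc account is another reason a keytab stops working.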

  • 5. Implementation of Domain Authentication with BBSA 8.0?
    Bill Robinson

    In the error you posted it said:

    Exception: krb_error 0 Cannot get kdc for realm COMPANY.COM No error

    Did you mean 'APPSERVER.COM'?

    If you do an nslookup on the appserver FQDN, does it work? I think your DNS client is not configured correctly.

  • 6. Re: Implementation of Domain Authentication with BBSA 8.0?
    Jim Wilson

    Hi Samsung,

    Please confirm the resolution of this thread.

    Thanks & Regards,

    Jim (Forum Admin)