6 Replies Latest reply: Aug 15, 2012 6:56 AM by Jim Wilson

    Implementation of Domain Authentication with BBSA 8.0?

    Samsung BSM

      Hi,

      What steps are required to implement Domain Authentication with BBSA 8.0?

      I have followed the steps below from page 154 of BMCBladeLogicAdministration.pdf, but with no success.

      Are there any steps I'm missing or doing wrong? Please suggest.

      My system details:

      Win2k3 SP2 with Support Tools, SQL Server database, BBSA 8.0 (all on the same machine)

      Hostname: Win2k3-SQL / Domain: APPSERVER.COM / IP: 192.168.111.133

      1. Locating Active Directory KDCs: nslookup -type=srv _kerberos._tcp.REALM

      Used: nslookup -type=srv _kerberos._tcp.APPSERVER.COM

      Executed successfully.

      Output: svr hostname = win2k3-sql.appserver.com
              ip = 192.168.111.133

      2. Created the blappserv_krb5.conf file and saved it to the C:\Program Files\BMC Software\BladeLogic\version\NSH\br\ directory with the name blappserv_krb5.conf.

      Used:

      [libdefaults]
      ticket_lifetime = 6000
      default_realm = APPSERVER.COM
      [realms]
      APPSERVER.COM = {
      kdc = win2k3-SQL.APPSERVER.COM:88
      }
      [domain_realm]
      .appserver.com = APPSERVER.COM

      3. Created the blappserv_login.conf file and saved it to the C:\Program Files\BMC Software\BladeLogic\version\NSH\br\ directory with the name blappserv_login.conf.

      Used:

      com.bladelogic.auth.service.ADKerberosPasswordLogin {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=false
          useTicketCache=false
          debug=false;
      };

      4. Defined Authentication Service settings for Domain Authentication

      Used:

      i.   set AuthServer isDomainAuthEnabled true
      ii.  set AuthServer AuthSvcKrb5Config "C:\Program Files\BMC Software\BladeLogic\version\NSH\br\blappserv_krb5.conf"
      iii. set AuthServer AuthSvcKrb5LoginConfig "C:\Program Files\BMC Software\BladeLogic\version\NSH\br\blappserv_krb5.confblappserv_login.conf"
      iv.  Restarted the Application Server.

      5. Cross-registered the users created in the BMC BladeLogic database

      Used:

      test1@appserver.com

      The same user was also created in AD.

      6. Created one authentication profile with Domain authentication.

      But no luck...

      regards,

      samsung

        • 1. Implementation of Domain Authentication with BBSA 8.0?
          Joshua Skirde

          Have you created a user in the directory using ktpass, used setspn to set the service principal name and then exported the keytab file? Refer to the documentation here: https://docs.bmc.com/docs/display/public/bsa82/Registering+an+Authentication+Service+in+an+Active+Directory+domain

          What do you see on the client side?

          What error do you get in appserver.log?

          Also check the client log (under %APPDATA%\bladelogic on Windows or ~/.bladelogic on Linux).

          Kind regards,

          Joshua

          • 2. Implementation of Domain Authentication with BBSA 8.0?
            Samsung BSM

            Thanks for the quick help, Joshua.

            But can you let me know whether this is required for implementing Domain authentication or for AD/Kerberos authentication?

            Right now I'm running two tests in parallel:

            1 for Domain authentication

            2 for AD

            So for Domain auth I didn't create any user using ktpass.

            But for AD auth I did, following the admin guide pages 162-185 for BBSA 8.0.

            But currently I'm getting the problem while verifying the keytab (page 175).

            Some hints on what I did:

            created AD user "blauthsvc"

            copied the keytab to the br directory on the appserver

            created blappserv_krb5.conf and blappserv_login.conf (below)

            nslookup -type=srv _kerberos._tcp.APPSERVER.COM - worked fine
            (svr hostname = win2k3-sql.appserver.com)

            checking if a ticket is generated by kinit - getting the problem here:

            Exception: krb_error 0 Cannot get kdc for realm COMPANY.COM No error
            KrbException: Cannot get kdc for realm COMPANY.COM
                 at sun.security.krb5.KrbKdcReq.send(Unknown Source)
                 at sun.security.krb5.KrbKdcReq.send(Unknown Source)
                 at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
                 at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
                 at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

            blappserv_krb5.conf

            [libdefaults]
            ticket_lifetime = 6000
            default_realm = APPSERVER.COM
            [realms]
            APPSERVER.COM = {
            kdc = win2k3-sql.appserver.com:88
            }
            [domain_realm]
            .appserver.com = APPSERVER.COM

            blappserv_login.conf

            com.sun.security.jgss.accept {
                com.sun.security.auth.module.Krb5LoginModule required
                useKeyTab=true
                keyTab="C:\\BMC\\BladeLogic\\8.0\\NSH\\br\\blauthsvc.keytab"
                storeKey=true
                principal=blauthsvc/Win2k3-SQL@APPSERVER.COM
                doNotPrompt=true
                debug=false;
            };

             

            Thanks for help!

            regards,

            samsung
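The "Cannot get kdc for realm COMPANY.COM" error quoted in the post above is raised before any packet leaves the machine: the JVM's Kinit takes the realm of the principal it was given (or default_realm when none was given), looks it up in the [realms] section of whichever krb5.conf it actually read, and gives up if that realm has no kdc line. Note that kinit only reads blappserv_krb5.conf if it is pointed at that file through the java.security.krb5.conf system property; otherwise it falls back to %SystemRoot%\krb5.ini on Windows (or /etc/krb5.conf on Linux), which is the usual reason a realm name shows up in the error that appears in none of the files you edited. The following is an added example, not BMC or BladeLogic code: it reads the krb5.conf posted above (embedded as SAMPLE_KRB5_CONF) and performs that same lookup; the function names are this example's own.

```python
"""krb5.conf reader that answers the question Kinit asks before it can send
an AS-REQ: which KDC serves realm X?  Added example, not BMC/BladeLogic
code.  SAMPLE_KRB5_CONF is the blappserv_krb5.conf from the thread."""
import re
from typing import Dict, List

SAMPLE_KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 6000
default_realm = APPSERVER.COM
[realms]
APPSERVER.COM = {
kdc = win2k3-sql.appserver.com:88
}
[domain_realm]
.appserver.com = APPSERVER.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the sections used here into dicts.  A realm block
    ('REALM = { ... }') becomes a dict whose values are lists, because a
    realm may list several kdc lines."""
    sections: Dict[str, dict] = {}
    section = None   # current [section]
    block = None     # current 'NAME = {' block inside the section, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"value outside any section: {line!r}")
        if line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            sections[section].setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if block is not None:
            sections[section][block].setdefault(key, []).append(value)
        else:
            sections[section][key] = value
    return sections


def realm_of(principal: str) -> str:
    """The realm is whatever follows the last '@'."""
    return principal.rsplit("@", 1)[1]


def kdcs_for_realm(conf: Dict[str, dict], realm: str) -> List[str]:
    """Return the configured KDCs for a realm.  Raises LookupError with the
    same wording the JVM's Kinit prints when [realms] has no entry."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        raise LookupError(f"Cannot get kdc for realm {realm}")
    return kdcs


def realm_for_host(conf: Dict[str, dict], fqdn: str) -> str:
    """Map a host name to a realm via [domain_realm]: exact host first,
    then each parent domain, then default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = fqdn.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def check_principal(conf: Dict[str, dict], principal: str) -> List[str]:
    """Findings for a principal such as the JAAS 'principal=' value.
    An empty list means the realm resolves to at least one KDC and that
    KDC's host maps back to the same realm."""
    realm = realm_of(principal)
    try:
        kdcs = kdcs_for_realm(conf, realm)
    except LookupError as exc:
        return [str(exc)]
    findings = []
    for kdc in kdcs:
        host = kdc.rsplit(":", 1)[0]
        if realm_for_host(conf, host) != realm:
            findings.append(f"kdc {host} is not mapped to {realm} in [domain_realm]")
    if realm != conf["libdefaults"]["default_realm"]:
        findings.append(f"{realm} is not default_realm; kinit without an explicit "
                        "principal would target a different realm")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("blauthsvc/Win2k3-SQL@APPSERVER.COM", "blauthsvc/Win2k3-SQL@COMPANY.COM"):
        print(p, "->", check_principal(conf, p) or "ok")
```

Run it against the file the JVM really loads (pass the path on the command line or read it in place of SAMPLE_KRB5_CONF): if check_principal reports "Cannot get kdc for realm X" for the realm in your principal, no keytab or SPN change will help until that file gains a [realms] entry for X.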

             

            • 3. Implementation of Domain Authentication with BBSA 8.0?
              Bill Robinson

              Is kdc = win2k3-sql.appserver.com:88 the appserver or your KDC? That line needs to be the KDC returned from the nslookup command. Since you also used that hostname in the SPN, I'm wondering whether that is your appserver or the KDC for the APPSERVER.COM realm.

              • 4. Implementation of Domain Authentication with BBSA 8.0?
                Samsung BSM

                Thanks, Bill, for your great response.

                The appserver (BBSA 8.0) and AD are on the same machine.

                Instead of installing AD on another machine, I installed AD on the same machine where the appserver is installed.

                This is just for testing purposes. If it doesn't work in this scenario then I can separate them.

                Hostname=Win2k3-SQL
                Domain=APPSERVER.COM

                1. While creating blauthsvc.keytab I used the following command and it created the keytab:

                Used:

                ktpass -out blauthsvc.keytab -princ blauthsvc/Win2k3-SQL@APPSERVER.COM -mapuser blauthsvc@APPSERVER.COM +rndPass -minPass 33

                Output:

                Targeting domain controller: Win2k3-SQL.appserver.com
                Using legacy password setting method
                Successfully mapped blauthsvc/Win2k3-SQL to blauthsvc.
                WARNING: pType and account type do not match. This might cause problems.
                Key created.
                Output keytab to blauthsvc.keytab:
                Keytab version: 0x502
                keysize 69 blauthsvc/Win2k3-SQL@APPSERVER.COM ptype 0 (KRB5_NT_UNKNOWN) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0x7f09f22f97c043c9f5772e2faffb9c04)

                2. When I execute the nslookup command it returns:

                Used:

                nslookup -type=srv _kerberos._tcp.APPSERVER.COM

                Output:

                *** Default servers are not available
                Server: UnKnown
                Address: 127.0.0.1

                _kerberos._tcp.APPSERVER.COM SRV service location:
                     priority     = 0
                     weight     = 100
                     port     = 88
                     svr hostname = win2k3-sql.appserver.com

                win2k3-sql.appserver.com     internet address=192.168.111.133
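The ktpass output above states exactly what the keytab should contain: one entry of keysize 69 for blauthsvc/Win2k3-SQL@APPSERVER.COM, ptype 0 (KRB5_NT_UNKNOWN), vno 6, etype 0x17 (RC4-HMAC), 16-byte key. Windows 2003 ships no tool to read the file back, and Krb5LoginModule with useKeyTab=true silently fails to find a key unless the principal= value matches an entry byte for byte, including component case. The following is an added example, not BMC or BladeLogic code: it parses the MIT keytab format (version 0x0502, which is what ktpass writes) and checks the entries against a JAAS principal. SAMPLE_KEYTAB is constructed inline to have the same shape as the thread's blauthsvc.keytab; its key is a dummy 16-byte value and its timestamp is zero. The 69-byte entry size matches the ktpass "keysize 69" above, which is a useful sanity check that the layout is right.

```python
"""Parse an MIT-format keytab (version 0x0502, what ktpass writes) and check
it against the JAAS 'principal=' line.  Added example, not BMC/BladeLogic
code.  SAMPLE_KEYTAB is constructed to mirror the ktpass output in the
thread: one entry, ptype 0, vno 6, etype 0x17, dummy 16-byte key."""
import struct
from dataclasses import dataclass
from typing import List

ENCTYPE_NAMES = {0x03: "DES-CBC-MD5", 0x11: "AES128-CTS", 0x12: "AES256-CTS", 0x17: "RC4-HMAC"}
KRB5_NT_UNKNOWN, KRB5_NT_PRINCIPAL = 0, 1


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a big-endian 16-bit length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry list.  Each entry is: int32 size (negative = deleted
    slot), uint16 component count, realm, components, uint32 name type,
    uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key length, key,
    and an optional uint32 kvno that overrides the 8-bit one."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected keytab version 0x0502")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def encode_entry(principal: str, name_type: int, timestamp: int,
                 kvno: int, enctype: int, key: bytes) -> bytes:
    """Inverse of parse_keytab for one entry; used only to build the sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: same layout as the thread's blauthsvc.keytab, dummy key.
SAMPLE_KEYTAB = b"\x05\x02" + encode_entry(
    "blauthsvc/Win2k3-SQL@APPSERVER.COM", KRB5_NT_UNKNOWN, 0, 6, 0x17, bytes(range(16)))


def check_against_jaas(entries: List[KeytabEntry], jaas_principal: str) -> List[str]:
    """Problems a Krb5LoginModule with useKeyTab=true would hit.  Principal
    comparison is exact: component case matters ('Win2k3-SQL' != 'win2k3-sql')."""
    matches = [e for e in entries if e.principal == jaas_principal]
    if not matches:
        return [f"principal {jaas_principal} not in keytab; found "
                + ", ".join(e.principal for e in entries)]
    problems = []
    for e in matches:
        if e.name_type != KRB5_NT_PRINCIPAL:
            problems.append(f"warning: name type {e.name_type} (ktpass default, the "
                            "'pType and account type do not match' warning); "
                            "use -ptype KRB5_NT_PRINCIPAL for a user account")
        if e.enctype == 0x17:
            problems.append("warning: RC4-HMAC key; prefer an AES enctype on a KDC "
                            "that supports it")
    return problems


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, hex(e.enctype)))
    print(check_against_jaas(parse_keytab(SAMPLE_KEYTAB), "blauthsvc/Win2k3-SQL@APPSERVER.COM"))
```

To check a real file, replace SAMPLE_KEYTAB with open(path, "rb").read(); the kvno printed must equal the vno ktpass reported (6 here), since every ktpass run with +rndPass resets the account password and bumps the kvno, which invalidates any keytab exported earlier.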

                • 5. Implementation of Domain Authentication with BBSA 8.0?
                  Bill Robinson

                  In the error you posted it said:

                  Exception: krb_error 0 Cannot get kdc for realm COMPANY.COM No error

                  Did you mean 'APPSERVER.COM'?

                  If you do an nslookup on the appserver FQDN, does it work? I think your DNS client is not configured correctly.

                  • 6. Re: Implementation of Domain Authentication with BBSA 8.0?
                    Jim Wilson

                    Hi Samsung,

                     

                    Please confirm the resolution of this thread.

                     

                    Thanks & Regards,

                    Jim (Forum Admin)