In this post we'll take a look at configuring Kerberos for authentication for with Remedy Single Sign-On & troubleshooting any errors we may come across along the way.
Versions used in this blog
RSSO 18.02 build 9 (load balanced rsso.bmc.com)
Active Directory Windows 2012
Remedy Midtier 9.1.0 (load balanced remedy.bmc.com)
The servers are in a domain called bmc.com, the users in Active Directory will be in a different domain called diffdom.com
Why are we configuring users in a different domain to the servers?
There has been a few support calls raised with BMC support with this type of configuration, so we'll run through this as the configuration in this post. If the users and servers are in the same domain, it will be configured in exactly the same way.
Creating the Service Principle Name for RSSO on the KDC
There are a few ways to creating service principles on the KDC to use with RSSO. But the format of the creation will ultimately be the same. To start with we need to create a user in Active Directory. We can either create a standard user or a managed service account, either one will be valid, in this post we'll cover creating a user in the normal manner and map a service to it. This procedure a function of the domain administrators and should be sent to them to action.
In our case we'll be creating a user account called "MYRSSOPRINCIPLE" as a standard user in active directory. We'll set the password options "User Cannot Change Password" and "Password Never Expires" The password expiry will be dictated by domain policies (fig1)
The default group of "Domain Users" will be added to this user (fig2). Since the user will never actually physically log in to any machines this can be removed, but you will need to have another group created (perhaps with no login control) since all users require a primary group. In this instance we will leave it as a member of "Domain Users". Normally no other permissions are needed. You may need to add some other permissions for this user depending how the AD & KDC are configured, we'll cover this at a later on in the troubleshooting section.
The next step is to create the HTTP service class and map it to our user.
The HTTP service class
The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include "www" for a Web service and "ldap" for a directory service. Generally, the service class name can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash character to separate elements. Therefore, the forward slash character cannot appear in a service class name.
To map the service (which in this case will be used by our RSSO server) we'll need to run the "setspn" command from the KDC server command line, with the following format
setspn -S HTTP/severFQDN USER
-S : add arbitrary SPN after verifying no duplicates exist
HTTP/ : Service Class
ServerFQDN : The computer that is going to be using this service or the LB FQDN
USER : The user that we want to map the service to
So in our example we will run the following setspn command
setspn -S HTTP/rssolb.bmc.com MYRSSOPRINCIPLE (fig3) So this command is saying map the HTTP service class, for use by rssolb.bmc.com to my user called MYRSSOPRINCIPLE, but before doing this check that there is no other service called rssolb.bmc.com mapped to any other user. If running in an LB environment as in our case, there is no need to also map the individual server names since everything will be going through the load balancer, but in some instances depending how the the KDC is configured you may need to do this, we'll cover what log messages to look at when this is needed in the troubleshooting steps below. If you do need to do this then add the invidividual severs in the same way as before by running the setspn -S command, doing this won't cause any issues even if you don't need it. Run the following command to add the individual servers
setspn -S HTTP/rssoserver1.bmc.com MYRSSOPRINCIPLE
setspn -S HTTP/rssoserver2.bmc.com MYRSSOPRINCIPLE
So now we will have three services mapped to our user called MYRSSOPRINCIPLE
Running the setspn command in this case has thrown a "duplicate SPN found, aborting operation!" message Fig(3) . This often occurs especially when a Managed Service Account has already been created and the service mapped
We can see above that we can't map our service to our user MYRSSOPRINCIPLE because this service is has already been mapped/registered with another user called "RSSOPRINCIPLE"
as we want to use the user "MYRSSOPRINCIPLE" we will need to delete/unregister the service to the user, to do this we'll need to run setspn with the -D parameter (fig4). Sometimes you will see that there are multiple users that this services is registered to, this should not happen but it does and will need to be deleted.
setspn -D HTTP/rssolb.bmc.com RSSOPRINCIPLE
Once the delete command has been run, we can continue to map the service with our use again and should not get the duplicate SPN message (fig5)
setspn -S HTTP/rssolb.bmc.com MYRSSOPRINCIPLE For completeness we've also added the individual server names (rssosever1.bmc.com & rssoserver2.bmc.com)
You can view the registered service by using setspn with the -L parameter (fig6)
Now we have our SPN created and services mapped. Normally this is enough and you would then continue to configure on the RSSO admin console. On the RSSO admin console there are two options to have RSSO connect to the KDC with the service principle user. One method is password, if the KDC allows SPN accounts to connect with a username and password then we are pretty much done. The second option on the RSSO admin console is to use a keytab file. A keytab file is generally for SSO when the KDC denies direct login with username and password. The keytab is a file containing pairs of Kerberos principals and encrypted keys. You will still need to run create the user and run the setspn command above before creating the keytab file.
Createing A Keytab File
This is an domain administrator function and these instructions should be action by the domain administrator, along with the create user and setpn commands above.
Open a command prompt and run the following command to create the keytab file
ktpass -out <outfile> -mapuser <PRINCIPLEUSER> -princ <servicename> -pass PasswordOfMappedUser -ptype KRB5_NT_PRINCIPAL -crypto <cryptography type>
-out theoutput : file, the path and filename of the keytab file you want created
-mapuser : The username you want to map the service to
-princ : The service class name
-password: password of the mapped user
-ptype: Specifies the principal type.Type include
KRB5_NT_PRINCIPAL is the general principal type (recommended).
KRB5_NT_SRV_INST is the user service instance.
KRB5_NT_SRV_HST is the host service instance.
-crypto: cryptography type to be used. Includes
DES-CBC-CRC is used for compatibility.
DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.
RC4-HMAC-NT employs 128-bit encryption.
AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption.
AES128-SHA1 employs AES128-CTS-HMAC-SHA1-96 encryption.
All states that all supported cryptographic types can be used. Note: The default settings are based on older MIT versions. Therefore, /crypto should always be specified.
In our case we are going to run the following ktpass command
ktpass -out c:\rssokeytab -mapuser MYRSSOPRINCIPLE -princ HTTPfirstname.lastname@example.org -pass Secret&c0mplex -ptype KRB5_NT_PRINCIPAL -crypto all
The command will do the following: map MYRSSOPRINCIPLE user to a service called HTTP/rssolb.bmc.com served by domain diff.com with a principle type of KRB5_NT_PRINCIPLE with all available cryptography and create the keytab file called c:\rssokeytab (fig7)
Some issues that might occur when running the keytab command is using complex passwords with the username, the solution try a simpler password. When pasting the command from
a text editor some unseen characters might be pasted, this will make the keytab command fail, the solution is to type it directly into the the command prompt.
Once the keytab command is run successfully, two things will happen 1. The keytab file will be created in the path and name specified (fig8).
2. When viewing the user properties account details you will see instead of the userID the service name (fig9) take a note of the User Logon name and and the @ domain portion you will need this later on in RSSO configuration (in the same format)
The next step is to configure RSSO. If you created a keytab file copy it to the rsso sever if in an LB environment copy it to all RSSO servers.
Configuring Kerberos on the RSSO Admin Console
On the RSSO admin console, go to realm --->Add Realm and select Kerberos from the dropdown list and fill in the information.
KDC Server: The KDC server name where procedures above was carried out on. If in a KDC farm, first use the actual KDC server name. Do the test of successful try with the KDC farn name
Sometimes it takes a while for all KDC's to sync
Service Principle Name: Either the user name created for RSSO SPN or the service name if using keytab file
Kerberos Realm: The domain the KDC is on, if using password you will need to fill this in, if using keytab file it will be filled in automatically
SPN Password: If not using keytab file enter the password of SPN user created. If using keytab file this option is greyed out
UserID format: The format the username will be in when RSSO send the token and userID to the calling application for example in AR server the user can exists as JCKERDIFF and not DIFFDOM/JCKERDIFF
User ID transformation: If the KDC/AD send the username to RSSO in a particular format, use this option to change the user format to work with the calling application
After filling in the information click the "Test" button if successful you will see a "Kerberos Connection Successful" message, if it fails review the troubleshooting portion below.
Configuring with password (fig10)
Configuring with Keytab file (fig11)
After the successful test, save the configuration.
Testing Kerberos Login
You will to make sure web browsers are configured to use kerberos. Generally this is done by group policies and is not changable, but if you are testing you should be able to change the web browser configuration.
Configuring Internet Explorer
Navigate to Tools > Internet Options > Advanced.
On the Advanced tab and in the Security section, select Enable Integrated Windows Authentication (requires restart).
On the Security tab, select Local Intranet.
Click Custom Level.
In the User Authentication/Logon section, select Automatic logon only in Intranet zone.
Click Sites and select all check boxes.
Click Advanced and add the Remedy SSO service website to the local zone (the website might be already added). For example, sample.bmc.com.
Click OK for all pop-ups.
Configuring Mozilla Firefox
Enter the following URL: about:config.
Click I'll be careful, I promise!
Double-click the Preference Name: network.negotiate-auth.trusted-uris.
Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.
Double-click the Preference Name: network.automatic-ntlm-auth.trusted-uris.
Add the fully qualified domain name (FQDN) of the host, for example, sample.bmc.com.
Configuring Chrome: Chrome will piggy back the setting from internet explorer, so configure IE on the PC.
When the browser configuration is done, test the login.
There a a few things that can error out when configuring kerberos for Authentication. The troubleshoot these review the following docs url Troubleshooting authentication issues We'll cover some further troubleshooting in this post, this troubleshooting section will be updated as and when new issues are found.
When pressing the Testing Tab On the RSSO console we get a failure to connect to the KDC
The first place to look at when this issue occurs is the RSSO server logs. Set the RSSO server to "Debug" mode got to General--->Basic setting and set "Server Log Level" to "DEBUG" wait for about 15 seconds, reproduce the problem. Then take a look at the RSSO server log on the RSSO server in tomcat/logs/rsso.0.log
In each of these section, we'll take a look at what a good log should look like first we can use that as a baseline to compare with a log that shows errors.
Pressing the "TEST" button on the RSSO admin console and getting a "Connect to KDC Successful" message
28 Feb 2018 23:41:51.454 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.testServiceLogin(): Checking Kerberos service login ...
28 Feb 2018 23:41:51.454 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Getting Kerberos subject ...
28 Feb 2018 23:41:51.459 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Starting login context, KDC:clm-aus-021891.diffdom.com, realm:DIFFDOM.COM, user:MYRSSOPRINCIPLE, initiator:true
28 Feb 2018 23:41:52.140 DEBUG Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.logSubject(): Kerberos subject obtained: Subject:
Private Credential: Ticket (hex) =
0000: 61 82 04 48 30 82 04 44 A0 03 02 01 05 A1 0D 1B a..H0..D........
The above log shows successful connection to the KDC server from RSSO using the SPN user (MYRSSOPRINCIPLE) and shows the HEX value of the ticket the principle gets from the KDC
28 Feb 2018 23:45:34.330 INFO Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Starting login context, KDC:clm-aus-021891.diffdom.com, realm:DIFFDOM.COM, user:MYRSSOPRINCIPLE, initiator:true
28 Feb 2018 23:45:34.330 INFO Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Login using password
28 Feb 2018 23:45:34.360 SEVERE Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.testServiceLogin(): Could not obtain Kerberos subject
Details: Pre-authentication information was invalid (24)
The above shows a failed connection to the KDC in this instance the SPN password has been changed but not updated on the RSSO admin console The RSSO admin console will give you a message also saying this "Invalid SPN password. Check if SPN account password has been changed". However you might also see the message when
1. The SPN user is found on the KDC and the password is correct, but the KDC does not allow the connection
2. When specific user permissions are needed for the SPN user to connect to the KDC
In which case the above two point will need to be checked on the KDC side. You will need to speak to the doman admin to take a look at the windows event logs for kerberos messages.
By default kerberos related messages are not logged in windows event viewer it will need to specifically be enabled. This will need a registry change
Enabling Kerberos Event Logging on a Specific Computer
- Start Registry Editor.
- Add the following registry value:
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
If the Parameters subkey does not exist, create it.
Note Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.
- Quit Registry Editor. The setting will become effective immediately on Windows Server 2003 and newer, and on Windows XP and newer. For Windows 2000, you must restart the computer.
- You can find any Kerberos-related events in the System & Security log.
Don't forget to remove this registry entry when done troubleshooting. See How to enable Kerberos event logging
When trying to run the KTpass command we get a message "KTPASS Getting error "Failed to retrieve user info for <UserName>: 0x5"
This is a KDC configuration issue. Running the following on the KDC powershell resolves this issue "add-kdsrootkey -EffectiveTime (Get-Date).AddHours(-10)" see Add-KdsRootKey
When logging into an application i.e. Midtier, MyIT ADDM we get a pop-up prompting for username and password. This is either due to either the browser not configured correctly (see above) or the domain you are login in from is not the same domain as the users domain, or an issue with the application or the agent on the application. If the userID is seen in the RSSO user sessions list, this generally means the kerberos Authentication has been done, the next troubleshooting steps should be done on the application side. Check the application log and the rssoagent log found in tomcat/logs directory.
The tomcatX-stdout.<date>.log file on the RSSO server also provides useful information when troubleshooting kerberos, include this file in the troubleshooting log review. Messages like the below are logged in this file.
>>> KdcAccessibility: remove clm-aus-021891.diffdom.com
>>> KDCRep: init() encoding tag is 126 req type is 11
sTime is Thu Mar 01 00:00:36 GMT 2018 1519862436000
suSec is 121556
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/DIFFDOM.COM@DIFFDOM.COM
msgType is 30
We can see the SPN ticket in the rssoserver log, but users are not able to login. Use the klist command from the command prompt and see if a user can request a ticket directly from the KDC outside of RSSO see Klist