
In this post we'll take a look at configuring Kerberos authentication with Remedy Single Sign-On (RSSO) and troubleshooting any errors we may come across along the way.

 

Versions used in this blog

RSSO 18.02 build 9 (load balanced rsso.bmc.com)

Active Directory Windows 2012

Remedy Midtier 9.1.0 (load balanced remedy.bmc.com)

The servers are in a domain called bmc.com; the users in Active Directory will be in a different domain called diffdom.com.

 

Why are we configuring users in a different domain to the servers?

There have been a few support calls raised with BMC Support about this type of configuration, so we'll use it as the configuration for this post. If the users and servers are in the same domain, it is configured in exactly the same way.

 

Creating the Service Principal Name for RSSO on the KDC

There are a few ways of creating service principals on the KDC for use with RSSO, but the format of what is created will ultimately be the same. To start with we need to create a user in Active Directory. We can either create a standard user or a managed service account; either one is valid. In this post we'll cover creating a user in the normal manner and mapping a service to it. This procedure is a function of the domain administrators and should be sent to them to action.

 

In our case we'll be creating a user account called "MYRSSOPRINCIPLE" as a standard user in Active Directory. We'll set the password options "User Cannot Change Password" and "Password Never Expires"; the password expiry will be dictated by domain policies (fig1).

 

fig1

 

The default group "Domain Users" will be added to this user (fig2). Since the user will never actually log in to any machine interactively, this can be removed, but you will need another group created (perhaps with no login rights), since all users require a primary group. In this instance we will leave it as a member of "Domain Users". Normally no other permissions are needed. You may need to add some other permissions for this user depending on how the AD and KDC are configured; we'll cover this later in the troubleshooting section.

 

Fig2

 

The next step is to create the HTTP service class and map it to our user.

 

The HTTP service class

The HTTP service class differs from the HTTP protocol: both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include "www" for a web service and "ldap" for a directory service. Generally, the service class name can be any string that is unique to the service class. Be aware that the SPN syntax uses the forward slash character (/) to separate elements; therefore, the forward slash character cannot appear in a service class name.

 

To map the service (which in this case will be used by our RSSO server) we'll need to run the "setspn" command from the KDC server command line, in the following format:

 

setspn -S HTTP/serverFQDN USER

 

-S : add an arbitrary SPN after verifying that no duplicates exist

HTTP/ : the service class

ServerFQDN : the computer that is going to be using this service, or the load balancer FQDN

USER : the user that we want to map the service to

 

So in our example we will run the following setspn command:

 

setspn -S HTTP/rssolb.bmc.com MYRSSOPRINCIPLE (fig3)

This command says: map the HTTP service class, for use by rssolb.bmc.com, to my user called MYRSSOPRINCIPLE, but before doing so check that there is no other service called HTTP/rssolb.bmc.com mapped to any other user. If running in an LB environment, as in our case, there is no need to also map the individual server names, since everything will be going through the load balancer; but in some instances, depending on how the KDC is configured, you may need to do this. We'll cover which log messages to look at when this is needed in the troubleshooting steps below. If you do need to do this, add the individual servers in the same way as before by running the setspn -S command; doing this won't cause any issues even if you don't need it. Run the following commands to add the individual servers:

 

setspn -S HTTP/rssoserver1.bmc.com MYRSSOPRINCIPLE

setspn -S HTTP/rssoserver2.bmc.com MYRSSOPRINCIPLE

 

So now we will have three services mapped to our user MYRSSOPRINCIPLE.

 

 

Running the setspn command in this case has thrown a "duplicate SPN found, aborting operation!" message (fig3). This often occurs when a Managed Service Account has already been created and the service mapped to it.

 

fig3

We can see above that we can't map our service to our user MYRSSOPRINCIPLE because this service has already been mapped/registered to another user called "RSSOPRINCIPLE".

As we want to use the user "MYRSSOPRINCIPLE", we will need to delete/unregister the service from that user; to do this we'll need to run setspn with the -D parameter (fig4). Sometimes you will see that there are multiple users that this service is registered to; this should not happen, but it does, and the extra registrations will need to be deleted.

 

setspn -D HTTP/rssolb.bmc.com RSSOPRINCIPLE

 

fig4

Once the delete command has been run, we can continue to map the service to our user again and should not get the duplicate SPN message (fig5).

 

setspn -S HTTP/rssolb.bmc.com MYRSSOPRINCIPLE

For completeness we've also added the individual server names (rssoserver1.bmc.com and rssoserver2.bmc.com).

 

Fig5

 

You can view the registered services by using setspn with the -L parameter (fig6).

 

Fig6
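The SPN steps above (check for a duplicate, register with -S, confirm with -L), as an added PowerShell example that is not part of the original post. It assumes setspn.exe is available on a domain-joined host run as a domain administrator, and uses the post's example account and hostnames; the "Existing SPN found!" marker and the CN= owner lines are the output format of setspn -Q.

```powershell
# Added example (not from the original post): pre-check and register the
# HTTP SPNs for RSSO in the order the post describes, using setspn.exe.
# Assumed values: the account and hostnames are the post's examples.
$Account = 'MYRSSOPRINCIPLE'
$Hosts   = @('rssolb.bmc.com', 'rssoserver1.bmc.com', 'rssoserver2.bmc.com')

foreach ($h in $Hosts) {
    $spn = "HTTP/$h"

    # setspn -Q searches the forest for an existing registration of this SPN.
    # Its output ends with "Existing SPN found!" or "No such SPN found."
    $query = & setspn.exe -Q $spn 2>&1 | Out-String

    if ($query -match 'Existing SPN found') {
        # The lines above the marker name the owning object(s) (CN=...).
        $owners = ($query -split "`r?`n") | Where-Object { $_ -match '^CN=' }
        if ($owners -match "^CN=$Account,") {
            Write-Host "$spn is already registered to $Account, nothing to do."
            continue
        }
        # Registered to a different account: this is the "duplicate SPN found,
        # aborting operation!" case. Report it; only remove it (setspn -D) once
        # the domain admin has confirmed the other owner no longer needs it.
        Write-Warning "$spn is registered to another object: $($owners -join '; ')"
        Write-Warning "Remove it first with: setspn -D $spn <OWNERACCOUNT>"
        continue
    }

    # -S verifies there is no duplicate in the forest before adding.
    & setspn.exe -S $spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -S $spn $Account failed (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Registered $spn -> $Account"
    }
}

# Final check, as in the post's setspn -L step: every expected HTTP SPN
# must now be listed against the account.
$listed = & setspn.exe -L $Account 2>&1 | Out-String
foreach ($h in $Hosts) {
    if ($listed -notmatch [regex]::Escape("HTTP/$h")) {
        Write-Warning "HTTP/$h is missing from setspn -L $Account"
    }
}
Write-Host $listed
```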

 

Now we have our SPN created and services mapped. Normally this is enough and you would then continue to configure on the RSSO admin console. On the RSSO admin console there are two options for having RSSO connect to the KDC with the service principal user. One method is a password: if the KDC allows SPN accounts to connect with a username and password, then we are pretty much done. The second option on the RSSO admin console is to use a keytab file. A keytab file is generally used for SSO when the KDC denies direct login with username and password. The keytab is a file containing pairs of Kerberos principals and encrypted keys. You will still need to create the user and run the setspn command above before creating the keytab file.

 

Creating a Keytab File

This is a domain administrator function and these instructions should be actioned by the domain administrator, along with the user creation and setspn commands above.

 

Open a command prompt and run the following command to create the keytab file:

 

 

ktpass -out <outfile> -mapuser <PRINCIPALUSER> -princ <servicename> -pass <PasswordOfMappedUser> -ptype KRB5_NT_PRINCIPAL -crypto <cryptography type>

 

-out : the path and filename of the keytab file you want created

-mapuser : the username you want to map the service to

-princ : the service principal name (service class, host and realm)

-pass : password of the mapped user

-ptype : specifies the principal type. Types include:

    KRB5_NT_PRINCIPAL is the general principal type (recommended).

    KRB5_NT_SRV_INST is the user service instance.

    KRB5_NT_SRV_HST is the host service instance.

-crypto : cryptography type to be used. Types include:

    DES-CBC-CRC is used for compatibility.

    DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.

    RC4-HMAC-NT employs 128-bit encryption.

    AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption.

    AES128-SHA1 employs AES128-CTS-HMAC-SHA1-96 encryption.

    All states that all supported cryptographic types can be used. Note: the default settings are based on older MIT versions; therefore, /crypto should always be specified.

 

In our case we are going to run the following ktpass command:

 

ktpass -out c:\rssokeytab -mapuser MYRSSOPRINCIPLE -princ HTTP/rssolb.bmc.com@diffdom.com -pass Secret&c0mplex -ptype KRB5_NT_PRINCIPAL  -crypto all

The command will do the following: map the MYRSSOPRINCIPLE user to a service called HTTP/rssolb.bmc.com in the domain diffdom.com, with a principal type of KRB5_NT_PRINCIPAL and all available cryptography types, and create the keytab file called c:\rssokeytab (fig7).

 

fig7

 

Some issues that might occur when running the ktpass command involve complex passwords; the solution is to try a simpler password. When pasting the command from a text editor, some unseen characters might be pasted, which will make the ktpass command fail; the solution is to type it directly into the command prompt.

 

Once the ktpass command has run successfully, two things will happen. 1. The keytab file will be created with the path and name specified (fig8).

 

fig8

2. When viewing the user's account properties you will see the service name instead of the user ID (fig9). Take a note of the User Logon Name and the @domain portion; you will need this later on in the RSSO configuration (in the same format).

 

fig9
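The keytab step and the two checks that follow it, as an added PowerShell example (not the post's own commands). It assumes ktpass.exe and the ActiveDirectory module are available on the domain controller, uses the post's example account, SPN, realm and output path, and prompts for the password so that characters such as & are handed to ktpass.exe as an argument rather than parsed by the shell.

```powershell
# Added example (not from the original post): create the RSSO keytab with
# ktpass.exe and verify the two results the post describes.
# Assumed values: the account, SPN, realm and output path are the post's examples.
$Account = 'MYRSSOPRINCIPLE'
$Spn     = 'HTTP/rssolb.bmc.com'
$Realm   = 'diffdom.com'
$OutFile = 'C:\rssokeytab'

# Prompt for the password instead of typing it on the command line: an
# unquoted & in cmd.exe or PowerShell is a command separator, which is one
# way a "complex password" makes ktpass fail.
$secure = Read-Host -Prompt "Password for $Account" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Arguments are passed as an array, so each value reaches ktpass.exe unparsed.
$ktpassArgs = @(
    '-out',     $OutFile,
    '-mapuser', $Account,
    '-princ',   "$Spn@$Realm",
    '-pass',    $plain,
    '-ptype',   'KRB5_NT_PRINCIPAL',
    '-crypto',  'all'
)
& ktpass.exe @ktpassArgs
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 1. The keytab file exists at the requested path and is not empty.
$file = Get-Item -LiteralPath $OutFile -ErrorAction Stop
if ($file.Length -eq 0) { throw "$OutFile was created but is empty" }

# 2. The account's logon name (userPrincipalName) now shows the service name;
#    this is the value to enter as the Service Principal Name in the RSSO console.
Import-Module ActiveDirectory
$upn = (Get-ADUser -Identity $Account -Properties userPrincipalName).userPrincipalName
if ($upn -ne "$Spn@$Realm") {
    Write-Warning "Expected logon name $Spn@$Realm but found '$upn'"
} else {
    Write-Host "Keytab written to $OutFile; RSSO Service Principal Name is $upn"
}
```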

 

The next step is to configure RSSO. If you created a keytab file, copy it to the RSSO server; if in an LB environment, copy it to all RSSO servers.

 

Configuring Kerberos on the RSSO Admin Console

 

On the RSSO admin console, go to Realm ---> Add Realm, select Kerberos from the dropdown list and fill in the information.

 

KDC Server: The KDC server name where the procedures above were carried out. If in a KDC farm, first use the actual KDC server name; after a successful test, try with the KDC farm name. Sometimes it takes a while for all KDCs to sync.

Service Principal Name: Either the user name created for the RSSO SPN, or the service name if using a keytab file.

Kerberos Realm: The domain the KDC is in. If using a password you will need to fill this in; if using a keytab file it will be filled in automatically.

SPN Password: If not using a keytab file, enter the password of the SPN user created. If using a keytab file this option is greyed out.

UserID format: The format the username will be in when RSSO sends the token and user ID to the calling application. For example, in AR Server the user can exist as JCKERDIFF and not DIFFDOM/JCKERDIFF.

 

User ID transformation: If the KDC/AD sends the username to RSSO in a particular format, use this option to change the user format to work with the calling application.

 

After filling in the information, click the "Test" button. If successful you will see a "Kerberos Connection Successful" message; if it fails, review the troubleshooting portion below.

 

Configuring with password (fig10)

 

 

Configuring with Keytab file (fig11)

After the successful test, save the configuration.

 

Testing Kerberos Login

You will need to make sure web browsers are configured to use Kerberos. Generally this is done by group policy and is not changeable, but if you are testing you should be able to change the web browser configuration.

 

Configuring Internet Explorer

Navigate to Tools > Internet Options > Advanced.

On the Advanced tab and in the Security section, select Enable Integrated Windows Authentication (requires restart).

On the Security tab, select Local Intranet.

Click Custom Level.

In the User Authentication/Logon section, select Automatic logon only in Intranet zone.

Click OK.

Click Sites and select all check boxes.

Click Advanced and add the Remedy SSO service website to the local zone (the website might be already added). For example, sample.bmc.com.

Click Add.

Click OK for all pop-ups.

 

Configuring Mozilla Firefox

Enter the following URL: about:config.

Click I'll be careful, I promise!

Double-click the Preference Name: network.negotiate-auth.trusted-uris.

Add the Fully Qualified Domain Name (FQDN) of the host, for example, sample.bmc.com.

Double-click the Preference Name:  network.automatic-ntlm-auth.trusted-uris.

Add the fully qualified domain name (FQDN) of the host, for example, sample.bmc.com.

Click OK.

 

Configuring Chrome: Chrome will piggyback the settings from Internet Explorer, so configure IE on the PC.

 

When the browser configuration is done, test the login.

 

Troubleshooting Kerberos

There are a few things that can error out when configuring Kerberos for authentication. To troubleshoot these, review the following docs URL: Troubleshooting authentication issues. We'll cover some further troubleshooting in this post; this troubleshooting section will be updated as and when new issues are found.

 

When pressing the "Test" button on the RSSO console we get a failure to connect to the KDC

The first place to look when this issue occurs is the RSSO server logs. Set the RSSO server to debug mode: go to General ---> Basic Settings and set "Server Log Level" to "DEBUG", wait about 15 seconds, then reproduce the problem. Then take a look at the RSSO server log on the RSSO server in tomcat/logs/rsso.0.log.

 

In each of these sections, we'll first take a look at what a good log should look like, so we can use that as a baseline to compare with a log that shows errors.

 

Pressing the "Test" button on the RSSO admin console and getting a "Connect to KDC Successful" message:

 

28 Feb 2018 23:41:51.454 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.testServiceLogin(): Checking Kerberos service login ...

28 Feb 2018 23:41:51.454 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Getting Kerberos subject ...

.

28 Feb 2018 23:41:51.459 INFO Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Starting login context, KDC:clm-aus-021891.diffdom.com, realm:DIFFDOM.COM, user:MYRSSOPRINCIPLE, initiator:true

.

.

28 Feb 2018 23:41:52.140 DEBUG Thread_41 com.bmc.rsso.core.kerberos.KerberosHelper.logSubject(): Kerberos subject obtained: Subject:

Principal: MYRSSOPRINCIPLE@DIFFDOM.COM

Private Credential: Ticket (hex) =

0000: 61 82 04 48 30 82 04 44   A0 03 02 01 05 A1 0D 1B  a..H0..D........

 

The above log shows a successful connection to the KDC server from RSSO using the SPN user (MYRSSOPRINCIPLE), and shows the hex value of the ticket the principal gets from the KDC.

 

 

28 Feb 2018 23:45:34.330 INFO Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Starting login context, KDC:clm-aus-021891.diffdom.com, realm:DIFFDOM.COM, user:MYRSSOPRINCIPLE, initiator:true

28 Feb 2018 23:45:34.330 INFO Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Login using password

28 Feb 2018 23:45:34.360 SEVERE Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.testServiceLogin(): Could not obtain Kerberos subject

Details: Pre-authentication information was invalid (24)

 

The above shows a failed connection to the KDC. In this instance the SPN password has been changed but not updated on the RSSO admin console; the RSSO admin console will also give you a message saying "Invalid SPN password. Check if SPN account password has been changed". However, you might also see this message when:

 

1. The SPN user is found on the KDC and the password is correct, but the KDC does not allow the connection.

2. Specific user permissions are needed for the SPN user to connect to the KDC.

 

In which case the above two points will need to be checked on the KDC side. You will need to speak to the domain admin to take a look at the Windows event logs for Kerberos messages.

By default, Kerberos-related messages are not logged in the Windows Event Viewer; this needs to be specifically enabled, which requires a registry change.

 

Enabling Kerberos Event Logging on a Specific Computer

  1. Start Registry Editor.
  2. Add the following registry value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Registry Value: LogLevel
    Value Type: REG_DWORD
    Value Data: 0x1

    If the Parameters subkey does not exist, create it.

    Note Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.
  3. Quit Registry Editor. The setting will become effective immediately on Windows Server 2003 and newer, and on Windows XP and newer. For Windows 2000, you must restart the computer.
  4. You can find any Kerberos-related events in the System & Security log.

 

Don't forget to remove this registry entry when done troubleshooting. See How to enable Kerberos event logging.

 

 

When trying to run the ktpass command we get the message "KTPASS Getting error "Failed to retrieve user info for <UserName>: 0x5""

This is a KDC configuration issue. Running the following in PowerShell on the KDC resolves this issue: "add-kdsrootkey -EffectiveTime (Get-Date).AddHours(-10)" (see Add-KdsRootKey).

 

When logging into an application (i.e. Midtier, MyIT, ADDM) we get a pop-up prompting for username and password. This is due to either the browser not being configured correctly (see above), the domain you are logging in from not being the same as the users' domain, or an issue with the application or the agent on the application. If the user ID is seen in the RSSO user sessions list, this generally means Kerberos authentication has been completed, and the next troubleshooting steps should be done on the application side. Check the application log and the rssoagent log found in the tomcat/logs directory.

 

The tomcatX-stdout.<date>.log file on the RSSO server also provides useful information when troubleshooting Kerberos; include this file in the troubleshooting log review. Messages like the ones below are logged in this file.

 

>>> KdcAccessibility: remove clm-aus-021891.diffdom.com

>>> KDCRep: init() encoding tag is 126 req type is 11

>>>KRBError:

sTime is Thu Mar 01 00:00:36 GMT 2018 1519862436000

suSec is 121556

error code is 25

error Message is Additional pre-authentication required

sname is krbtgt/DIFFDOM.COM@DIFFDOM.COM

eData provided.

msgType is 30
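A triage routine for the two log files this section walks through, as an added PowerShell example that is not part of the original post. It reads the "Starting login context" line, the success or "Could not obtain Kerberos subject" outcome and the "Details:" code from rsso.0.log, and the "error code is N" lines from the KRBError blocks in the tomcat stdout log; the sample lines are constructed from the excerpts above, and the two paths in the final comment are assumed locations. Error code 24 matches the failed test above; code 25 on its own is the KDC's normal reply to a first AS-REQ sent without pre-authentication data, which the client then retries.

```powershell
# Added example (not from the original post): triage RSSO Kerberos log lines.
# Kerberos error codes (RFC 4120) that appear on this page, with what they mean here.
$KrbCodes = @{
    24 = 'KDC_ERR_PREAUTH_FAILED: wrong or changed SPN password, or the KDC refuses the account (check KDC event logs)'
    25 = 'KDC_ERR_PREAUTH_REQUIRED: normal first reply to an AS-REQ without pre-auth data; the client retries with it'
}
function Get-KrbCodeText([int]$Code) {
    if ($KrbCodes.ContainsKey($Code)) { $KrbCodes[$Code] } else { "code $Code not covered here, see the RFC 4120 error code table" }
}

function Get-KerberosTriage {
    param([string[]]$RssoLines, [string[]]$StdoutLines)
    $r = [ordered]@{ Kdc = $null; Realm = $null; User = $null; Outcome = 'unknown'; Detail = $null; KrbErrors = @() }
    foreach ($line in $RssoLines) {
        if ($line -match 'Starting login context, KDC:(\S+), realm:(\S+), user:(\S+),') {
            $r.Kdc = $Matches[1]; $r.Realm = $Matches[2]; $r.User = $Matches[3]
        } elseif ($line -match 'Kerberos subject obtained') {
            $r.Outcome = 'success'          # the baseline "good" log above
        } elseif ($line -match 'Could not obtain Kerberos subject') {
            $r.Outcome = 'failure'
        } elseif ($line -match '^Details: (.+?)\s*\((\d+)\)') {
            $code = [int]$Matches[2]
            $r.Detail = "$($Matches[1]) [code $code] -> $(Get-KrbCodeText $code)"
        }
    }
    # KRBError blocks in tomcatX-stdout.<date>.log carry the raw KDC error code.
    foreach ($line in $StdoutLines) {
        if ($line -match '^\s*error code is (\d+)') {
            $code = [int]$Matches[1]
            $r.KrbErrors += "KRBError $code -> $(Get-KrbCodeText $code)"
        }
    }
    [pscustomobject]$r
}

# Constructed sample input, built from the failing test and stdout excerpts above.
$sampleRsso = @(
    '28 Feb 2018 23:45:34.330 INFO Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.getSubject(): Starting login context, KDC:clm-aus-021891.diffdom.com, realm:DIFFDOM.COM, user:MYRSSOPRINCIPLE, initiator:true',
    '28 Feb 2018 23:45:34.360 SEVERE Thread_43 com.bmc.rsso.core.kerberos.KerberosHelper.testServiceLogin(): Could not obtain Kerberos subject',
    'Details: Pre-authentication information was invalid (24)'
)
$sampleStdout = @('>>>KRBError:', 'error code is 25', 'error Message is Additional pre-authentication required')
Get-KerberosTriage -RssoLines $sampleRsso -StdoutLines $sampleStdout | Format-List

# Against the real files on the RSSO server (assumed paths):
# Get-KerberosTriage -RssoLines (Get-Content 'C:\rsso\tomcat\logs\rsso.0.log') `
#     -StdoutLines (Get-Content 'C:\rsso\tomcat\logs\tomcat8-stdout.2018-03-01.log') | Format-List
```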

 

We can see the SPN ticket in the RSSO server log, but users are not able to log in. Use the klist command from the command prompt and see if a user can request a ticket directly from the KDC outside of RSSO (see Klist).