9 Replies Latest reply on Dec 16, 2010 3:57 PM by Bill Robinson

    Need help in implementing Domain Authentication

    Amir Khamis

      Hello,

      I need to be able to login to BL8 SP7 using my domain user account.

      I followed the BL Admin guide on page 154 and here is exactly what I did:
      ******************************************************************************************************************************************

      C:\Users\ami295>nslookup -type=srv _kerberos._tcp.ad.priority-health.com
      Server:  sado.ad.priority-health.com
      Address:  10.50.8.11

      _kerberos._tcp.ad.priority-health.com   SRV service location:
                priority       = 0
                weight         = 100
                port           = 88
                svr hostname   = dunk.ad.priority-health.com
      _kerberos._tcp.ad.priority-health.com   SRV service location:
                priority       = 0
                weight         = 100
                port           = 88
                svr hostname   = sado.ad.priority-health.com
      _kerberos._tcp.ad.priority-health.com   SRV service location:
                priority       = 0
                weight         = 100
                port           = 88
                svr hostname   = pine.ad.priority-health.com
      _kerberos._tcp.ad.priority-health.com   SRV service location:
                priority       = 0
                weight         = 100
                port           = 88
                svr hostname   = kozu.ad.priority-health.com
      dunk.ad.priority-health.com     internet address = 10.50.8.70
      sado.ad.priority-health.com     internet address = 10.50.8.11
      pine.ad.priority-health.com     internet address = 10.50.9.63
      kozu.ad.priority-health.com     internet address = 10.50.137.10

      C:\Users\ami295>ad.priority-health.com

      ******************************************************************************************************************************************

      here are the 2 files I created:

      [root@tusk br]# cat blappserv_kbr5.conf blappserv_login.conf
      [libdefaults]
      ticket_lifetime = 6000
      default_realm = ad.priority-health.com
      [realms]
      USERS_REALM = {
      kdc = sado.ad.priority-health.com:88
      kdc = pine.ad.priority-health.com:88
      kdc = dunk.ad.priority-health.com:88
      kdc = cozu.ad.priority-health.com:88
      }
      [domain_realm]
      .ad.priority-health.com = ad.priority-health.com
      com.bladelogic.auth.service.ADKerberosPasswordLogin {
      com.sun.security.auth.module.Krb5LoginModule required
      doNotPrompt=false
      useTicketCache=false
      debug=true;
      ******************************************************************************************************************************************
      here are my AuthServer settings in blasadmin:

      [AuthServer]
      ActiveDirectoryLdapUrl:
      ActiveDirectorySearchBase:
      AppServiceURLs:
      AuthSvcKrb5Config:blappserv_krb5.conf
      AuthSvcKrb5LoginConfig:blappserv_login.conf
      AuthSvcPort:9840
      AuthSvcSocketTimeout:75
      AuthSvcSocketsBindAddress:all
      IsADKAuthEnabled:false
      IsActiveDirectoryLdapCheckEnabled:
      IsDomainAuthEnabled:true
      IsLdapAuthEnabled:
      IsSRPAuthEnabled:true
      IsSSOCredRefreshEnabled:true
      IsSecurIdAuthEnabled:
      IsSsoRefreshHostnameCheckEnabled:
      LdapUserDnTemplate:
      LdapUserValidationFilter:
      MaxAuthSvcContexts:20
      MaxAuthSvcThreads:3
      MaximumSessionCredentialLifetime:
      ProxyServiceURLs:
      ReportServiceURLs:
      SessionCredentialLifetime:
      ******************************************************************************************************************************************
      using RBACAdmin I created an automation principal:

      Name: ad.priority-health.com

      Principal ID: ami295

      Domain: ad.priority-health.com

      Passphrase: my domain password

      Confirm:my domain password

      I also created a BL account and called it:

      ami295@ad.priority-health.com

      and I have a check mark next to Allow Active Directory Authentication.

      ******************************************************************************************************************************************

      I created an Authentication Profile that will use Domain Authentication as the Authentication Method.

      ******************************************************************************************************************************************

      I tried to log in using my domain user, in this case phnt/ami295, with no luck. I see this in the appserver log:

      [Appserver] Cannot get kdc for realm AD.PRIORITY-HEALTH.COM

      if I try to log in using AD.PRIORITY-HEALTH.COM as my domain

      or

      [Appserver] Cannot get kdc for realm AD.PRIORITY-HEALTH.COM

      if I try to log in using PHNT as my domain

      ******************************************************************************************************************************************

      can you please see what I am doing wrong?

      thanks

        • 1. Need help in implementing Domain Authentication
          Bill Robinson

          [realms]
          USERS_REALM = {
          kdc = sado.ad.priority-health.com:88
          kdc = pine.ad.priority-health.com:88
          kdc = dunk.ad.priority-health.com:88
          kdc = cozu.ad.priority-health.com:88
          }
          [domain_realm]
          .ad.priority-health.com = ad.priority-health.com

          Those sections are wrong.  I don't think it's 'USERS_REALM'.

          Also, the right side of domain_realm should be all caps.

          • 2. Need help in implementing Domain Authentication
            Amir Khamis

            Thanks Bill.

            I corrected my blappserv_kbr5.conf to:

            ******************************************************************************************************************************************

            [libdefaults]
            ticket_lifetime = 6000
            default_realm = AD.PRIORITY-HEALTH.COM
            [realms]
            AD.PRIORITY-HEALTH.COM = {
            kdc = sado.ad.priority-health.com:88
            kdc = pine.ad.priority-health.com:88
            kdc = dunk.ad.priority-health.com:88
            kdc = cozu.ad.priority-health.com:88
            }
            [domain_realm]
            .ad.priority-health.com = AD.PRIORITY-HEALTH.COM
            ******************************************************************************************************************************************

            Still having problems logging in. Can you please provide me with what needs to be created in RBAC for the user and automation principal I mentioned above? Maybe that is also wrong on my side.

            thanks

            • 3. Need help in implementing Domain Authentication
              Amir Khamis

              Guys, I am still stuck with this; any help is greatly appreciated.

              thanks

              • 4. Re: Need help in implementing Domain Authentication
                Bill Robinson

                Can you telnet to port 88 on all the KDCs from the appserver?

                I think the RBAC account name should be like 'User@DOMAIN.COM'.

                Is there anything in the appserver logs that shows an error?

                • 5. Re: Need help in implementing Domain Authentication
                  Antonio Caputo

                  Amir,

                  did you create the blappserv_login.conf?

                  It should be like this:

                  cat blappserv_login.conf
                  com.bladelogic.auth.service.ADKerberosPasswordLogin {
                  com.sun.security.auth.module.Krb5LoginModule required
                  doNotPrompt=false
                  useTicketCache=false
                  debug=false;
                  };

                  • 6. Re: Need help in implementing Domain Authentication
                    Amir Khamis

                    Thanks, guys, for getting back; sorry for replying late. Here are the 2 files I have:

                    [root@tusk br]# cat blappserv_kbr5.conf blappserv_login.conf
                    [libdefaults]
                    ticket_lifetime = 6000
                    default_realm = AD.PRIORITY-HEALTH.COM
                    [realms]
                    AD.PRIORITY-HEALTH.COM = {
                    kdc = sado.AD.PRIORITY-HEALTH.COM:88
                    kdc = pine.AD.PRIORITY-HEALTH.COM:88
                    kdc = dunk.AD.PRIORITY-HEALTH.COM:88
                    kdc = cozu.AD.PRIORITY-HEALTH.COM:88
                    }
                    [domain_realm]
                    .ad.priority-health.com = AD.PRIORITY-HEALTH.COM
                    com.bladelogic.auth.service.ADKerberosPasswordLogin {
                    com.sun.security.auth.module.Krb5LoginModule required
                    doNotPrompt=false
                    useTicketCache=false
                    debug=false;
                    };

                    • 7. Re: Need help in implementing Domain Authentication

                      Hi,

                      In my blappserv_kbr5.conf file I also have these two lines under the libdefaults section:

                              default_tkt_enctypes = des-cbc-md5
                              default_tgs_enctypes = des-cbc-md5

                      Also, if you set debug= to true and restart your BL server, is there any more information in the appserver.log file?

                      • 8. Re: Need help in implementing Domain Authentication
                        Bill Robinson

                        A couple more things to try:

                        Can you get to port 88 on UDP on the domain controllers? (I think if you use telnet it's going to use TCP, so you might need to talk to a firewall admin.)

                        Also, try adding:

                        dns_lookup_kdc = true in the [libdefaults] section.

                        You can google for your "cannot find kdc for requested realm" error - that is a Java/Kerberos message, not specific to BladeLogic.

                        The default_tkt/tgs settings are not required in 8.0 as we now auto-negotiate the encryption settings.

                        • 9. Re: Need help in implementing Domain Authentication
                          Bill Robinson

                          The solution here is to make sure the file names are spelled right.

                          There is an error in the appserver.log about this, but it shows up as a WARN and does not stop the appserver from starting.

                          The error about not finding a KDC for the realm was the tip-off about it not reading the krb5 file, though.
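Added example (not BladeLogic code and not posted by anyone in this thread): a small Python checker for the three things the thread turned on: realm names in the krb5 file must be upper case and agree between default_realm, [realms] and [domain_realm]; the configured KDCs should match the _kerberos._tcp SRV records (the posted nslookup output lists kozu where the config says cozu); and the file names in the blasadmin [AuthServer] settings must match the files on disk (blappserv_krb5.conf vs blappserv_kbr5.conf). The sample config and SRV host list are constructed from the posts above; in practice pass the real file text and directory listing.

```python
# Constructed sample (abbreviated): the first krb5 file posted in this thread.
SAMPLE_KRB5 = """[libdefaults]
default_realm = ad.priority-health.com
[realms]
USERS_REALM = {
kdc = cozu.ad.priority-health.com:88
}
[domain_realm]
.ad.priority-health.com = ad.priority-health.com
"""
# KDC hostnames taken from the posted nslookup -type=srv _kerberos._tcp output.
SRV_KDCS = {h + ".ad.priority-health.com" for h in ("dunk", "sado", "pine", "kozu")}

def parse_krb5(text):
    """Parse [section] headers, key = value lines and REALM = { kdc = ... } blocks."""
    conf, section, realm = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if section == "realms" and val == "{":
                realm, conf[section][key] = key, []
            elif section == "realms" and realm is not None:
                conf[section][realm].append(val)  # kdc = host:port
            elif section is not None:
                conf[section][key] = val
    return conf

def lint_krb5(conf, srv_kdcs):
    """Report lower-case realm names, a default_realm with no [realms] block, and KDCs DNS does not advertise."""
    out, realms = [], conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm", "")
    if default_realm != default_realm.upper() or default_realm not in realms:
        out.append(f"default_realm '{default_realm}' must be upper case with a [realms] block")
    for dom, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            out.append(f"domain_realm {dom} -> '{realm}' is not upper case")
    for realm, kdcs in realms.items():
        for host in sorted({k.rsplit(":", 1)[0].lower() for k in kdcs} - srv_kdcs):
            out.append(f"{realm}: kdc '{host}' not in DNS SRV records")
    return out

def missing_auth_files(authserver, present_files):
    """blasadmin [AuthServer] names the files the appserver reads; a typo there is only a WARN."""
    keys = ("AuthSvcKrb5Config", "AuthSvcKrb5LoginConfig")
    return sorted(authserver[k] for k in keys if k in authserver and authserver[k] not in present_files)
```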