5 Replies Latest reply on Sep 29, 2013 11:43 PM by Omkar Karavade

    BBSA and AD Kerberos Authentication

    Omkar Karavade

      Hi Team,

       

      I am trying to use AD/Kerberos authentication for BBSA console login in a test environment. I have gone through the documentation and have a few questions.

       

      1. My application server is Linux and is not in the domain. My AD server is Win2K8 SP2 and I have installed the console on that server. Is it necessary that the application server also be part of the domain for the authentication to work? I have gone through the documentation but couldn't find anything related to it.

       

      2. Also, if I want to use the console from a non-domain Windows/Linux client, will it work?

       

      I have completed the required configuration on the application server as well as on the client-side (Win2K8) server. The application server is reading the configuration files and I don't have issues there.

       

      But, when I am opening the console on the Windows box it is not populating the user name in the login box as it is supposed to do.

       

      Also, when I am trying to validate the credentials using kinit <user name> it is giving me an error: "krb_error 0 Checksum failed No error".

       

      I am able to execute this step on the appserver successfully using the kinit -k -t command.

       

      Can anybody shed some light on this? I am attaching the client conf files with this post.

       

      Thanks in advance

        • 1. Re: BBSA and AD Kerberos Authentication

          Omkar,

           

          When you say:

           

          1. My application server is Linux and is not in the domain. My AD server is Win2K8 SP2 and I have installed the console on that server. Is it necessary that the application server also be part of the domain for the authentication to work? I have gone through the documentation but couldn't find anything related to it.


          Also, you did the configuration of AD:

          Where did you execute the AD steps? On the domain server or the application server?

          • 2. Re: BBSA and AD Kerberos Authentication
            Omkar Karavade

            Hi Pravin,

             

            Thanks for the reply. I have done the configuration of AD on the domain server itself. Also, I have now finished testing domain authentication and that is working smoothly. I only have a problem with the AD/Kerberos authentication.

            • 3. Re: BBSA and AD Kerberos Authentication

              Hi Omkar,

               

              To answer your questions:

              1) Yes, you can use an appserver which is not part of the domain.

              Make sure that there is no time difference between the appserver and the DC server.

              2) Your client has to be part of the domain, since in AD/Kerberos the credentials will be fetched for the user you are logged in as, which would be a domain user.

               

              On the client side, check for the following:

              1) For 2008 server, browse to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters and make sure the registry key "AllowTgtSessionKey" (REG_DWORD) is created and set to 1.


              2) config.properties file needs to have the following entries:

              java.security.krb5.conf=C\:\\Program Files\\BMC Software\\......\\NSH\\br\\blclient_krb5.conf

              java.security.auth.login.config=C\:\\Program Files\\BMC Software\\.....\\NSH\\br\\blclient_login.conf

              javax.security.auth.useSubjectCredsOnly=false


              3) blclient_login.conf and blclient_krb5.conf need to be present on the client, and their paths are to be specified in the config.properties file in the format mentioned above.

              • 4. Re: BBSA and AD Kerberos Authentication

                Hi Omkar,

                 

                Just checked the files that are attached:

                 

                The blclient_login.conf file doesn't have entries relevant to the client. The entries you are specifying are for blappserv_login.conf.

                For blclient_login.conf try the following entries:

                com.sun.security.jgss.initiate {
                    com.sun.security.auth.module.Krb5LoginModule required
                        doNotPrompt=true
                        debug=false
                        useTicketCache=true;
                };


                blclient_krb5.conf looks alright.
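As an added check, not code from this thread or from BMC: a small Python script that parses a config.properties and a blclient_login.conf and reports which of the client-side settings from replies 3 and 4 are missing. Both input files are constructed samples embedded below (INSTALLDIR is a placeholder for the part of the path the thread elides); the AllowTgtSessionKey registry value is not covered.

```python
import re
# Constructed sample of config.properties in Java .properties escaping; INSTALLDIR stands in for the elided path.
SAMPLE_PROPERTIES = r"""
java.security.krb5.conf=C\:\\Program Files\\BMC Software\\INSTALLDIR\\NSH\\br\\blclient_krb5.conf
java.security.auth.login.config=C\:\\Program Files\\BMC Software\\INSTALLDIR\\NSH\\br\\blclient_login.conf
javax.security.auth.useSubjectCredsOnly=false
"""
# Constructed sample of blclient_login.conf with the initiator entry suggested in reply 4.
SAMPLE_LOGIN_CONF = """
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        debug=false
        useTicketCache=true;
};
"""
def parse_properties(text):
    # Java .properties: a backslash escapes the next character, so \: -> : and \\ -> \
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_properties(props):
    # Both paths must name the client files, not the appserver ones (blappserv_*).
    problems = [f"{key} must point at the client file {fname}"
                for key, fname in (("java.security.krb5.conf", "blclient_krb5.conf"),
                                   ("java.security.auth.login.config", "blclient_login.conf"))
                if not props.get(key, "").endswith(fname)]
    # false lets JGSS fall back to the logged-in domain user's ticket cache for the TGT
    if props.get("javax.security.auth.useSubjectCredsOnly", "").lower() != "false":
        problems.append("javax.security.auth.useSubjectCredsOnly must be false")
    return problems

def check_login_conf(text):
    # The console initiates the GSS context, so the JAAS file needs the jgss.initiate entry.
    m = re.search(r"com\.sun\.security\.jgss\.initiate\s*\{(.*?)\}\s*;", text, re.S)
    if not m:
        return ["no com.sun.security.jgss.initiate entry (are these blappserv_login.conf entries?)"]
    problems = [] if "Krb5LoginModule required" in m.group(1) else ["Krb5LoginModule must be required"]
    opts = dict(re.findall(r"(\w+)=(\w+)", m.group(1)))
    for opt in ("useTicketCache", "doNotPrompt"):  # reuse the Windows logon TGT and never prompt
        if opts.get(opt) != "true":
            problems.append(f"{opt}=true is missing from the initiate entry")
    return problems
def check_client(properties_text, login_conf_text):
    return check_properties(parse_properties(properties_text)) + check_login_conf(login_conf_text)
```

Point check_client at the real files read from disk and an empty list means the three config.properties entries and the initiate entry are in place.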

                • 5. Re: BBSA and AD Kerberos Authentication
                  Omkar Karavade

                  Hi Anurag,

                   

                  Thanks for your reply. I will give this a try and update here. Currently I am stuck with another issue, which is more important.

                   

                  Can you please check this thread and let me know if you have some idea about it?

                   

                  ESXi 5.0 Provisioning