Kerberos system user

In a Kerberos environment, the client requests a Kerberos service ticket to authenticate against a kerberized service. With Airlock IAM Front-side Kerberos, the Loginapp is the kerberized web application that authenticates the clients. This requires that a system user is created for IAM for which the service principal name (SPN) is registered.

Create system user

  1. Go to Administrative Tools, select Active Directory Users and Computers and create a user for Airlock IAM (e.g. syskerb-airlock-a).
  2. Configure the following settings on the user:
     • User cannot change password is enabled
     • Password never expires is enabled
     • Account is disabled is NOT enabled
     • This account supports Kerberos AES 256 bit encryption is enabled

Administrators wanting to create the user with PowerShell can use the following snippet:

function create_systemuser ($_systemuser_name, $_etype, $_systemuser_password){
    New-ADUser -Name ${_systemuser_name} `
        -Enabled $True `
        -CannotChangePassword $True `
        -PasswordNeverExpires $True `
        -KerberosEncryptionType ${_etype} `
        -AccountPassword (ConvertTo-SecureString "${_systemuser_password}" -asplaintext -force)
}

$systemuser_password = "STRONG_PASSWORD"
$encryption_type = "AES256"
 
create_systemuser "syskerb-airlock-a" `
   ${encryption_type} `
   ${systemuser_password}

As this is a very important user, a strong password is highly recommended!

Register SPN for the system user

A client requests a Kerberos service ticket from the Active Directory Domain Controller in order to access a kerberized web application. This Kerberos service ticket is issued for a service principal name (SPN) which must match the FQDN of the domain being accessed by the browser.

The SPN always starts with HTTP/ (no matter whether the URL is HTTP or HTTPS), followed by the fully-qualified domain name (without any port or path information). For example, the SPN for the URL https://a.airlock.com/auth-login/check-spnego would be HTTP/a.airlock.com.

The SPN must be registered to the previously created System User.

To add an SPN for domain a.airlock.com, execute the following command in the PowerShell:

setspn -s HTTP/a.airlock.com syskerb-airlock-a
  • For the encryption types AES 128 and AES 256 the OS requires a salt. Windows derives it from the UserPrincipalName, which this command sets to the registered SPN. Because of this, a separate system user is required for each SPN!
  • An SPN can be registered for only one object (user or machine account). The SPN registration may fail, or authentication attempts may show strange behavior, if the SPN is registered several times. To find the object an SPN is registered to, run the command setspn -Q HTTP/a.airlock.com. An SPN can be deleted from an object by running the command setspn -D HTTP/a.airlock.com username.

To retrieve important information about the system user, execute the command below (example output is shown after the command):

PS C:\> Get-ADUser syskerb-airlock-a -property userPrincipalName,sAMAccountName,pwdLastSet,servicePrincipalName,msDS-SupportedEncryptionTypes,msDS-KeyVersionNumber

DistinguishedName             : CN=syskerb-airlock-a,CN=Users,DC=airlock,DC=com
Enabled                       : True
GivenName                     :
msDS-KeyVersionNumber         : 3
msDS-SupportedEncryptionTypes : 16
Name                          : syskerb-airlock-a
ObjectClass                   : user
ObjectGUID                    : 2a0d9e42-fbfb-4f55-b8c7-a17493f91038
pwdLastSet                    : 131807014257991663
SamAccountName                : syskerb-airlock-a
servicePrincipalName          : {HTTP/a.airlock.com}
SID                           : S-1-5-21-146862041-1632464460-2791201798-1138
Surname                       :
UserPrincipalName             : HTTP/a.airlock.com@AIRLOCK.COM

Create the keytab file

The steps below create a keytab file, which is used later in the IAM configuration. The PowerShell helper function shown first simplifies the creation steps:

PowerShell: Helper function to create a keytab file

function create_keytab_file ($_princ, $_mapuser, $_etype, $_password, $_outfile) {
    $_tmp_file = $_outfile + ".tmp"
    $_tmp_file_name = [System.IO.Path]::GetFileName($_tmp_file)

    If (Test-Path ${_outfile}) {
        # Output file already exists: rename it and merge the new entry into it via /in,
        # so that one keytab can hold several principals.
        If (Test-Path ${_tmp_file}) { Remove-Item ${_tmp_file} }
        Rename-Item -Path $_outfile -NewName ${_tmp_file_name}

        ktpass /in ${_tmp_file} `
            /out ${_outfile} `
            /princ ${_princ} `
            /mapuser ${_mapuser} `
            /ptype KRB5_NT_PRINCIPAL `
            /crypto ${_etype} `
            /DumpSalt `
            /pass ${_password}
    }
    Else {
        # No existing keytab: create a new one containing only this principal.
        ktpass /out ${_outfile} `
            /princ ${_princ} `
            /mapuser ${_mapuser} `
            /ptype KRB5_NT_PRINCIPAL `
            /crypto ${_etype} `
            /DumpSalt `
            /pass ${_password}
    }

    # Remove the temporary copy; it contains the same key material as the output file.
    If (Test-Path ${_tmp_file}) { Remove-Item ${_tmp_file} }
}

To create the keytab file, do the following:

  1. Sign in as Domain Administrator on the Domain Controller.
  2. Open a PowerShell and copy & paste the helper function above.
  3. Run the following command to create a keytab file for the SPN HTTP/a.airlock.com:
    $systemuser_password = "STRONG_PASSWORD"
    $keytab_file = "C:\tmp\airlock.com.keytab"
    $etype = "AES256-SHA1"
    
    create_keytab_file HTTP/a.airlock.com@AIRLOCK.COM `
        syskerb-airlock-a@AIRLOCK.COM `
        ${etype} `
        ${systemuser_password} `
        ${keytab_file}

The example below shows how to create a keytab file containing more than one SPN. Assume that the SPN HTTP/b.airlock.com is registered to the syskerb-airlock-b user.

Example: How to create a keytab file with more than one SPN

$systemuser_password = "STRONG_PASSWORD"
$keytab_file = "C:\tmp\airlock.com.keytab"
$etype = "AES256-SHA1"

create_keytab_file HTTP/a.airlock.com@AIRLOCK.COM `
    syskerb-airlock-a@AIRLOCK.COM `
    ${etype} `
    ${systemuser_password} `
    ${keytab_file}

create_keytab_file HTTP/b.airlock.com@AIRLOCK.COM `
    syskerb-airlock-b@AIRLOCK.COM `
    ${etype} `
    ${systemuser_password} `
    ${keytab_file}

Keep in mind that the keytab file contains sensitive key material and should be protected appropriately.
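The following PowerShell function is an added verification helper, not part of the Airlock documentation or product. It checks the conditions the sections above rely on (the SPN is registered to exactly one object and that object is the system user, the required account flags are set, AES is enabled in msDS-SupportedEncryptionTypes, the UPN equals the SPN) and compares the keytab's write time with pwdLastSet, because a password reset after keytab creation leaves the keytab with a stale key. The function name and parameters are assumptions; it requires the ActiveDirectory module and assumes the realm is the uppercased DNS root of the domain.

```powershell
# Added example (assumed name), not part of the Airlock IAM documentation.
# Requires the ActiveDirectory PowerShell module; returns a list of findings (empty = all good).
function Test-KerberosSystemUser ($_spn, $_samaccountname, $_keytab_file) {
    $findings = @()

    $user = Get-ADUser $_samaccountname -Properties userPrincipalName, pwdLastSet, `
        msDS-SupportedEncryptionTypes, CannotChangePassword, PasswordNeverExpires

    # 1. The SPN must be registered to exactly one object, and that object must be our user.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$_spn'")
    if ($owners.Count -ne 1) {
        $findings += "SPN $_spn is registered to $($owners.Count) objects (expected exactly 1)"
    } elseif ($owners[0].DistinguishedName -ne $user.DistinguishedName) {
        $findings += "SPN $_spn is registered to $($owners[0].DistinguishedName), not to $_samaccountname"
    }

    # 2. Account state as required above.
    if (-not $user.Enabled)              { $findings += "account is disabled" }
    if (-not $user.CannotChangePassword) { $findings += "'User cannot change password' is not set" }
    if (-not $user.PasswordNeverExpires) { $findings += "'Password never expires' is not set" }

    # 3. msDS-SupportedEncryptionTypes is a bit mask: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
    $etypes = [int]$user.'msDS-SupportedEncryptionTypes'
    if (($etypes -band 0x18) -eq 0) { $findings += "no AES encryption type enabled (value $etypes)" }
    if (($etypes -band 0x04) -ne 0) { $findings += "RC4-HMAC is also enabled (value $etypes)" }

    # 4. The UPN must equal the SPN, since the AES salt is derived from it (assumed realm = DNS root).
    $realm = (Get-ADDomain).DNSRoot.ToUpper()
    if ($user.UserPrincipalName -ne "$_spn@$realm") {
        $findings += "UPN is '$($user.UserPrincipalName)', expected '$_spn@$realm'"
    }

    # 5. A keytab created before the last password change holds an outdated key.
    if ($_keytab_file -and (Test-Path $_keytab_file)) {
        $pwdSet  = [DateTime]::FromFileTime($user.pwdLastSet)
        $written = (Get-Item $_keytab_file).LastWriteTime
        if ($written -lt $pwdSet) {
            $findings += "keytab written $written but password last set $pwdSet: keytab is stale"
        }
    }
    return $findings
}

# Usage on the values from this page; prints nothing when every check passes.
Test-KerberosSystemUser "HTTP/a.airlock.com" "syskerb-airlock-a" "C:\tmp\airlock.com.keytab"
```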