In a Kerberos environment, a client that wants to access a kerberized service requests a Kerberos service ticket for that service and presents it to authenticate. With Airlock IAM Front-side Kerberos, the Loginapp is the kerberized web application that authenticates the clients. This requires a system user created in Active Directory for IAM, with the service principal name (SPN) of the Loginapp registered to that user.
Create system user
- Go to Administrative Tools, select Active Directory Users and Computers and create a user for Airlock IAM (e.g. syskerb-airlock-a).
- Configure the following settings on the user:
  - User cannot change password: enabled
  - Password never expires: enabled
  - Account is disabled: NOT enabled
  - This account supports Kerberos AES 256 bit encryption: enabled
Administrators wanting to create the user with PowerShell can use the following snippet (the ActiveDirectory module is available on a Domain Controller or on any host with RSAT installed):

```powershell
function create_systemuser ($_systemuser_name, $_etype, $_systemuser_password) {
    # Enabled account with a fixed password (user cannot change it, never expires),
    # restricted to the given Kerberos encryption type (AES256 here).
    New-ADUser -Name ${_systemuser_name} `
        -Enabled $True `
        -CannotChangePassword $True `
        -PasswordNeverExpires $True `
        -KerberosEncryptionType ${_etype} `
        -AccountPassword (ConvertTo-SecureString "${_systemuser_password}" -AsPlainText -Force)
}

$systemuser_password = "STRONG_PASSWORD"
$encryption_type = "AES256"
create_systemuser "syskerb-airlock-a" `
    ${encryption_type} `
    ${systemuser_password}
```

As this account holds the service key, a strong password is essential. Any user account that carries an SPN can be targeted by Kerberoasting: every domain user may request a service ticket for the SPN and try to crack the account password offline. Use a long random password, keep AES as the only allowed encryption type, and do not leave the plaintext value in scripts or shell history.
Register SPN for the system user
A client requests a Kerberos service ticket from the Active Directory Domain Controller in order to access a kerberized web application. This service ticket is issued for a service principal name (SPN), which must match the fully qualified host name the browser uses in the URL. The SPN always starts with HTTP/ (no matter whether the URL is HTTP or HTTPS), followed by the fully qualified domain name without any port or path information. For example, the SPN for the URL https://a.airlock.com/auth-login/check-spnego is HTTP/a.airlock.com. If the host name in the URL does not correspond to a registered SPN, the client cannot obtain a ticket and SPNEGO authentication fails.
The SPN must be registered to the previously created system user.
To add an SPN for domain a.airlock.com, execute the following command in PowerShell:
- For the encryption types AES 128 and AES 256, the key derivation requires a salt. Windows derives this salt from the UserPrincipalName, which this command sets to the registered SPN. Because the UserPrincipalName can hold only one value, a separate system user is required for each SPN.
- An SPN can be registered to only one object (user or machine account). If the same SPN is registered to several objects, the registration may fail or authentication attempts may behave unpredictably, because the KDC cannot determine which account's key to use for the ticket. To find the object an SPN is registered to, run setspn -Q HTTP/a.airlock.com. To delete an SPN from an object, run setspn -D HTTP/a.airlock.com username.
To retrieve important information about the system user, execute the command below (example output is displayed):
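The following is an added example and not part of the Airlock IAM documentation: it derives the SPN from a URL as described above, refuses to register an SPN that already exists in the forest, registers it to the system user together with the matching UserPrincipalName, and reads back the attributes worth checking. The realm AIRLOCK.COM, the host a.airlock.com and the account syskerb-airlock-a are assumptions taken from the examples on this page; the ActiveDirectory module and setspn.exe must be available and the script must run with Domain Admin rights.

```powershell
# Added example (not from the Airlock IAM documentation). Assumed names:
# realm AIRLOCK.COM, host a.airlock.com, system user syskerb-airlock-a.
Import-Module ActiveDirectory

function spn_from_url ([string]$_url) {
    # The SPN is always HTTP/<fqdn>: scheme (http or https), port and path are dropped.
    $uri = [System.Uri]$_url
    return "HTTP/$($uri.Host)"
}

function register_spn ([string]$_systemuser_name, [string]$_spn, [string]$_realm) {
    # An SPN may belong to only one object in the forest. setspn -Q searches the
    # forest and prints "Existing SPN found!" together with the owning object.
    $query = & setspn.exe -Q $_spn 2>&1 | Out-String
    if ($query -match 'Existing SPN found') {
        throw "SPN ${_spn} is already registered, not touching it:`n${query}"
    }

    # The AES salt is derived from the UserPrincipalName, so the UPN has to be
    # <SPN>@<REALM>. The UPN holds one value, hence one system user per SPN.
    Set-ADUser -Identity $_systemuser_name `
        -UserPrincipalName "${_spn}@${_realm}" `
        -ServicePrincipalNames @{ Add = $_spn }

    # Read back what the DC stored and fail loudly on any mismatch.
    $user = Get-ADUser -Identity $_systemuser_name `
        -Properties ServicePrincipalNames, UserPrincipalName, KerberosEncryptionType, 'msDS-KeyVersionNumber'
    if ($user.ServicePrincipalNames -notcontains $_spn) {
        throw "SPN ${_spn} is not registered to ${_systemuser_name}"
    }
    if ($user.UserPrincipalName -ne "${_spn}@${_realm}") {
        throw "UPN of ${_systemuser_name} is $($user.UserPrincipalName), expected ${_spn}@${_realm}"
    }
    if ("$($user.KerberosEncryptionType)" -notmatch 'AES') {
        Write-Warning "${_systemuser_name} does not allow AES encryption types; tickets may fall back to RC4"
    }
    return $user
}

$spn  = spn_from_url "https://a.airlock.com/auth-login/check-spnego"
$user = register_spn "syskerb-airlock-a" $spn "AIRLOCK.COM"

# msDS-KeyVersionNumber is the kvno the keytab entry has to match later on.
$user | Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames, `
    KerberosEncryptionType, 'msDS-KeyVersionNumber'
```

The duplicate check relies on the output text of setspn rather than its exit code, and the read-back after Set-ADUser is deliberate: a silently wrong UPN produces a key with the wrong salt, which shows up only later as unexplained ticket decryption failures on the IAM side.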
Create the keytab file
The following steps create a keytab file, which is referenced later in the IAM configuration. The PowerShell helper function below simplifies the creation steps:
PowerShell: Helper function to create a keytab file
To create the keytab file, do the following:
- Sign in as Domain Administrator on the Domain Controller.
- Open a PowerShell and copy & paste the helper function above.
- Run the following command to create a keytab file for the SPN HTTP/a.airlock.com:
The example below shows how to create a keytab file containing more than one SPN. Assume that the SPN HTTP/b.airlock.com is registered to the syskerb-airlock-b user.
Example: How to create a keytab file with more than one SPN
```powershell
$systemuser_password = "STRONG_PASSWORD"
$keytab_file = "C:\tmp\airlock.com.keytab"
$etype = "AES256-SHA1"

# First SPN: creates the keytab file.
create_keytab_file "HTTP/a.airlock.com@AIRLOCK.COM" `
    "syskerb-airlock-a@AIRLOCK.COM" `
    ${etype} `
    ${systemuser_password} `
    ${keytab_file}

# Second SPN, registered to its own system user: appended to the same file.
create_keytab_file "HTTP/b.airlock.com@AIRLOCK.COM" `
    "syskerb-airlock-b@AIRLOCK.COM" `
    ${etype} `
    ${systemuser_password} `
    ${keytab_file}
```
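The helper function the page refers to is not reproduced here. The following is an added example, not the documentation's own helper: a create_keytab_file function with the same call signature as the example above, built on ktpass.exe, which ships with Windows Server. That the original helper wraps ktpass in this way is an assumption, as are the principal, account and path values, which are taken from the examples on this page.

```powershell
# Added example (not the helper function from the Airlock IAM documentation).
# Assumes ktpass.exe and icacls.exe are on the PATH and the session runs as
# Domain Administrator on the Domain Controller.

function create_keytab_file ([string]$_principal, [string]$_mapuser, [string]$_etype,
                             [string]$_password, [string]$_keytab_file) {
    # ktpass maps the principal to the account (/mapuser), sets the account's UPN to
    # the principal (+setupn is the default, which the AES salt relies on), resets the
    # account password to /pass (+setpass is the default) and writes the key to /out.
    # /pass must therefore be the password the account is meant to have. Do not call
    # this twice for the same account: every call resets the password and increments
    # the key version number, which invalidates the earlier keytab entry.
    $ktpassArgs = @(
        '/princ',   $_principal,
        '/mapuser', $_mapuser,
        '/mapop',   'add',
        '/crypto',  $_etype,
        '/ptype',   'KRB5_NT_PRINCIPAL',
        '/pass',    $_password
    )

    # Second and later SPNs: read the existing file with /in so its entries are kept,
    # write the merged result to a new file and swap it in afterwards.
    $out_file = $_keytab_file
    if (Test-Path -LiteralPath $_keytab_file) {
        $out_file = "${_keytab_file}.new"
        $ktpassArgs += '/in', $_keytab_file
    }
    $ktpassArgs += '/out', $out_file

    & ktpass.exe @ktpassArgs
    if ($LASTEXITCODE -ne 0) {
        throw "ktpass failed for ${_principal} (exit code ${LASTEXITCODE})"
    }
    if ($out_file -ne $_keytab_file) {
        Move-Item -LiteralPath $out_file -Destination $_keytab_file -Force
    }

    # The file holds the service key: drop inherited ACLs and grant only the current
    # administrator access until the file has been moved to IAM and deleted here.
    & icacls.exe $_keytab_file /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
}

$systemuser_password = "STRONG_PASSWORD"
$keytab_file = "C:\tmp\airlock.com.keytab"
create_keytab_file "HTTP/a.airlock.com@AIRLOCK.COM" "syskerb-airlock-a@AIRLOCK.COM" `
    "AES256-SHA1" $systemuser_password $keytab_file
```

The password is passed to ktpass on the command line, so it appears in the process list and the PowerShell history for the duration of the call; clear the history or run the command from a script that is deleted afterwards. Key version numbers are the usual source of trouble here: if the account password is changed after the keytab was written (including a repeated ktpass call), the kvno in the keytab no longer matches the account and the Loginapp cannot decrypt incoming tickets.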
Keep in mind that the keytab file contains the system user's long-term key, which is equivalent to its password: anyone who obtains it can decrypt the service tickets of all users authenticating to the Loginapp and impersonate the service. Restrict the file permissions to the administrators who need it, transfer it to IAM only over an encrypted channel, and delete temporary copies (e.g. under C:\tmp) once the file has been imported.