vADC Forum

New Contributor
Posts: 4
Registered: 11-19-2013
Accepted Solution

Has anyone used Kerberos Delegation in Stingray 9.7

I have been trying to make this work, but every time I enable it, all I get is a 500 error.

I created a keytab and SPN for the LB, and the service starts happily.

SSL Decrypt is enabled, with require certificate.

But every time I enable 'kerberos_protocol_transition!enabled' on the VS, all I get is a 500 error.

I know the feature is new, but has anyone else had a chance to try it?

Cheers

Brocadian
Posts: 225
Registered: 07-04-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

If you have request logs enabled on the virtual server that you are having problems with, the reason for the 500 error should be recorded (including if it is, as it is likely to be in this case, related to Kerberos protocol transition).

When configuring Kerberos protocol transition, you are required to, somewhere (virtual server, pool or TrafficScript), specify three principals:

  1. The principal (and configuration) for the traffic manager to use with protocol transition (configured by specifying the name of the appropriate entry in the Kerberos catalog).
  2. The target principal name of the service provided by the pool nodes.
  3. The client principal name of the client connecting to the traffic manager.

Client principal name (3) will be extracted from a client certificate acquired via TLS - in this configuration the traffic manager must authenticate the client via TLS client certificate authentication. This principal name is expected to be encoded in a certificate as a subject alternative name annotated as a szOID_NT_PRINCIPAL_NAME type (documented in Object IDs associated with Microsoft cryptography) following the guidelines for smart-card based login (for more details see Guidelines for enabling smart card logon with third-party certification authorities).
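The certificate encoding described above, as an added check that is not part of the original answer: a stdlib-only Python routine that walks the DER of a subjectAltName extension value and returns the UPN carried in the otherName typed szOID_NT_PRINCIPAL_NAME (OID 1.3.6.1.4.1.311.20.2.3, the value Microsoft documents for that type). The sample SAN bytes and the name user1@example.com are constructed for the example.

```python
# Added example (not from the thread): find the UPN in a subjectAltName extension
# value, i.e. the otherName typed szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3),
# which is what the traffic manager expects. Sample SAN bytes below are constructed.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

def _tlv(buf, off):
    """Decode one DER TLV at off; return (tag, content, offset after it)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def _oid(raw):
    """Decode OID content bytes to dotted form (two arcs in byte 0, base-128 rest)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def upn_from_san(san_der):
    """Return the UPN string from a SAN extension value, or None if none is present."""
    tag, names, _ = _tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE of GeneralName")
    off = 0
    while off < len(names):
        tag, val, off = _tlv(names, off)
        if tag != 0xA0:                    # only [0] otherName is of interest
            continue
        t, oid_raw, nxt = _tlv(val, 0)
        if t != 0x06 or _oid(oid_raw) != UPN_OID:
            continue
        _, explicit, _ = _tlv(val, nxt)    # [0] EXPLICIT wrapper around the value
        t, s, _ = _tlv(explicit, 0)
        if t == 0x0C:                      # UTF8String
            return s.decode("utf-8")
    return None

SAMPLE_SAN = (
    b"\x30\x33"
    b"\x82\x0elb.example.com"                                 # [2] dNSName, skipped
    b"\xa0\x21"                                               # [0] otherName
    b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03"       # szOID_NT_PRINCIPAL_NAME
    b"\xa0\x13\x0c\x11user1@example.com"                      # [0] EXPLICIT UTF8String
)
```

To check a real user certificate, pass it the subjectAltName extension value only (for example as dumped by `openssl asn1parse`), not the whole certificate; an empty result here corresponds to the empty string from http.kerberos.getClientPrincipalName().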

New Contributor
Posts: 4
Registered: 11-19-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

I have request logging enabled, but it's not much help.

This is an example of the output; I changed it to Stingray extended format.

-|10.25.6.238|GET /|-|500|-|630|-|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

-|10.25.6.238|GET /alfresco/|-|500|-|630|JSESSIONID=1E02ADBF9F015C728749F2BB2E75B0C0|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

-|10.25.6.238|GET /share/|-|500|-|630|JSESSIONID=7490CC6D7E17B504DFE98F60902EC013; _alfTest=_alfTest; alfLogin=1410773796|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

The client certificate is a standard user certificate from AD Certificate Services. I will need to look a bit deeper to see if it uses the correct OIDs etc.

I've also added a TrafficScript rule to dump all the headers, and the User Principal Name is not part of it. This must be where it's going wrong.

Cheers

Brocadian
Posts: 225
Registered: 07-04-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

> I have request logging enabled, but it's not much help.

You're completely right; I told you to enable the wrong type of logging (sorry!). What we need is the connection error logging enabled for the virtual server - log!server_connection_failures - found under Connection Management > Connection Error Settings.

> I've also added a TrafficScript rule to dump all the headers, and the User Principal Name is not part of it. This must be where it's going wrong.

You can use the TrafficScript function http.kerberos.getClientPrincipalName() to determine what client principal name is going to be used by the traffic manager (if the empty string is returned then that is a good indication that the traffic manager has not been able to extract the principal name from the certificate).

New Contributor
Posts: 4
Registered: 11-19-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

Thanks, I was getting the error...

> Key version number for principal in key table is incorrect

Apparently, when generating the keytab, specifying the kvno number does not work. It must auto-increment regardless of what you specify.

I generated and uploaded a new keytab, and the 500 errors are gone.

The certificate also works; it's showing the correct username under getClientPrincipalName.

I just need to figure out why it's trying to log in to the server using the TM's principal name rather than the client's.

Cheers
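To compare the kvno stored in a keytab with the one the KDC currently issues (the mismatch behind the "Key version number for principal in key table is incorrect" error above), here is an added Python reader that is not part of the thread. It assumes the MIT keytab layout (version 0x0502, big-endian fields, optional trailing 32-bit kvno); the sample keytab bytes, realm and principal are constructed.

```python
# Added example (not from the thread): list the kvno stored in each entry of an
# MIT-format keytab (version 0x0502) so it can be compared with the kvno the KDC
# currently issues for the principal. The keytab bytes at the bottom are constructed.
import struct

def _counted(buf, off):
    """16-bit big-endian length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def read_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _counted(data, off + 11)
        # Optional trailing 32-bit kvno; when present and nonzero it overrides vno8.
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, vno32 or vno8))
        off = end
    return entries

def _entry(realm, comps, enctype, key, vno8, vno32=0):
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, vno8, enctype, len(key)) + key
    body += struct.pack(">I", vno32)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an AES256 key at kvno 3 and an RC4 key whose 32-bit field says kvno 4.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _entry(b"EXAMPLE.COM", [b"HTTP", b"lb.example.com"], 18, b"\x00" * 32, 3)
    + _entry(b"EXAMPLE.COM", [b"HTTP", b"lb.example.com"], 23, b"\x00" * 16, 3, 4))
```

Run read_keytab over the bytes of the uploaded keytab and compare each entry's kvno with the value `kvno HTTP/<lb-hostname>` returns against the KDC; any entry that differs will be rejected exactly as in the error quoted above.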

Brocadian
Posts: 225
Registered: 07-04-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

> The certificate also works; it's showing the correct username under getClientPrincipalName.

That's good news - thanks for sharing!

> I just need to figure out why it's trying to log in to the server using the TM's principal name rather than the client's.

I wouldn't expect that; the only thing I can think of to check would be that the TM's account is correctly configured for delegation - that said, if it wasn't I would expect the S4U2Proxy exchange to result in an error, rather than a ticket for itself to the target service.

New Contributor
Posts: 4
Registered: 11-19-2013

Re: Has anyone used Kerberos Delegation in Stingray 9.7

Hi,

I have it working now; it was an issue with the configuration of the service account.

I had set 'Trust this user for delegation to specified services only', but I hadn't set 'Use any authentication protocol' (which is important, as it's the thing that enables Protocol Transition).

Thanks for all your help.

Cheers

Aftab
