IBM Verify


 Verify Access configuration for SPNEGO when Kerberos Realm and user UPN suffix differ

James Smith posted Fri November 29, 2024 03:50 PM

I'm setting up SPNEGO on Verify Access.  The Kerberos realm is company.old.tld and they have a DNS domain for that as well.   

However, they have another DNS domain company.new.tld and they have configured this as an alternative UPN suffix in Active Directory, and ALL the users are using this new second domain.

When SPNEGO goes to look up the users in Active Directory, it looks for username@company.old.tld.  Since they are all using the second domain in their User Principal Name, it cannot find the user.  The user gets the error "HPDIA0114E could not acquire a client credential".  It would need to search for username@company.new.tld.  I know the SPNEGO configuration works because if I change a user's UPN back to the old domain, they are able to log in with SSO.

I already tried configuring the default_domain in the Kerberos configuration to the alternative suffix but that didn't change the lookups.  I also tried adding a domain-to-realm mapping but that also had no effect.  It seems Verify Access just takes the client name in the Kerberos ticket, assumes the realm name is going to be the domain name and searches for that.  Is there a way to alter this lookup, perhaps with an infomap?

James Smith

After doing some research into Kerberos EAI to handle this issue, and having IBM support suggest that as an option too, I tried an alternative.  Having to set up an external application to handle the Kerberos authentication is just one more piece of infrastructure that can break, so I wanted to avoid that option and find something built into Verify Access.

Instead, I configured the reverse proxy SPNEGO config to remove the Kerberos realm, by setting use-domain-qualified-name to "no".  Then I configured a user mapping to add the new domain name onto the identity name.  This seems to work, I just need to figure out if this is supported by IBM.

<?xml version="1.0" encoding='UTF-8'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">

    <!-- Required to constrain output of rule evaluation -->
    <xsl:output method="xml" omit-xml-declaration="yes" encoding='UTF-8' indent="no"/>

    <!-- Need this to ensure default text node printing is off -->
    <xsl:template match="text()"></xsl:template>

    <!-- Let's make it easier by matching the constant part of our XML name -->
    <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:AttributeList">
        <!-- The Principal name is the bare Kerberos client name (realm already
             stripped by use-domain-qualified-name = no); append the UPN suffix
             that Active Directory actually holds for the users -->
        <identity><xsl:value-of select="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:Principal/stsuuser:Attribute[@name='name']/stsuuser:Value"/>@company.new.tld</identity>
    </xsl:template>
</xsl:stylesheet>

Reverse Proxy config updates

[user-map-authn]
rules-file = map-kerberos-to-upn.xsl

Also update the [spnego] stanza value below:

[spnego]
use-domain-qualified-name = no
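The following is an added Python illustration, not code from the post or from IBM: it models what the posted XSLT rule does to the XMLUMI document that Verify Access passes to the [user-map-authn] rules file, and shows why the [spnego] setting use-domain-qualified-name = no has to accompany it. The XMLUMI shape is reconstructed from the XPath in the posted rule and is an assumption; the sample user name and realm are constructed. The function names (build_xmlumi, kerberos_client_name, map_identity, is_well_formed_upn, resolve) are hypothetical and exist only in this example.

```python
import xml.etree.ElementTree as ET

STSUUSER_NS = "urn:ibm:names:ITFIM:1.0:stsuuser"
NEW_UPN_SUFFIX = "company.new.tld"   # the alternative UPN suffix from the post


def build_xmlumi(principal_name: str) -> str:
    """Constructed sample of the XMLUMI document handed to the rules file.
    The element layout is assumed from the XPath used in the posted XSLT."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<XMLUMI xmlns:stsuuser="{STSUUSER_NS}">
  <stsuuser:STSUniversalUser>
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>{principal_name}</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList/>
  </stsuuser:STSUniversalUser>
</XMLUMI>"""


def kerberos_client_name(upn_user: str, realm: str, use_domain_qualified_name: bool) -> str:
    """Model the [spnego] use-domain-qualified-name setting: with 'yes' the
    principal name keeps its Kerberos realm, with 'no' the realm is stripped."""
    return f"{upn_user}@{realm}" if use_domain_qualified_name else upn_user


def map_identity(xmlumi: str) -> str:
    """Python equivalent of the posted XSLT rule: read Principal/@name='name'
    and append the new UPN suffix to produce the <identity> value."""
    root = ET.fromstring(xmlumi)
    ns = {"stsuuser": STSUUSER_NS}
    value = root.find(
        "stsuuser:STSUniversalUser/stsuuser:Principal/"
        "stsuuser:Attribute[@name='name']/stsuuser:Value",
        ns,
    )
    if value is None or not value.text:
        raise ValueError("no Principal name attribute in XMLUMI input")
    return f"{value.text}@{NEW_UPN_SUFFIX}"


def is_well_formed_upn(identity: str) -> bool:
    """Sanity check a defender would run on the mapped identity: exactly one
    '@' and the expected suffix, so the directory lookup targets the real UPN."""
    return identity.count("@") == 1 and identity.endswith("@" + NEW_UPN_SUFFIX)


def resolve(upn_user: str, realm: str, use_domain_qualified_name: bool) -> str:
    """Full pipeline: Kerberos client name -> XMLUMI -> mapped identity."""
    return map_identity(build_xmlumi(kerberos_client_name(upn_user, realm, use_domain_qualified_name)))


if __name__ == "__main__":
    # With the realm stripped, the mapping yields the UPN AD actually holds.
    print(resolve("jsmith", "COMPANY.OLD.TLD", False))
    # Leaving use-domain-qualified-name = yes would produce a double-suffixed name.
    print(resolve("jsmith", "COMPANY.OLD.TLD", True))
```

The second call shows the failure mode the post's configuration avoids: if the realm is left on the principal name, the rule appends the suffix to user@COMPANY.OLD.TLD and the lookup still misses, which is why both the [spnego] change and the mapping rule are needed together.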