IBM Security Verify


Doubt with multiple Kerberos entries

  • 1.  Doubt with multiple Kerberos entries

    IBM Champion
    Posted Thu March 04, 2021 10:48 AM
    Hi all,

    I have a question about multiple Kerberos entries in the WebSEAL conf.
    Can I do that?

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------


  • 2.  RE: Doubt with multiple Kerberos entries

    Posted Thu March 04, 2021 01:27 PM
    Hi Alexandre,

    What you're trying to do is not supported.  You can only specify a single .keytab file and kerberos-principal-name for Kerberos SSO authentication to junctioned servers.  This means that the same kerberos principal must be used for generation of delegated tickets across all junctions.

    The kerberos-service-name can be specified per junction.  This means that each back end service that you delegate to can have a different SPN.

    What is your use case? Why do you need to specify so many principals?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Thu March 04, 2021 01:50 PM
    Hi Jon,

    I have more than one backend server that needs to use Kerberos SSO, all of them behind different IIS servers.
    I created a user called isva in my Active Directory, executed ktpass and delegated all the servers to this user.

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------



  • 4.  RE: Doubt with multiple Kerberos entries

    Posted Fri March 05, 2021 07:53 AM
    Alexandre,

    Creating a single principal for ISAM (in a single keytab) and using it as the "master" for all of the delegations to different backends should work fine.

    So, hoping your answer above means you have it working.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Mon March 08, 2021 08:51 AM
    Hi Jon,

    How do I do that?
    By executing ktpass with these parameters? Such as: ktpass -out C:\isva.keytab -princ HTTP/isva@AD_DOMAIN.COM
    -mapUser AD_DOMAIN\isva -mapOp set -pass XXX -pType KRB5_NT_PRINCIPAL
    And I need to set up all the different backend delegations on this user "isva", right?

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------



  • 6.  RE: Doubt with multiple Kerberos entries

    Posted Mon March 08, 2021 01:07 PM
    That's right!

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 7.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Thu March 11, 2021 11:45 AM
    Hi Jon,

    As I mentioned in my last note, I opened a support case.
    Could you help me there?
    I'm stuck on this configuration.

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------



  • 8.  RE: Doubt with multiple Kerberos entries

    Posted Thu March 11, 2021 12:26 PM
    Edited by Jon Harry Thu March 11, 2021 12:25 PM
    Hi Alexandre,

    I'm not sure what else I can say.  Let me try.

    To start:
    - You have a set of HTTP services and for each one you have an SPN (probably HTTP/serverx.domain.com@DOMAIN.COM)
    - You have a user in AD to represent ISVA (user is "isamkrb")

    1. You run the ktpass command to set an SPN for this user and generate a keytab:

    ktpass -out isamkrb.keytab -princ HTTP/isam.domain.com@DOMAIN.COM -mapuser isamkrb@DOMAIN.COM -mapOp set -pass some_long_password -pType KRB5_NT_PRINCIPAL

    You can check the SPN with "setspn -UL isamkrb" and "setspn -Q HTTP/isam.domain.com@DOMAIN.COM"

    2. Use AD tools to enable delegation for the isamkrb user, so it can delegate to the SPNs for the target services.
    You must set "Trust this user for delegation to specified services only" and "Use any authentication protocol"

    3. Your ISAM system is configured to use AD DNS.

    4. You configure Kerberos in the ISAM system:
       Create realm = DOMAIN.COM
       Set property kdc = domain_controller.domain.com
       Set Default: default_realm = DOMAIN.COM
       You should be able to test the setup by testing with isamkrb and its password.

    5. Import the isamkrb.keytab keytab file.
       You should be able to test by authenticating with the keytab and principal name HTTP/isam.domain.com

    6. In the Reverse Proxy, configure the common Kerberos SSO config:

    kerberos-sso-enable = true
    kerberos-keytab-file = isamkrb.keytab
    kerberos-principal-name = HTTP/isam.domain.com@DOMAIN.COM

    7. For each junction where you will use Kerberos SSO, add this junction-specific configuration:

    [junction:/my_serverx_junction]
    kerberos-service-name = HTTP/serverx.domain.com@DOMAIN.COM

    That should do it.  I hope it helps you get this working.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 9.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Fri March 12, 2021 09:14 AM
    Hi Jon,

    I did all the configuration that you mentioned.

    When I set a kerberos-service-name for each junction where we use Kerberos SSO and restart, the reverse proxy doesn't come up again.
    The log file shows these errors:
    682 -- IBM Security Verify Access WebSEAL Version 10.0.1.0 (Build 20201125_1048) -- Copyright (C) IBM Corporation 1994-2020. All Rights Reserved.
    683 2021-03-11-19:47:10.354-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-header-table-size).
    684 2021-03-11-19:47:10.355-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-initial-window-size).
    685 2021-03-11-19:47:10.355-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-max-frame-size).
    686 2021-03-11-19:47:10.356-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-max-header-list-size).

    However, these entries exist in the WebSEAL conf with the default values.

    Sorry, but I think this is all very weird.

    Regards,


    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------



  • 10.  RE: Doubt with multiple Kerberos entries

    Posted Fri March 12, 2021 11:39 AM
    I suspect you have added the [junction:/my_junction] configuration in the middle of the original [junction] stanza.  Make sure that this configuration is outside any other configuration stanza.

    If you have:

    [junction]
    xxx
    yyy

    and then you add

    [junction]
    xxx

    [junction:/my_junction]
    zzz

    yyy

    You have removed yyy from the original stanza.  I hope this makes sense.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
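As an added example (not part of the thread and not IBM code): a small Python checker that models how a stanza file such as webseal.conf is read, every entry belongs to the most recent [stanza] header above it, and flags the layout Jon describes in this reply and in reply 8: a [junction:/...] stanza dropped into the middle of [junction], so that the entries beneath it silently move into the per-junction stanza and WebSEAL reports them missing. The required-key list is taken from the HPDCO0156E messages quoted in this thread, the HTTP/2 values and junction names are placeholders, and the rule that a repeated header merges into the earlier stanza is an assumption of this toy parser, not a statement about WebSEAL's own reader.

```python
"""Stanza-layout checker for a webseal.conf Kerberos SSO configuration.

Added example, not IBM code. The required keys are the four that WebSEAL
reported as missing (HPDCO0156E) in this thread; the values are placeholders.
"""
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")

# The entries WebSEAL complained about in the quoted msg log.
REQUIRED_JUNCTION_KEYS = (
    "http2-header-table-size",
    "http2-initial-window-size",
    "http2-max-frame-size",
    "http2-max-header-list-size",
)


def parse_stanzas(text):
    """Map stanza name -> {key: (value, line_no)}.

    Models an INI-style reader: an entry belongs to the most recent
    [header] above it. Assumption: a repeated header merges into the
    earlier stanza of the same name.
    """
    stanzas = OrderedDict()
    current = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name").strip()
            stanzas.setdefault(current, OrderedDict())
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            key = entry.group("key").strip()
            stanzas[current][key] = (entry.group("value").strip(), line_no)
    return stanzas


def check_kerberos_sso(text):
    """Return a list of problems; an empty list means the layout is sound."""
    stanzas = parse_stanzas(text)
    junction = stanzas.get("junction", {})
    per_junction = {
        name: entries for name, entries in stanzas.items()
        if name.startswith("junction:")
    }
    problems = []

    # 1. Entries pushed out of [junction] by a misplaced [junction:/...] header.
    for key in REQUIRED_JUNCTION_KEYS:
        if key in junction:
            continue
        hint = ""
        for name, entries in per_junction.items():
            if key in entries:
                hint = (f"; it now sits in [{name}] at line {entries[key][1]}, "
                        "so a [junction:/...] header was inserted above it")
                break
        problems.append(f"[junction] is missing {key}{hint}")

    # 2. Each per-junction stanza names the SPN of its back-end service.
    for name, entries in per_junction.items():
        if "kerberos-service-name" not in entries:
            problems.append(f"[{name}] has no kerberos-service-name")

    # 3. With SSO on, the single keytab and principal must be in [junction].
    if junction.get("kerberos-sso-enable", ("false", 0))[0].lower() == "true":
        for key in ("kerberos-keytab-file", "kerberos-principal-name"):
            if key not in junction:
                problems.append(f"[junction] enables Kerberos SSO but lacks {key}")
    return problems


# Constructed samples. Values are placeholders, not WebSEAL defaults.
BROKEN_CONF = """\
[junction]
kerberos-sso-enable = true
kerberos-keytab-file = isamkrb.keytab
kerberos-principal-name = HTTP/isam.domain.com@DOMAIN.COM
http2-header-table-size = 4096

[junction:/my_serverx_junction]
kerberos-service-name = HTTP/serverx.domain.com@DOMAIN.COM

http2-initial-window-size = 65535
http2-max-frame-size = 16384
http2-max-header-list-size = 8192
"""

FIXED_CONF = """\
[junction]
kerberos-sso-enable = true
kerberos-keytab-file = isamkrb.keytab
kerberos-principal-name = HTTP/isam.domain.com@DOMAIN.COM
http2-header-table-size = 4096
http2-initial-window-size = 65535
http2-max-frame-size = 16384
http2-max-header-list-size = 8192

[junction:/my_serverx_junction]
kerberos-service-name = HTTP/serverx.domain.com@DOMAIN.COM

[junction:/my_servery_junction]
kerberos-service-name = HTTP/servery.domain.com@DOMAIN.COM
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {check_kerberos_sso(conf) or 'OK'}")
```

Run against the broken layout it reports the three http2 entries that landed in [junction:/my_serverx_junction], each with the line number where the entry now sits; against the fixed layout, with all per-junction stanzas appended after the end of [junction], it reports nothing. To check a real file, read it and pass its text to check_kerberos_sso.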



  • 11.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Fri March 12, 2021 01:15 PM
    Hi Jon,

    It makes total sense!

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal
    ------------------------------



  • 12.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Mon March 08, 2021 01:17 PM
    Edited by Alexandre Gammaro Thu March 11, 2021 08:02 PM
    Hi Jon,

    Also, I tried the other way described in the Knowledge Center (https://www.ibm.com/support/knowledgecenter/pt-br/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/task/tsk_create_webseal_user_in_ad.htm).
    That documentation says you must create one more user in Active Directory, to use as the target service and enter as kerberos-service-name in the WebSEAL conf.
    However, that way doesn't work either.

    Sorry, but it's all so contradictory.

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------



  • 13.  RE: Doubt with multiple Kerberos entries

    Posted Fri March 12, 2021 09:17 AM
    Alexandre,

    Setting up the "target service user" is only required if your target services don't already have an SPN defined.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 14.  RE: Doubt with multiple Kerberos entries

    Posted Fri March 12, 2021 02:04 AM

    Hi Alexandre,

    You cannot configure multiple keytabs (as Jon mentioned), but you can merge them into a single keytab and use that one. In the ISAM/ISVA LMI this is called Combine, and you create a new file that you can then use in your WebSEAL instance configuration.

    Have you considered this?
    Follow the steps given by Jon for each domain in which you want Kerberos authentication to happen. Import the keytabs into ISAM and combine them. You can test from that menu as well.

    Hope this helps

    Kind regards,





    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 15.  RE: Doubt with multiple Kerberos entries

    IBM Champion
    Posted Fri March 12, 2021 10:46 AM
    Edited by Alexandre Gammaro Fri March 12, 2021 12:09 PM
    This problem is solved!

    -------------------------------------

    Hi Peter / Jon,

    Yes, I got it. I can use just one keytab.
    But my problem is that when I configure a kerberos-service-name for each junction (as Jon mentioned), the reverse proxy doesn't stay online.
    The errors below appear in the msg log:
    683 2021-03-11-19:47:10.354-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-header-table-size).
    684 2021-03-11-19:47:10.355-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-initial-window-size).
    685 2021-03-11-19:47:10.355-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-max-frame-size).
    686 2021-03-11-19:47:10.356-03:00I----- 0x1354A09C webseald ERROR ivc general cfgfile.cpp 120 0x7fe5de4da840 -- HPDCO0156E Configuration item missing (junction, http2-max-header-list-size).

    Regards,

    ------------------------------
    Alexandre Gammaro
    Cybersecurity Specialist
    Triscal - agammaro@triscal.com.br
    ------------------------------