IBM Security Verify

  • 1.  Kerberos Solution

    Posted Wed February 12, 2020 01:05 PM
    Hi All,
    I am looking to integrate a Kerberos solution with SharePoint 2016 server applications. I have created a WebSEAL AD user with the hostname of the WebSEAL as HTTP/isamwebseal.domain.com with user isamwebseal. Now I want to integrate the https://abc.com_ website with ISAM. But the application team has already generated an SPN for this website and it is used for their internal purpose.

    Now how do I proceed with the solution? Can I generate a new keytab file with the same SPN with our ISAM user, or can I use the keytab which was generated for the website internally? Please advise.

    ------------------------------
    Vasanthakumar Chandrasekaran
    ------------------------------


  • 2.  RE: Kerberos Solution

    Posted Fri February 14, 2020 02:16 PM
    Hi,

    The keytab is just a means of encrypting/decrypting the Kerberos information; I don't believe it needs you to have a special SPN just for ISAM. If your backend application already has an SPN, just use that when generating the keytab, or create a second SPN if you want for that same application/ID, as I believe that is also valid (the SPN binds to a service account in AD).

    The only thing that matters is that the ID running your application delegates to the WebSEAL ID/SPN, and then your WebSEAL conf file uses that ID/SPN as its identifier, and you're sending the application SPN when you get a 401 (this is where the keytab comes in to generate your ticket).

    The example article is a bit confusing at first, but once you get it it's like an AHA moment and it's super easy then.

    ------------------------------
    Jeff Garcia
    ------------------------------



  • 3.  RE: Kerberos Solution

    Posted Mon February 17, 2020 01:49 AM
    Thanks Jeff. I have created a keytab file for the ISAM AD user and it delegates to a couple of SharePoint applications. I used the ktpass command to add the existing SPN into a keytab and combined our ISAM AD user's existing keytab with the newly generated keytab for the applications. I have enabled Kerberos and pointed it to the newly combined keytab (ISAM AD user & SharePoint application SPN). Now when I enable Kerberos in the authentication tab and add two names as HTTP@isamurl.domain and HTTP@sharepointapplication.domain, I get the following error:
    HPDST0130E   The security service function gss_accept_sec_context returned the error 'Unspecified GSS failure.  Minor code may provide more information' (code 0x000d0000/851968).
    2020-02-16-18:08:14.470+03:00I----- 0x30923082 webseald ERROR bst general amstli.c 2764 0x7fa43e79f700
    HPDST0130E   The security service function gss_accept_sec_context returned the error 'Request ticket server HTTP/sharepointapplication@AD.DOMAIN found in keytab but does not match server principal HTTP/isamurl.domain@' (code 0x96c73a23/-1765328349).
    2020-02-16-18:08:14.470+03:00I----- 0x13212064 webseald ERROR ias general ivpam.c 620 0x7fa43e79f700
    HPDIA0100E   An internal error has occurred.

    ------------------------------
    Vasanthakumar Chandrasekaran
    ------------------------------
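As an added example, not code from this thread or from IBM's ISAM/WebSEAL: a small parser for MIT-format keytab files, with a merge helper and a check that the combined keytab holds an entry for the exact service/host@REALM name the acceptor is configured with, which is the first thing to verify when gss_accept_sec_context reports that the requested ticket server does not match the server principal. It assumes the standard MIT 0x0502 keytab layout; the principal names are the placeholders used in the posts above and the keys are constructed dummy bytes.

```python
import struct

def _cstr(buf, off):  # counted string: uint16 length + bytes
    n = struct.unpack_from(">H", buf, off)[0]; return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into [{principal, kvno, enctype, key}, ...]."""
    assert data[:2] == b"\x05\x02", "not an MIT v2 keytab"
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            off -= size; continue
        end, ncomp = off + size, struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off); comps.append(c)
        _, _, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off); off += 13  # name_type, timestamp, vno8, enctype, keylen
        key, off = data[off:off + klen], off + klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # 32-bit kvno if present
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": etype, "key": key})
        off = end
    return entries

def keytab_entry(principal, kvno, enctype, key):
    """Serialise one v2 entry (used here only to build offline samples and the merged output)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def merge_keytabs(*keytabs):
    """Combine keytabs into one, keeping a single entry per (principal, kvno, enctype)."""
    seen, out = set(), b"\x05\x02"
    for e in (e for kt in keytabs for e in parse_keytab(kt)):
        ident = (e["principal"], e["kvno"], e["enctype"])
        if ident not in seen:
            seen.add(ident); out += keytab_entry(*ident, e["key"])
    return out

def has_acceptor(keytab, service, host, realm):
    """True if the keytab holds a key for service/host@REALM, the name the acceptor must match."""
    return any(e["principal"] == f"{service}/{host}@{realm}" for e in parse_keytab(keytab))

# Constructed samples using the placeholder names from the thread; keys are dummy bytes, not real key material.
ISAM_KT = b"\x05\x02" + keytab_entry("HTTP/isamwebseal.domain.com@AD.DOMAIN", 3, 18, b"\x11" * 32)
APP_KT = b"\x05\x02" + keytab_entry("HTTP/sharepointapplication.domain@AD.DOMAIN", 5, 18, b"\x22" * 32)
MERGED = merge_keytabs(ISAM_KT, APP_KT)
```

Run `parse_keytab(open("merged.keytab", "rb").read())` against a real merged file to list exactly which principals, kvnos and enctypes it contains, and compare each realm-qualified name with the names configured on the WebSEAL side.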



  • 4.  RE: Kerberos Solution

    Posted Sat November 18, 2023 06:58 AM

    Hello,

    A Kerberos solution is a network authentication protocol providing secure, single sign-on access to systems. Employing a trusted third party, it uses encryption and timestamps to verify the identities of users and services, enhancing security in distributed computing environments.

    Thanks 



    ------------------------------
    Usman Mushtaq
    ------------------------------