IBM Security Verify

Hi All,
I am looking to integrate kerberos solution to Sharepoint 2016 server applications. I have created a webseal AD user with Hostname of the webseal as HTTP/isamwebseal.domain.com with user isamwebseal. Now i want to integrate https://abc.com_ website with ISAM. But application team has already generted SPN for this website and its used for their internal purpose.

Now how do i proceed with the solution, can i generate a new keytab file with the same SPN with our ISAM user or i can use the keytab which was generated for the website internally.Please advise.

------------------------------
Vasanthakumar Chandrasekaran
------------------------------

Hi,

The keytab is just a means of encyrpting/decrypting the kerberos information, I dont believe it needs you to have a special SPN just for ISAM. If your backend application already has an SPN, just use that when generating the keytab, or create a second SPN if you want for that same application/ID as i believe that is also valid (the SPN binds to a service account in AD).

The only thing that matters is that the ID running your application delegates to the webseal ID/SPN, and then your webseal conf file uses that ID/SPN as its identifier, and your sending the application SPN when you get a 401 (this is where the keytab comes in to generate your ticket).

The example article is a bit confusing at first, but once you get it its like an AHA moment and its super easy then.

------------------------------
Jeff Garcia
------------------------------

Original Message:
Sent: Wed February 12, 2020 01:05 PM
From: Vasanthakumar Chandrasekaran
Subject: Kerberos Solution

Hi All,
I am looking to integrate kerberos solution to Sharepoint 2016 server applications. I have created a webseal AD user with Hostname of the webseal as HTTP/isamwebseal.domain.com with user isamwebseal. Now i want to integrate https://abc.com_ website with ISAM. But application team has already generted SPN for this website and its used for their internal purpose.

Now how do i proceed with the solution, can i generate a new keytab file with the same SPN with our ISAM user or i can use the keytab which was generated for the website internally.Please advise.

------------------------------
Vasanthakumar Chandrasekaran
------------------------------

Thanks Jeff, I have created a keytab file for ISAM AD user and it delegates to the couple of sharepoint applications. I used ktpass command to add the existing SPN in to a keytab and combined our ISAM AD user exiting keytab with the newly generated keytab for applications. I have enabled kerberos and pointing to the newly combined keytab(ISAM AD user & Sharepoint application SPN). Now when i enable kerberos in authentication tab and added 2 names as HTTP@isamurl.domain, HTTP@sharepointapplication.domain.  I am getting following error,
1374      HPDST0130E   The security service function gss_accept_sec_context returned the error 'Unspecified GSS failure.  Minor code may provide more information' (code 0x000d0000/851968).
1375      2020-02-16-18:08:14.470+03:00I----- 0x30923082 webseald ERROR bst general amstli.c 2764 0x7fa43e79f700
1376      HPDST0130E   The security service function gss_accept_sec_context returned the error 'Request ticket server HTTP/sharepointapplication@AD.DOMAIN found in keytab but does not match server principal HTTP/isamurl.domain@' (code 0x96c73a23/-1765328349).
1377      2020-02-16-18:08:14.470+03:00I----- 0x13212064 webseald ERROR ias general ivpam.c 620 0x7fa43e79f700
1378      HPDIA0100E   An internal error has occurred.

------------------------------
Vasanthakumar Chandrasekaran
------------------------------

Original Message:
Sent: Fri February 14, 2020 01:13 PM
From: Jeff Garcia
Subject: Kerberos Solution

Hi,

The keytab is just a means of encyrpting/decrypting the kerberos information, I dont believe it needs you to have a special SPN just for ISAM. If your backend application already has an SPN, just use that when generating the keytab, or create a second SPN if you want for that same application/ID as i believe that is also valid (the SPN binds to a service account in AD).

The only thing that matters is that the ID running your application delegates to the webseal ID/SPN, and then your webseal conf file uses that ID/SPN as its identifier, and your sending the application SPN when you get a 401 (this is where the keytab comes in to generate your ticket).

The example article is a bit confusing at first, but once you get it its like an AHA moment and its super easy then.

------------------------------
Jeff Garcia

Original Message:
Sent: Wed February 12, 2020 01:05 PM
From: Vasanthakumar Chandrasekaran
Subject: Kerberos Solution

Hi All,
I am looking to integrate kerberos solution to Sharepoint 2016 server applications. I have created a webseal AD user with Hostname of the webseal as HTTP/isamwebseal.domain.com with user isamwebseal. Now i want to integrate https://abc.com_ website with ISAM. But application team has already generted SPN for this website and its used for their internal purpose.

Now how do i proceed with the solution, can i generate a new keytab file with the same SPN with our ISAM user or i can use the keytab which was generated for the website internally.Please advise.

------------------------------
Vasanthakumar Chandrasekaran
------------------------------

Hello,

Kerberos solution is a network authentication protocol providing secure, single sign-on access to systems. Employing a trusted third party, it uses encryption and timestamps to verify the identities of users and services, enhancing security in distributed computing environments.

Thanks 

------------------------------
Usman Mushtaq
------------------------------

Original Message:
Sent: Wed February 12, 2020 01:05 PM
From: Vasanthakumar Chandrasekaran
Subject: Kerberos Solution

Hi All,
I am looking to integrate kerberos solution to Sharepoint 2016 server applications. I have created a webseal AD user with Hostname of the webseal as HTTP/isamwebseal.domain.com with user isamwebseal. Now i want to integrate https://abc.com_ website with ISAM. But application team has already generted SPN for this website and its used for their internal purpose.

Now how do i proceed with the solution, can i generate a new keytab file with the same SPN with our ISAM user or i can use the keytab which was generated for the website internally.Please advise.

------------------------------
Vasanthakumar Chandrasekaran
------------------------------