HTTP Keytab Generation Through MSKUTIL For SSO

Introduction

 

Msktutil is a keytab client for a Microsoft Active Directory environment. This program is capable of creating an account for this computer in Active Directory, adding service principals to that account, and creating a local keytab file so that kerberized services can use Active Directory as a Kerberos realm. This utility requires that the Kerberos client libraries are properly installed and configured to use Active Directory as a realm.
Whenever a principal is added or the keytab is updated, the secret password for the computer's machine account is reset. This password is not stored, so it is reset each time msktutil is executed. All entries in the keytab are automatically updated whenever the machine password is reset. The previous entries are left in the keytab, so sessions using the older key versions will not break. This behavior is similar to the way Windows hosts handle machine password changes.



Getting Started - The Preparatory Steps

To keep the discussion easy to understand and replicate, we will use an example and set out the process as an ordered sequence of steps. We will also include validation steps, so that you can confirm whether each step has been carried out correctly.

In our example we have a Microsoft Windows AD setup as follows:

  • FQDN of Microsoft AD Domain: safesquid.local
  • FQDN of Domain controller: adserver.safesquid.local
  • IP address of our Domain Controller: 192.168.249.110

We will additionally use a Windows Desktop, just for the purpose of validating our efforts.

  • FQDN of our Windows Test Desktop: windows.safesquid.local
  • IP address of our Windows Test Desktop: 192.168.249.102

We are using a Linux based host for deploying our Kerberos based SafeSquid.

  • FQDN of our Linux host: ubuntuserver.safesquid.local
  • IP address of our Linux host: 192.168.17.5
  • Kerberos Computer Name: UBUNTUSERVER-K

Test Network Connectivity

Validate our IP addresses are correct and the systems are reachable on the network.

On EACH of the 3 computers above, do the following:

  1. Ping the Domain Controller IP address
  2. Ping the Windows Test Desktop IP address
  3. Ping the Linux host IP address

Validate that the IP addresses of all our systems are resolvable by our DNS provider

In a Microsoft AD based network, it is highly recommended to use the DNS provider that usually defaults to the Domain Controller itself.
On the Windows systems this is specified in the TCP/IP configuration.
On the Linux host, view and modify /etc/resolv.conf.
Confirm that it reads as follows:

# search <name of our domain>
search safesquid.local
# nameserver <DNS server specified in our AD, usually the domain controller>
nameserver 192.168.249.110

Validate that all our systems are using the same DNS provider

Add the Linux host ubuntuserver as a New Host in the DNS server's configuration, so that its FQDN automatically defaults to ubuntuserver.safesquid.local.

Now, on each of the 3 systems, use nslookup as follows to confirm that DNS is effectively serving our requirements.

nslookup ubuntuserver.safesquid.local

nslookup windows.safesquid.local

nslookup adserver.safesquid.local


Configuration on Linux machine

root@ubuntuserver:~# vim /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.17.5
        netmask 255.255.0.0
        network 192.168.0.0
        broadcast 192.168.255.255
        gateway 192.168.0.231
        # dns-* options are implemented by the resolvconf package, if installed
        # dns-nameservers 8.8.8.8
        # The nameserver below is the AD server IP (interfaces(5) does not allow end-of-line comments)
        dns-nameservers 192.168.249.110
        dns-search safesquid.local

root@ubuntuserver:~# vim /etc/hosts

127.0.0.1        localhost
192.168.17.5     ubuntuserver.safesquid.local  ubuntuserver
192.168.249.110  adserver.safesquid.local      adserver    # AD server FQDN
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@ubuntuserver:~# /etc/init.d/networking restart

NTP Configuration

The default AD group policy requires all domain computers to use the time set on the Domain Controller as the reference for time. This also effectively means that the Domain Controller must be used as the reference NTP server.

root@ubuntuserver:~# apt-get install ntp

root@ubuntuserver:~# vim /etc/ntp.conf

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server adserver.safesquid.local

Then restart the NTP service and confirm that the Domain Controller is listed as a peer:

root@ubuntuserver:~# service ntp restart
root@ubuntuserver:~# ntpq -p


Activities to be performed on the Linux host for using the Kerberos keytabs

The required packages can be installed with the following command:

root@ubuntuserver:~# apt-get install krb5-user libkrb53

Then configure /etc/krb5.conf (msktutil reads its Kerberos parameters from this file) so that it reads as follows. Keep only one of the two enctype blocks in [libdefaults], matching your Domain Controller version; note that the DES enctypes are deprecated and current Kerberos libraries refuse them unless allow_weak_crypto is enabled.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SAFESQUID.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 720h
 renew_lifetime = 90d
 forwardable = true
 default_keytab_name = /opt/safesquid/bin/security/HTTP.keytab

; for Windows 2003
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 SAFESQUID.LOCAL = {
  kdc = adserver.safesquid.local:88
  admin_server = adserver.safesquid.local:749
  default_domain = safesquid.local
 }

[domain_realm]
 .safesquid.local = SAFESQUID.LOCAL
 safesquid.local = SAFESQUID.LOCAL


Installation Steps of MSKTUTIL

Prerequisite dependencies for msktutil:

root@ubuntuserver:~# apt-get install libsasl2-modules-gssapi-mit libsasl2-modules

root@ubuntuserver:~# apt-get install ldap-utils

root@ubuntuserver:~#  cd /var/cache/apt/archives/

root@ubuntuserver:/var/cache/apt/archives#  wget https://fuhm.net/software/msktutil/releases/msktutil_0.4-2_amd64.deb

root@ubuntuserver:/var/cache/apt/archives# dpkg -i msktutil_0.4-2_amd64.deb

Initiate a Kerberos session with administrator permissions, which are needed to add objects to AD. Replace the user name below with the one you will use to create the Kerberos computer object in Active Directory.

root@ubuntuserver:~# kinit administrator

This will prompt for the Administrator password of the Windows Active Directory.
You can verify whether the ticket has been obtained with the following command:

root@ubuntuserver:~# klist

Now we configure the proxy's Kerberos computer account and service principal by running msktutil (remember to update the values with yours).
Important: There are two important limitations with msktutil:

  1. computer-name cannot be longer than 15 characters due to NetBIOS name limitations.
  2. computer-name must be different from the proxy's hostname, so that computer account password updates for NTLM and Kerberos do not conflict.

Execution of MSKTUTIL command

Note: Before executing the msktutil command we need to check whether a user with the hostname of the SafeSquid server (here it is 'ubuntuserver') already exists on the AD server.

Case 1: If it exists, we need to change the hostname of the machine, add that machine to the AD DNS domain, and then run the following command with the new hostname and computer-name.
Case 2: If you are ready to delete the existing user, we need not change the hostname of your SafeSquid server; delete that user and run the following command.

root@ubuntuserver:~#  msktutil -c -b "CN=COMPUTERS" -s HTTP/ubuntuserver.safesquid.local -k /opt/safesquid/bin/security/HTTP.keytab --computer-name UBUNTUSERVER-K --upn HTTP/ubuntuserver.safesquid.local --server adserver.safesquid.local --verbose

Note: If you are using a Server 2008 domain then add --enctypes 28 at the end of the command.
Now you can see your HTTP.keytab in your specified path.

We have used the path /opt/safesquid/bin/security/ and the computer name UBUNTUSERVER-K.
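As an added example (not part of the original page or of msktutil itself), the following Python script parses the MIT keytab format so you can confirm what msktutil wrote into HTTP.keytab: which service principals are present, their key version numbers (the kvno rises at every machine password reset, which is why older entries are kept alongside new ones) and whether any DES or RC4 keys are still in the file. It runs against a constructed sample keytab embedded in the script; pass the bytes of a real keytab to parse_keytab or check_keytab to inspect it.

```python
import struct

# Enctype numbers as stored in keytab entries (RFC 3961/4757 assignments)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4 keys: keep them only while a legacy DC needs them

def _parse_entry(e):
    """Decode one MIT v2 keytab entry: the realm precedes the principal components."""
    ncomp, = struct.unpack_from(">H", e, 0); off, parts = 2, []
    for _ in range(ncomp + 1):                 # realm, then each name component
        n, = struct.unpack_from(">H", e, off)
        parts.append(e[off + 2:off + 2 + n].decode()); off += 2 + n
    _name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", e, off)
    off += 13 + klen                           # skip the secret key bytes themselves
    vno32 = struct.unpack_from(">I", e, off)[0] if len(e) - off >= 4 else 0
    return {"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": vno32 or vno8,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "weak": enctype in WEAK_ENCTYPES}

def parse_keytab(data):
    """Walk a version-2 (0x0502) keytab; a negative size marks a deleted entry (hole)."""
    if data[:2] != b"\x05\x02": raise ValueError("not an MIT version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def check_keytab(data, expected_principal):
    """Report whether the service principal is present, its kvnos and any weak keys."""
    hits = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    return {"found": bool(hits), "kvnos": sorted({e["kvno"] for e in hits}),
            "weak_enctypes": sorted(e["enctype"] for e in hits if e["weak"])}

def _build_entry(realm, comps, kvno, enctype, key, ts=1388534400):
    """Constructed sample entry (dummy key material) in the layout _parse_entry reads."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # trailing 32-bit kvno, as krb5 writes it
    return struct.pack(">i", len(body)) + body

# Constructed HTTP.keytab: kvno 2 AES-256 and RC4 keys for the SafeSquid service principal
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    _build_entry("SAFESQUID.LOCAL", ["HTTP", "ubuntuserver.safesquid.local"], 2, et, b"\x00" * n)
    for et, n in ((18, 32), (23, 16)))
```

On the sample, check_keytab reports the principal as found with kvno 2 and flags the rc4-hmac key as weak; klist -k shows the same principals and kvnos from a real keytab, without the weak-key flag.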


Setting up SafeSquid service to use the Initialized Kerberos keytab

Configuring SafeSquid Startup parameters

SafeSquid's executable binary uses the command-line parameter -K<kerberos_service_principal_name>.
This can be set as SafeSquid's startup parameter by setting KRB_SERVICE_PRINCIPAL to
HTTP/ubuntuserver.safesquid.local@SAFESQUID.LOCAL in /opt/safesquid/safesquid/init.d/startup.conf

root@ubuntuserver:~# vim /opt/safesquid/safesquid/init.d/startup.conf

KRB_SERVICE_PRINCIPAL=HTTP/ubuntuserver.safesquid.local@SAFESQUID.LOCAL

Change the access rights of the keytab file with the following two commands, so that only the SafeSquid service user can read it:

chmod 440 /opt/safesquid/bin/security/HTTP.keytab

chown ssquid:root /opt/safesquid/bin/security/HTTP.keytab

 

A Kerberos-aware application by default uses /etc/krb5.keytab; however, for security reasons we have created a different keytab as /opt/safesquid/bin/security/HTTP.keytab. The changed location can be made known to an application by setting the environment variable KRB5_KTNAME. Typically under bash you would do this by invoking:


export KRB5_KTNAME=/opt/safesquid/bin/security/HTTP.keytab


SafeSquid's init script /etc/init.d/safesquid, when invoked to start the safesquid service, automatically exports KRB5_KTNAME=/opt/safesquid/bin/security/HTTP.keytab into the environment in which the actual executable binary runs. However, if you have to start safesquid manually by executing the safesquid binary at the command prompt, you must first run the above export command in the console you are operating in. Remember that any other Kerberos-related activity you undertake in that console will then use HTTP.keytab and NOT /etc/krb5.keytab.

Now you can restart the safesquid proxy service with the usual command:

/etc/init.d/safesquid start  

and on the console leave this tail command running:

tail -f /opt/safesquid/safesquid/logs/extended/extended.log  

Testing Kerberos SSO authentication setup

Configure Authentication in SafeSquid's Access Restrictions:

SafeSquid's policy configurations are managed by its WebGUI. We can access the WebGUI from any authorized system, as per its Access Restrictions configuration section (by default ALL are allowed). To ensure that we do not get locked out, we will in the following steps configure the Access Restrictions section of SafeSquid to enable the SSO authentication, and then to enable authentication for only our test client windows.safesquid.local.

  • Configure your Internet browser proxy settings to use ubuntuserver.safesquid.local:<port_usually_8080> as your proxy server.

Note: you should NOT be using the <IP address>:<port> format now. Go to http://safesquid.cfg/config and select Access Restrictions in the drop-down menu.

  • In the Global sub-section, set NTLM Authentication to true.

  • Add a new entry:
  1. In the IP address field put 192.168.249.102 (the IP address of windows.safesquid.local; remember we designated that system as our first test client in the initial preparatory steps).
  2. Enable PAM Authentication.
  3. Click Submit.

  • From the windows.safesquid.local system, configure the Internet browser to use ubuntuserver.safesquid.local:<port_usually_8080> as the proxy server.
  • In Internet Explorer ==> Tools ==> Internet Options ==> Advanced, make sure that the option "Use Windows Integrated Authentication" has been selected.

  • Access the internet and confirm that you can browse the web as expected.
  • Take a look at the output of the tail command that you had earlier left running on the Linux console.
  • You should be able to see requests from the user logged into the windows.safesquid.local system, and the user should be identified as <username>@<SAFESQUID.LOCAL>@192.168.249.102. If you can confirm that, then the setup has been completed successfully. To enable Windows Integrated Authentication for the rest of your enterprise, modify the entry you created in the Access Restrictions for IP 192.168.249.102 and simply leave the IP address field blank.

Recheck

To validate the successful execution of msktutil:

On the Windows Server, reset the Computer Account in AD by right-clicking on the UBUNTUSERVER-K Computer object and selecting "Reset Account". Then run msktutil as follows to ensure that the keytab is updated as expected and that msktutil correctly picks up the keytab location from /etc/krb5.conf. This is not strictly necessary but is useful to ensure that msktutil works as expected.
First destroy the administrator credentials used to create the account, obtain fresh ones, and run the update:

root@ubuntuserver:~# kdestroy
root@ubuntuserver:~# kinit administrator
root@ubuntuserver:~# msktutil --auto-update --verbose --computer-name ubuntuserver-k

root@ubuntuserver:~# chmod 440 /opt/safesquid/bin/security/HTTP.keytab
root@ubuntuserver:~# chown ssquid:root /opt/safesquid/bin/security/HTTP.keytab
root@ubuntuserver:~# export KRB5_KTNAME=/opt/safesquid/bin/security/HTTP.keytab

Add the following to cron so that it automatically updates the computer account in Active Directory when it expires (typically 30 days). Pipe it through logger so that any errors can be seen in syslog if necessary. As stated, msktutil uses the default /etc/krb5.conf file for its parameters, so be aware of that if you decide to make any changes in it. Then restart the cron service.

root@ubuntuserver:~# vim /etc/crontab

# Entries in /etc/crontab carry a user field before the command; run the update as root
00 4 * * * root msktutil --auto-update --verbose --computer-name ubuntuserver-k | logger -t msktutil

root@ubuntuserver:~# service cron restart