APM - How to create a keytab file with multiple SPNs

There are actually two ways (that I know of) to aggregate multiple keys into a single keytab:

1. The first is with ktutil (you’ll need to copy the keytabs to a Linux box, merge, then copy back).

2. The second way, which I think is much easier, uses the “-in” option of the ktpass utility. Follow this link for additional information (under the section "Appending Additional Keytabs to Create the Final Master Keytab File"

   http://fusionsecurity.blogspot.com/2013/02/part-2-how-to-configure-oam11g-wna-for.html

    ktpass -princ HTTP/oam.server.com@FOREST2.PIXIE.COM /
   -mapuser oamkrb5 /
   -pass Oracle123 /
   -ptype KRB5_NT_PRINCIPAL /
   -crypto ALL /
   -in forest1.krb5.keytab /
   -out forest2.krb5.keytab
   
   ** where "-in forest1.krb5.keytab" is the keytab file that contains existing keytabs
   

I can't speak for win2003, but this method definitely works in Win2008R2.

Now, you can add the additional SPNs on the Domain Controllers using the MS tool "setspn" with the "-A" switch no problem against the same service account.

This would probably work if you were using a domain account with IIS. If www1 and www2 are separate hosts on the same domain and you added www as an SPN to each, then you'd have a duplicate SPN in the directory. Also, if www1 and www2 are behind separate VIPs, presumably because you're doing GSLB, you could also probably just create separate keytab files.

Thanks for your answer Kevin, it has prompted me to clarify the multiple SPN issue I have.

 

We are using Win2008R2.

 

I'm using APM (11.3.0 HF6) in APM+LTM mode and only performing the Authentication on APM, not passing any credentials onto the Webservers which are not IIS.

 

No GSLB exists but instead a manual DR process is required where in the event of "Site A" failing which carries the VIP "10.10.10.1" (resolving to "www1") the CNAME record for "www" will be changed to point to "www2" (the "Site B" VIP "10.10.20.1").

 

Are you saying that I should just use one keytab file on "Site A" with SPN of "HTTP/www1" and a different keytab file on "Site B" with SPN of "HTTP/www2" and ignoring the SPN of "HTTP/www" completely?

 

In the meantime I'll read the article on the link above to see how to create the keytab file that contains existing keytabs which they refer to above (as this is the problem I have).

 

Thanks.

 

Are you saying that I should just use one keytab file on "Site A" with SPN of "HTTP/www1" and a different keytab file on "Site B" with SPN of "HTTP/www2" and ignoring the SPN of "HTTP/www" completely?

 

That depends if the initial problem also exists in other browsers. Does Firefox also use the A name? I don't remember if it does. If it's universal, and a browser will always use the A name, then you probably don't need to worry about a keytab for the CNAME.

 

The "-in" option in ktpass just allows you to add information from other keytabs. So if you have an existing keytab file (ie. for "www"), then you'd create a new keytab (ie. for "www1") and include the other keytab with the -in option to aggregate the two keys. Repeat this process for as many keytabs as you need.

 

Thanks Kevin for all your great pointers.

Just an update on this topic.

1. I did use a single keytab file as I feel this is easier to administer. Also if you were to setup the APM policy to sync across the two DCs this would be a requirement.
2. Chrome doesn't build the ticket request using the A record value but the CNAME record value so all the possible keys need to be in the keytab file. (Didn't test Firefox).
3. Although it is possible to use "setspn" to register all the SPNs to a single AD service account this doesn't work because the APM will try to validate the ticket request by using whichever SPN it receives in the request against AD and fail when AD responds with account not found. AD looks for the SPN as the account name and not the pre-windows 2000 name (the service account name). You need to therefore create 3 distinct service accounts in AD, one for each SPN, with a unique pre-windows 2000 name and then map the correct account to the SPN while creating your keytab files with the "ktpass" tool.

Like this:

AD Accounts:

HTTP/www.domain.com, Pre-W2K_scv_acc_www, enable 256bit Kerberos Auth HTTP/www1.domain.com, Pre-W2K_scv_acc_www1, enable 256bit Kerberos Auth HTTP/www2.domain.com, Pre-W2K_scv_acc_www2, enable 256bit Kerberos Auth

ktpass usage:

ktpass -princ HTTP/www.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www -pass * -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www.keytab

ktpass -princ HTTP/www1.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www1 -pass * -in c:/keytab_dir/www.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1.keytab

ktpass -princ HTTP/www2.domain.com@DOMAIN.COM -mapuser Pre-W2K_scv_acc_www2 -pass * -in c:/keytab_dir/www_and_www1.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out c:/keytab_dir/www_and_www1_and_www2.keytab

Finally, make sure that IE has "www.domain.com" defined as a "intranet site" on the security page or IE will not send your credentials in response to the 401 response from APM. (see setting up Kerberos Authentication)

I also found that it was necessary to extract the user's name from the APM "session.logon.last.username" variable as it came with a double domain name on it, I used a variable assign component to do this in my VPE:

session.logon.last.username = return [lindex [split [mcget {session.logon.last.username} "@"] 0]

Regards.