Kerberos test using kinit with no password (cert auth) - kerberos

I did extensive search before posting this Q.
We have a Kerb setup working fine for most users for our internal portal. For a few users we are getting the following error:
"Failed to create delegated GSSAPI token on behalf of
HTTP/ssologon.xxx.xxx.xx.com@XXX.XXX.XX.COM for
service@hostname.xxx.xxx.xx.com: Minor Status=-1765328230, Major
Status=851968, Message=Cannot find KDC for requested realm]"
I can test the Kerb setup fine from the server side using kinit with a keytab file, etc.
Issue/Q is: how do I test the same from the workstations/client PCs that are exhibiting the above error?
I could use kinit or kinit principal-name, but it prompts for a password. We have disabled password authentication and use X.509 certs/Access Cards to log in to our PCs/Domain.
So, how do we use kinit or an equivalent to test Kerberos from a domain workstation using the CLI and cert authentication?
I have seen the kinit -X option, but it seems it is not available on JDK 1.7/1.8 on Win 7. Is pkinit (MIT Kerberos) an option? It seems more like it is used for web server to KDC authentication.
Thank you in advance and appreciate the community's time and effort.
---- Additional Info 1----
Btw, had the user purge all her tickets (klist purge) and had her try accessing the SSO site (protected using IWA Kerb), and verified she is issued a Kerb ticket:
5 Client: xxjdoe @ XXX.XX.XXX
Server: HTTP/ssologon.xxx.xxx.xx.xx @ XXX.XXX.XX.XXX
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 4/7/2017 13:54:59 (local)
End Time: 4/7/2017 23:54:48 (local)
Renew Time: 4/14/2017 13:54:48 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
-------- End 1 ---------------

Related

HashiCorp Vault CLI "bad certificate" error after successful login

I'm trying to issue Vault commands with the cli from my local machine to my remote Vault server but keep getting a bad certificate error.
On the remote Vault server I
created an admin policy as outlined here in admin.hcl
wrote it with vault policy write admin admin.hcl
enabled certificate authentication with vault auth enable cert
associated the admin policy just created with a client admin certificate admin-cert.crt:
vault write auth/cert/certs/user display_name=admin policies=admin certificate=@vault/admin-cert.crt ttl=3600
Then on my local machine I was able to successfully login with this command
vault login -method=cert -ca-cert=CA.crt -client-cert=admin-cert.crt -client-key=client.key.pem name=user
which gave back a token. The output:
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.Q2NPAIRwhjNRJqvY8LscgSPy
token_accessor bQSI8zGJM4zspnlgvu2XEV1z
token_duration 1h
token_renewable true
token_policies ["admin" "default"]
identity_policies []
policies ["admin" "default"]
token_meta_authority_key_id n/a
token_meta_cert_name user
token_meta_common_name localhost.com
token_meta_serial_number 4285812225508508199151930131872257251014974781
token_meta_subject_key_id n/a
However any subsequent Vault cli commands from my local machine then get back a tls: bad certificate error. I don't think my certs are incorrect as I wouldn't have been able to complete the initial log in in the first place. Rather, it looks like I need to turn off the certificate authentication and use the token for my requests with the Vault cli because I am able to authenticate into the Vault UI with the token.
The -ca-cert argument value used is for the Vault TLS Listener CA certificate, and not the CA that issued the client authentication certificate. Your -client-cert is correct, and your -client-key is probably also correct, but your -ca-cert value should not be the one associated with the authentication engine itself.
The problem was in the config file.
listener "tcp" {
  address = "0.0.0.0:8200"
  /*
   * Configuration required for mutual TLS
   */
  tls_min_version = "tls12"
  tls_cert_file = "/home/ubuntu/vault/vault-cert.crt" // path to pem encoded server certificate
  tls_key_file = "/home/ubuntu/vault/server.key.pem" // path to pem encoded server private key
  tls_require_and_verify_client_cert = "true" // require client certificate from inbound requests
  tls_client_ca_file = "/home/ubuntu/vault/client-CA.crt" // path to client CA cert used to validate client certs
}
The tls_require_and_verify_client_cert needed to be false instead of true. I guess this made requests go through mTLS authentication even after logging in and obtaining the Vault token. However, the Vault CLI commands other than login don't provide parameters to pass in the certificates needed for mTLS, and so the requests failed with the tls: bad certificate error. Turning the mTLS requirement off allows for token authentication of the Vault requests after login.

Windows authentication 401 error, SPN to Service account

I'm struggling around and hope you can help me.
Scenario:
I wrote a web application on a test server and all works fine. I moved the finished application to the live system and I receive an HTTP 401 error if Windows authentication is enabled on IIS. I solved this problem by setting an SPN on the server name, e.g.
setspn -a http/contoso contoso
But it needs to work with my service account.
I set spn for service account like:
setspn -a http/contoso.com mydomain\serviceaccount
setspn -a http/contoso mydomain\serviceaccount
Application pool is running as mydomain\serviceaccount. The Kerberos Delegation is set for this account in Active Directory. But still get a 401 error. For testing purposes, the service account has the Administrator role on this server.
This looks like a duplicate SPN issue. I believe you have done all the right things by adding SPNs for the service account, but there is one more step in IIS that you need to take to ensure that the application pool credentials are actually being used.
Click on the website and in the center panel, click on Configuration Editor. Navigate to "system.webServer/security/authentication/windowsAuthentication" and there set "useAppPoolCredentials" to true and "useKernelMode" to false.
Follow this article for more info - https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

Kerberos authentication with expiring passwords

We are using Java Kerberos authentication to connect to our SQL Server DB from Linux. Here we had used the principal name and the password to generate a keytab file on the Linux system. Currently the connectivity works fine.
But there has been an additional requirement to use expiring passwords, which expire every 3 months. In our other applications we use an API called CyberArk which retrieves the password from a vault, and the Ops team need not bother about changing the password on the application server located on the Linux system.
Does anyone have any experience using Kerberos in such an environment? We are basically looking at avoiding regenerating the keytab file every time the password expires.
I don't think you can avoid regenerating the keytab file in the event of a password change or expiry. What you can do, however, is make it painless to generate the keytab file on the Linux server. This requires the Linux server joining the Active Directory, using the RHEL native tool realm or Centrify software.
RHEL tool document is here https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/realmd-domain
For Centrify user, https://community.centrify.com/t5/Centrify-Express/Replace-SSH-Keys-with-Kerberos-Keytabs/td-p/10112

SSO from ADAL in WPF Client to ADFS 3.0 on Windows Server 2012 R2

I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.
Unfortunately, I'm only getting an error message saying:
This method overload is not supported by '<ADFS servername>'
I have done a lot of searching, but find some of the information contradictory:
This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it:
ADAL for Windows Store SSO
This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016:
Authenticate with ADFS inside Console App silently
Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL?
Is there any other way to do it?
EDIT:
After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message:
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
The code I'm executing is this:
string authority = "https://myServer.com/adfs";
string resourceURI = "http://myApp/";
string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
string clientReturnUri = "http://anarbitraryreturnuri/";
var ac = new AuthenticationContext(authority, false);
var token = await ac.AcquireTokenAsync(resourceURI, clientId, new UserCredential());
I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.
The Oauth2 endpoint looks as follows:
Also, my global authentication policy is set up like this:
Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead.
Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.

klist command usage related to Single Sign on for WAS 7 application

Team,
I am trying to implement SSO for a WAS7 based web application using Kerberos & SPNEGO. I am almost done with the configuration. I have a few doubts on Kerberos.
When I execute the command klist, following is the output.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM@POC.MAIL.COM
renew until 08/09/2014 16:15
My question is: "What do Expires and renew until indicate here?"
and "If it expires, what is the process of renewing it?"
Please put a comment if much information is required.
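As an added example (not part of the original question), the following Python reads the klist output quoted above and puts the two questions into code: a ticket is usable until Expires, can be extended with `kinit -R` only while it is still unexpired, and each renewal moves Expires forward by roughly the original lifetime but never past "renew until", after which only a fresh kinit (password, keytab or PKINIT) helps. The klist text is a constructed copy of the question's output, and its dates are assumed to be dd/mm/yyyy (only that reading gives the usual ~10-hour ticket lifetime).

```python
from datetime import datetime

# Constructed copy of the MIT klist output quoted in the question above (dd/mm/yyyy dates).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1@POC.MAIL.COM

Valid starting     Expires            Service principal
01/09/2014 16:15  02/09/2014 02:21  krbtgt/POC.MAIL.COM@POC.MAIL.COM
        renew until 08/09/2014 16:15
"""
DATE_FMT = "%d/%m/%Y %H:%M"

def _as_dt(value):
    """Accept a datetime or a 'dd/mm/yyyy HH:MM' string exactly as klist prints it."""
    return value if isinstance(value, datetime) else datetime.strptime(value, DATE_FMT)

def parse_klist(text):
    """One dict per ticket: service, start, expires, renew_until (None when not renewable)."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["renew", "until"] and tickets:
            tickets[-1]["renew_until"] = _as_dt(" ".join(parts[2:4]))
        elif len(parts) == 5 and "/" in parts[0] and ":" in parts[1]:
            tickets.append({"service": parts[4],
                            "start": _as_dt(" ".join(parts[0:2])),
                            "expires": _as_dt(" ".join(parts[2:4])),
                            "renew_until": None})
    return tickets

def ticket_state(ticket, now):
    """'expired' once past Expires (kinit -R cannot revive an expired ticket, even inside
    its renewable life); 'valid-renewable' while unexpired and before renew until; else 'valid'."""
    now = _as_dt(now)
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] is not None and now < ticket["renew_until"]:
        return "valid-renewable"
    return "valid"

def renew(ticket, now):
    """Model kinit -R at `now`: roughly the original lifetime again, capped at renew until."""
    now = _as_dt(now)
    if ticket_state(ticket, now) != "valid-renewable":
        raise ValueError("not renewable now: a fresh kinit (password, keytab or PKINIT) is needed")
    lifetime = ticket["expires"] - ticket["start"]
    return {**ticket, "start": now, "expires": min(now + lifetime, ticket["renew_until"])}
```

In practice a cron job or the application itself runs `kinit -R` before Expires; once renew until is reached, the renewal chain ends and a keytab-based kinit is the usual unattended fallback.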