Re: Kerberos SSO & Pincipal names

Lord_Edam_ · ‎02-28-2011

juniper SA4500, IVE 6.5R7

I'm trying to sallow access to a web server (Web bookmark) that users Kerberos to authenticate users.

My kerberos SSO settings all work fine if I try accessing the server by its AD name (http://server.domain.local), but if I try using different host headers (eg http://esupply.domain.local) for the web resource kerberos fails. I am not using constrained delegation on juniper.

Internally, accessing http://esupply.domain.local directly, I get a kerberos ticket for HTTP/server.domain.local

Doing it through Juniper, the Kerberos Request is for HTTP/esupply.domain.local, which fails with "Principal Unknown".

How do I tell Juniper to request the ticket with a different principal name to the server name specified in the URL resource?

cheers

Mike

zanyterp_ · ‎02-28-2011

How is your kerberos policy configured: server.domain.local or esupply.domain.local?

Is this cross-realm auth?

What is the domain you have configured on your domain/realm on the general tab?

Lord_Edam_ · ‎03-01-2011

Under the Basicauth/NTLM/Kerberos policies general tab, my Kerberos SSO details are:

Realm Definition

realm: DOMAIN.LOCAL

site name: blank

Pattern match: *

KDC: (IP address of my domain controller / KDC)

IVE Intermediation

Label: esupply

realm: DOMAIN.LOCAL

Credential type: system

SSO Policy

resources: http://esupply:80

http://esupply.domain.local:80

Action: Kerberos

Credential: esupply

(no fallback to NTLM)

Web bookmark

link: http://esupply/login.aspx

zanyterp_ · ‎03-01-2011

What does your policy trace say when you trace kerberos sso actions?

Lord_Edam_ · ‎03-02-2011

the policy trace says applying the (correct) kerberos policy - which works fine if I use the proper server name, but not the alias.

I was hoping to get away from ahving to register new Server Principal Names in AD for the aliases, but I guess I'll just have to

ho hum

thanks

mike