2017 R1 Update Rollup 1

Kerberos AuthenticationPermanent link for this heading

On nodes intended for Fabasoft Folio Web Services, SPNEGO authentication for the Apache Web Server as an extension module is provided. SPNEGO authentication allows single sign on via Kerberos and Active Directory even from a Fabasoft Folio Web Client (similar and compatible to integrated login on the Microsoft platform).

Additionally, configure /etc/krb5.conf to use the Active Directory domain as Kerberos realm and its domain controller as Kerberos Key Distribution Centre.

To configure /etc/krb5.conf, perform the following steps:

  1. Open the /etc/krb5.conf file in an editor.
  2. Configure krb5.conf as follows.
    Replace the values in <> with the appropriate values for the domain. In case of troubles consult the Kerberos documentation.
    [libdefaults]
      
    default_realm = <SUB.COMP.COM>
      
    dns_fallback = false
      
    forwardable = true
      
    proxiable = true
    [realms]

      <SUB.COMP.COM> = {

        
    kdc = <IP address of the Domain Controller>[:<port>, [options]]
        
    admin_server = <IP address of the Domain Controller>[: <port>, [options]]
      }

    [
    domain_realm]
      <.company.com> = <SUB.COMPANY.COM>

    Note: Attend to entries written in uppercase (e.g. <SUB.COMP.COM>).

The Kerberos authentication has been configured basically on the newly installed server.

Key Creation for Fabasoft Folio Backend ServicesPermanent link for this heading

ADERPC Key CreationPermanent link for this heading

For each Linux server running kerberized Fabasoft Folio Services, a distinct ADERPC key has to be exported.

To create an ADERPC key for Fabasoft Folio Backend Services, perform the following steps:

  1. Log on to the primary Active Directory domain controller.
  2. Open the MMC snap in „Active Directory Users and Computers” (dsa.msc).
  3. Add a user with an arbitrary logon name of your choice for each Fabasoft Folio Server.
    A common prefix is recommended.
    Example: ADERPC-fscbackend
  4. Click “Next”.
  5. Select the User cannot change password and the Password never expires check boxes.
  6. To create the user click “Next“.
    A Kerberos user has been created.
  7. Execute the following command:
    setspn -A ADERPC/<fqdn> <user account>
    Example:
    setspn -A ADERPC/fscbackend.sub.comp.com ADERPC-fscbackend
  8. On the “Delegation” tab of the user’s properties dialog box click Trust this user for delegation to any service (Kerberos only).
  9. On the „Account“ tab of the users’s properties dialog box click Use DES encryption types for this account or select This account supports Kerberos AES 256 bit encryption.
    DES-CBC-MD5:

    AES256-SHA1:

Now a Kerberos key needs to be transferred to the according Linux computer. To export the key from Active Directory, the ktpass utility is required.

Execute the following command:

ktpass -crypto <crypto-typ> -princ ADERPC/<fqdn>@<REALM> -ptype KRB5_NT_PRINCIPAL -mapuser <user account> -pass <password of the user account> -out <filename>

Possible crypto types:

  • DES-CBC-MD5 (Active Directory 2000/2003)
  • AES256-SHA1 (Active Directory 2008/2008 R2)

Note:

Example:
ktpass -crypto DES-CBC-MD5 -princ ADERPC/fscbackend.sub.comp.com@SUB.COMP.COM -ptype KRB5_NT_PRINCIPAL -mapuser ADERPC-fscbackend -pass <your password> -out fscbackendADERPC.key

Via secure channel (e.g. using ssh) transfer the key file to the Linux server, where it needs to be imported in the Kerberos key tab as described in chapter 6.2 Import of Keys on Linux Servers”.

Note:

  • <REALM> is always all-upper-case.
  • It is imperative that <fqdn> matches the Linux server’s hostname in DNS and the entries in Active Directory exactly, <fqdn> is also case-sensitive.
  • DNS entries for each Linux machine must exist for forward (type A) as well as for reverse (type PTR) lookups.
  • The Active Directory user entries can be validated with “ADSI Edit”. Execute adsiedit.msc and view the properties of the corresponding user. The attributes servicePrincipalName and userPrincipalName shall look similar to the following example:

HTTP Key CreationPermanent link for this heading

For each machine intended for Fabasoft Folio Web Services as well as all nodes running Fabasoft Folio Web Management, a HTTP Kerberos key is required.

Perform the steps of chapter ”ADERPC Key Creation” and replace “ADERPC” with “HTTP”. Name the output file <hostname>HTTP.key, which would result in qavmlinuxrhelHTTP.key for our example host.

Import of Keys on Linux ServersPermanent link for this heading

First create a subdirectory fabasoft in /etc. In the terminal type:

mkdir /etc/fabasoft.

Run the utility /usr/kerberos/sbin/ktutil.

Execute the following commands:

  • Read the specified Kerberos key file (created on the Microsoft Windows Server and subsequently transferred to the Linux machine) into the current key list.
    rkt /path/to/keyfile
  • Write that key into the Kerberos keytab file utilized by all Fabasoft Folio Services:
    wkt /etc/fabasoft/krb5.keytab
  • Do the same for the HTTP key.
    rkt /path/to/keyfile
    wkt /etc/fabasoft/krb5.keytab
  • Type quit and press Enter to exit ktutil.

Note: The ownership and permissions of the file /etc/fabasoft/krb5.keytab need to be changed later on (user fscsrv, group fsc, permissions 0600). This can be done only after the basic Fabasoft Folio software packages have been installed as these packages will create all required users and groups. Do not create the user (or group) yourself!
See white paper “Installation of Fabasoft Folio Services on Linux”.

Kerberos TestsPermanent link for this heading

If one of the tests fails it is necessary to fix the problem before Fabasoft Folio is installed.

First testPermanent link for this heading

Execute the following command and enter the user’s password when prompted:

/usr/kerberos/bin/kinit <Microsoft Windows user>

If no error message is returned, view the ticket cache with the following command:

/usr/kerberos/bin/klist

Verify the output (the default principal must correspond to the provided user):

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <Microsoft Windows user>@<SUB.COMPANY.COM>

Valid startingExpiresService principal
11/15/04 09:16:36  
11/16/04 19:16:38krbtgt/<SUB.COMPANY.COM>@<SUB.COMPANY.COM>

Second testPermanent link for this heading

Issue the following command to acquire a ticket using the key in the Kerberos key tab file instead of an interactive password:

/usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab <principalname>

Example:
/usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab \
   ADERPC/<
hostname>.<sub.company.com>@<SUB.COMPANY.COM>

Note: ‘\’ denotes line continuation.

If no error message is returned, view the ticket cache with the following command:

/usr/kerberos/bin/klist

Verify the output (the default principal must correspond to the provided user):

Along the same lines, try the HTTP key.

/usr/kerberos/bin/kinit –k –t /etc/fabasoft/krb5.keytab \  
   HTTP/<
hostname>.<sub.company.com>@<SUB.COMPANY.COM>

Note: ‘\’ denotes line continuation.

If no error message is returned, view the ticket cache with the following command:

/usr/kerberos/bin/klist

On any errors, please consult the extensive Kerberos documentation.

If no errors occur the installation and configuration of Kerberos has been successful.