CREATING SPN FOR SSO

ASSO Kerberos: creating a new SPN and configuring Kerberos for ASSO & RSSO

System: ASSO server = VW-TLV-CUS-SP21.adprod.bmc.com

On this system I have already created an SPN for the ASSO server. The following instructions go through the process of creating a new SPN and configuring ASSO to use it.

We are going to create a standard admin user called “PRIN2”, create an SPN for that user, run the ktpass command to generate a keytab, and use that user to configure ASSO. The account does not need admin rights for any of this to work; because its long-term Kerberos key ends up in the keytab file, it should be a dedicated account with no more privilege than the SSO service itself needs.

NOTE the user logon name in the screenshot below (it will change later in the process).

Check for any duplicate SPNs in the system. If there are duplicates left over from previous attempts to create the SPN, they must be removed with the setspn -D command: an SPN that is registered on more than one account breaks Kerberos for that service, because the KDC cannot decide which account's key to encrypt the service ticket with.

E.g.

setspn -D http/daserver daserver1 (See example below)

SIDE NOTE:

We can also list all SPNs in the domain by running the attached script in PowerShell.

PowerShell's execution policy will have to be changed (Set-ExecutionPolicy) to allow scripts to run.

You can then search the output to see whether there is already an SPN for the ASSO server before continuing.

Creating the SPN: our ASSO host is called VW-TLV-CUS-SP21.adprod.bmc.com, so we run the following command from the command line to map the SPN to the user PRIN2 (no space after HTTP/):

setspn -S HTTP/VW-TLV-CUS-SP21.adprod.bmc.com PRIN2

If the SPN already exists, -S reports that a duplicate SPN was found and does not add it, so the existing mapping will need to be deleted first.

In this case I already had an SPN of HTTP/vw-tlv-cus-sp21.adprod.bmc.com mapped to a user called ASSOPRINCIPLE. We delete it with setspn -D (as in the example above) so we can map the SPN to user PRIN2.

Now we can create the SPN and map it to user PRIN2.

From the command line:

setspn -S HTTP/VW-TLV-CUS-SP21.adprod.bmc.com PRIN2

Once the SPN is created and mapped to the PRIN2 user we have to generate a keytab file for the SPN with ktpass.

e.g.

ktpass -out <file> -mapuser <user> -princ HTTP/<host>@<REALM> -pass <password> -ptype KRB5_NT_PRINCIPAL -target <DOMAIN> -kvno 0

The realm part of the principal is case-sensitive and is conventionally the AD domain name in upper case. Note that ktpass resets the mapped account's password to the value given with -pass, and rewrites the account's logon name to the principal (see below).

In our example

ktpass -out c:\temp\ASSOKeytab -mapuser PRIN2 -princ HTTP/ -pass Madmax1234 -ptype KRB5_NT_PRINCIPAL -target asso.adprod.bmc.com

No -crypto option is given here; the log extract further down shows that the resulting ticket encryption type is RC4 with HMAC. To get an AES key instead, pass -crypto AES256-SHA1 and make sure the account is allowed to use AES.

NOTE: The ASSO server is in adprod.bmc.com but the target domain is asso.adprod.bmc.com. This is a configuration quirk of this environment, but it shows that the ASSO server and the KDC can be in two different domains as long as the domains trust each other (here a parent domain and its child domain in the same forest).

Now let's check the user in AD.

NOTE: the user logon name has been changed from “PRIN2” to the SPN “HTTP/VW-TLV-CUS-SP21.adprod.bmc.com”. This is done by ktpass when it maps the principal to the account.
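The steps above (duplicate check, removing the stale mapping, setspn -S, ktpass, checking the account in AD) as one PowerShell session. This is an added example, not a script from the original note or from BMC. It assumes a domain-joined admin host with the RSAT ActiveDirectory module (Server 2012 or later for -KerberosEncryptionType), that the service account lives in asso.adprod.bmc.com as the ktpass -target in the note implies, and that the principal takes the HTTP/<host>@<REALM> form of the ktpass template above. It also shows, next to the note's own ktpass command, the variant that produces an AES key rather than RC4-HMAC.

```powershell
# Added example, not part of the original note. Assumptions: run as a domain
# admin; RSAT ActiveDirectory module present; account lives in $Domain.
Import-Module ActiveDirectory

$Hostname   = 'VW-TLV-CUS-SP21.adprod.bmc.com'
$Spn        = "HTTP/$Hostname"
$Account    = 'PRIN2'
$Realm      = 'ASSO.ADPROD.BMC.COM'       # Kerberos realm: AD domain name, upper case
$Domain     = 'asso.adprod.bmc.com'       # ktpass -target and the account's domain (assumed)
$KeytabPath = 'C:\temp\ASSOKeytab'
$UseAes     = $true                       # $false reproduces the note's RC4-HMAC keytab

# 1. Find every object in the forest that already carries this SPN. An SPN must
#    map to exactly one account, otherwise the KDC cannot choose the key to
#    encrypt the service ticket with and clients fail to authenticate.
setspn -Q $Spn                            # forest-wide query for this exact SPN
setspn -X                                 # forest-wide duplicate report

$Holders = Get-ADObject -Server $Domain -LDAPFilter "(servicePrincipalName=$Spn)" `
                        -Properties sAMAccountName, servicePrincipalName
$Holders | Select-Object Name, ObjectClass, sAMAccountName

# 2. Remove the stale mapping from any other user (ASSOPRINCIPLE in the note).
foreach ($obj in $Holders) {
    if ($obj.ObjectClass -eq 'user' -and $obj.sAMAccountName -ne $Account) {
        setspn -D $Spn $obj.sAMAccountName
    }
}

# 3. Register the SPN on the service account; -S refuses to add a duplicate.
setspn -S $Spn $Account

# 4. Write the keytab. ktpass resets the account's AD password to the value
#    given with -pass and rewrites its userPrincipalName to the principal.
if ($UseAes) {
    # Hardened variant: AES key in the keytab, account allowed to use AES, and a
    # random password so the keytab is the only credential for this account.
    Set-ADUser -Server $Domain -Identity $Account -KerberosEncryptionType AES256
    ktpass -out $KeytabPath -mapuser $Account -princ "$Spn@$Realm" -pass '+rndpass' `
           -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -target $Domain
} else {
    # The note's command: no -crypto, which in this environment produced an
    # RC4-HMAC key ("Kerberos Encryption Type: RC4 with HMAC" in the log extract).
    ktpass -out $KeytabPath -mapuser $Account -princ "$Spn@$Realm" -pass 'Madmax1234' `
           -ptype KRB5_NT_PRINCIPAL -target $Domain
}

# 5. Verify what AD now holds for the account: the SPN, the rewritten logon
#    name (UPN) and the encryption types the account advertises.
$Props = 'userPrincipalName', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes'
Get-ADUser -Server $Domain -Identity $Account -Properties $Props |
    Select-Object (@('SamAccountName') + $Props)
setspn -L $Account
```

Run step 1 on its own first and read the output before letting step 2 delete anything; setspn -X lists every duplicate in the forest, not only the ASSO one. Copy the keytab to the ASSO server over an encrypted channel and restrict its file permissions: whoever can read it holds the service's long-term key.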

So now we have to configure Kerberos Authentication in ASSO.

In the ASSO console go to your REALM (/BMCREALM by default) and ADD a Kerberos Authentication Type.

In our case we will put in the following values (Note the character casing)

Service Principal Name = HTTP/

Kerberos realm = ASSO.ADPROD.BMC.COM

KDC SERVER = VW-TLV-CUS-SP22.ASSO.ADPROD.BMC.COM

Make UserID available to user store = Checked

Logging Level = All (we can set this back later to message once we confirm if everything is working)

If you get any warning messages, continue and save. If you get any errors, review your entries and fix them before saving.

After saving stop the ASSO server

Delete the logs from ASSO/tomcat/logs

Start the ASSO server

Login to ASSO admin console

Edit Kerberos configuration, view logs. If all is successful the following messages should be shown

Extract

Authentication module: BmcRealm.Kerberos.1418739755144
Date: 20 August, 2015 13:29
Node 1

Logs from: 20 Au

.

.

.

INFO15-08-20 13:28:34.794 Thread-259
Successfully performed service login using password.
FINEST15-08-20 13:28:35.043 Thread-259
Service login succeeded: Subject:
Principal: HTTP/
Private Credential: Ticket (hex) =

0000: 61 82 04 BD 30 82 04 B9 A0 03 02 01 05 A1 15 1B a...0......
0010: 13 41 53 53 4F 2E 41 44 50 52 4F 44 2E 42 4D 43 .ASSO.ADPROD.BMC
0020: 2E 43 4F 4D A2 28 30 26 A0 03 02 01 02 A1 1F 30 .COM.(0&...... 0
0030: 1D 1B 06 6B 72 62 74 67 74 1B 13 41 53 53 4F 2E ...krbtgt..ASSO.
0040: 41 44 50 52 4F 44 2E 42 4D 43 2E 43 4F 4D A3 82 ADPROD.BMC.COM..

.

.

.

Client Principal = HTTP/
Server Principal = krbtgt/
Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 22 E8 23 0B BD 91 5C FB F9 94 42 1E 8D 0A 37 8D ".#...\...B...7.

.

.

FINEST15-08-20 13:28:35.324 Thread-259
Valid SPNEGO/Kerberos Token: true
Valid DER Encoded SPNEGO Token: true
Version 5 SPNEGO/Kerberos Token: true
Version 5 Kerberos Service Ticket:true
Kerberos Encryption Type: RC4 with HMAC
Ticket KVNO: 6
Ticket Realm: ASSO.ADPROD.BMC.COM
SPNEGO Kerberos OID: 1.2.840.113554.1.2.2
SPN 1: HTTP/VW-TLV-CUS-SP21.adprod.bmc.com
SPNEGO Mech 1: 1.2.840.48018.1.2.2
SPNEGO Mech 2: 1.2.840.113554.1.2.2
SPNEGO Mech 3: 1.3.6.1.4.1.311.2.2.30
SPNEGO Mech 4: 1.3.6.1.4.1.311.2.2.10
INFO15-08-20 13:28:35.340 Thread-259
Credentials retrieved from SPNEGO token.
INFO15-08-20 13:28:35.464 Thread-259
Kerberos authentication succeeded.

Test with a DOMAIN user (this assumes the agent has already been deployed and configured).
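The domain-user test done from the command line, as an added example that is not part of the original note. It runs on a domain-joined workstation, logged on as a DOMAIN user, and assumes the ASSO URL shown (substitute the URL the agent protects). The first check talks to the KDC only, so it separates an SPN or keytab problem from an agent or browser problem.

```powershell
# Added example, not part of the original note. Assumptions: domain-joined
# client, logged on as a domain user; $AssoUrl is a placeholder.
$Spn     = 'HTTP/VW-TLV-CUS-SP21.adprod.bmc.com'
$AssoUrl = 'https://vw-tlv-cus-sp21.adprod.bmc.com/atriumsso/'   # assumed path

# 1. Request a service ticket for the SPN directly from the KDC. Success proves
#    the SPN resolves to exactly one account; an error here means the SPN is
#    missing or duplicated, and no agent or browser setting will fix that.
klist purge | Out-Null
klist get $Spn

# 2. Show the cached ticket, including the encryption type the KDC used.
#    With the RC4 keytab from the note this reads RC4-HMAC; with an AES keytab
#    it should read AES-256-CTS-HMAC-SHA1-96.
klist | Select-String -Pattern ([regex]::Escape($Spn)) -Context 0, 6

# 3. Hit ASSO with the logged-on user's credentials. A working setup answers the
#    first anonymous request with 401 and "WWW-Authenticate: Negotiate", then
#    accepts the SPNEGO token; -UseDefaultCredentials makes PowerShell send it.
try {
    $r = Invoke-WebRequest -Uri $AssoUrl -UseDefaultCredentials -UseBasicParsing
    'HTTP {0} after SPNEGO negotiation' -f $r.StatusCode
} catch {
    $resp = $_.Exception.Response
    if ($resp) {
        'HTTP {0}; WWW-Authenticate: {1}' -f [int]$resp.StatusCode, $resp.Headers['WWW-Authenticate']
    } else {
        $_.Exception.Message
    }
}
```

A 200 from step 3 only proves the HTTP exchange completed; confirm the body is the application page and not ASSO's form login, which is where a failed SPNEGO attempt usually lands. The ASSO log with Logging Level = All, as in the extract above, shows whether the server accepted or rejected the token.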