RupaJ
Lapis Lazuli | Level 10

Hello,

 

I am working on setting up SSO/IWA for SAS web clients like SAS Studio and need some guidance. I have already set up IWA for the SAS desktop clients successfully, so I am assuming the steps are going to be similar. I have a couple of questions.

 

1) Can I have 2 different keytab files - one for desktop and one for web clients? Or should I alter the keytab of the desktop clients to add the web one? 

 

2) I did set up a separate one, and as per the SAS documentation, here is the command to verify the keytab file, but it doesn't work for me :-(

 

kinit -k -t keytab-filename-and-path.keytab user-principal-name -J-Djava.security.krb5.conf= path-to-Kerberos-file.conf 

 

And I am getting this error:

 

kinit: invalid option -- 'J'
kinit: invalid option -- '-'
kinit: invalid option -- 'D'
kinit: invalid option -- 'j'
kinit: invalid option -- '.'
Bad start time value ecurity.krb5.conf=/etc/krb5.conf
keytab specified, forcing -k
Extra arguments (starting with "src_sasprodkrb@Healthcore.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F | --forwardable | --noforwardable]
[-p | -P | --proxiable | --noproxiable]
-n [-a | -A | --addresses | --noaddresses]
[--request-pac | --no-request-pac]
[-C | --canonicalize]
[-E | --enterprise]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]

options:
-V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]

 

How do I validate if the generated keytab file is working fine and generating a ticket?

 

Thanks for all the help!!

alexal
SAS Employee

@RupaJ ,

Can I have 2 different keytab files - one for desktop and one for web clients?

Yes.

kinit -k -t keytab-filename-and-path.keytab user-principal-name -J-Djava.security.krb5.conf= path-to-Kerberos-file.conf

That is an incorrect command. Here is an example:

kinit -kt /path/to/keytab/file.keytab SAS/my.server.com@MYREALM.COM
RupaJ
Lapis Lazuli | Level 10

@alexal - Thanks for the response. So "SAS/my.server.com@MYREALM" is the principal name in the keytab, right?

 

kinit -kt /path/to/keytab/file.keytab SAS/my.server.com@MYREALM.COM

 

The one I created looks like "HTTP/meta.abc.local@ABC.LOCAL". It says "kinit: Client 'HTTP/meta.abc.local@ABC.LOCAL' not found in Kerberos database while getting initial credentials"

alexal
SAS Employee

@RupaJ ,

 

The SAS/ SPN is intended to be used for IWA/GSSAPI authentication with applications such as SAS Enterprise Guide and SAS Management Console. The HTTP/ SPN is intended to be used for IWA/GSSAPI authentication of web clients. I'm not sure what you have in the keytab file, but you can list all SPNs using the command shown below:

 

klist -kt /path/to/keytab/file.keytab

 

 

RupaJ
Lapis Lazuli | Level 10

Hi @alexal  - I did set up the keytab file with HTTP/SPN for the web clients. Here are the contents of the keytab file as is. 

 

Keytab name: FILE:SASWeb.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 11/12/2019 10:44:17 HTTP/sastestmd.core.local@CORE.LOCAL (arcfour-hmac)
1 11/12/2019 10:44:17 HTTP/sastestmd@CORE.LOCAL (arcfour-hmac)

 

And the errors that I am getting while trying to authenticate...

 

kinit -kt SASWeb.keytab HTTP/sastestmd.core.local@CORE.LOCAL
kinit: Preauthentication failed while getting initial credentials

 

 kinit -kt SASWeb.keytab HTTP/sastestmd@CORE.LOCAL
kinit: Client 'HTTP/sastestmd@CORE.LOCAL' not found in Kerberos database while getting initial credentials

 

Thanks

 

 

alexal
SAS Employee

@RupaJ ,

kinit: Preauthentication failed while getting initial credentials

Have you had a chance to speak with your Linux/Active Directory administrators about an error shown above?

RupaJ
Lapis Lazuli | Level 10

@alexal - I have a question before that. My AD admin has the same question. So how does the keytab file know which account it needs to look for, because I only provide the password of the account to generate the keytab file?

 

Here is how I generated the keytab file btw. 


[an118000ad@sastestmd ~]$ ktutil
ktutil: addent -password -p HTTP/sastestmd.core.local -k 1 -e arcfour-hmac
Password for HTTP/sastestmd.core.local@CORE.LOCAL:
ktutil: addent -password -p HTTP/sastestmd -k 1 -e arcfour-hmac
Password for HTTP/sastestmd@CORE.LOCAL:
ktutil: wkt /home/an118000ad/SASWeb.keytab
ktutil: read_kt /home/an118000ad/SASWeb.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/sastestmd.core.local@CORE.LOCAL
2 1 HTTP/sastestmd@CORE.LOCAL
3 1 HTTP/sastestmd.core.local@CORE.LOCAL
4 1 HTTP/sastestmd@CORE.LOCAL
ktutil: quit

 

Now the SPN is definitely created with that account. 

 

setspn -L src_sastestkrb

Registered ServicePrincipalNames for CN=src_sastestkrb,OU=Service_Accounts,DC=core,DC=local:
HTTP/sastestmd.core.local
HTTP/sastestmd

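To see exactly what a keytab holds before running kinit (the check @alexal suggests with klist -kt), here is an added example that is not code from this thread or from SAS: a small Python reader and writer for the MIT keytab format (version 0x0502). It lists each entry's principal, KVNO and encryption type, the three values that must agree with the account's key in AD; the sample keytab is constructed inline with the thread's two HTTP/ principals and dummy zero keys, so nothing here touches a real KDC.

```python
import calendar
import struct

# Enctype numbers from RFC 3961/4757; 23 is the arcfour-hmac type listed in the thread's keytab.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _cstr(b):  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cstr(data, pos):  # inverse of _cstr; returns (bytes, position after the string)
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):  # (principal, kvno, enctype, key, timestamp) tuples -> version 0x0502 keytab bytes
    out = b"\x05\x02"
    for princ, kvno, etype, key, ts in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, 8-bit kvno
        body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)  # keyblock, then 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):  # -> [(principal, kvno, enctype name, timestamp)], the fields klist -kt prints
    if data[:2] != b"\x05\x02": raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot (ktutil delent): skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp.decode())
        ts, kvno = struct.unpack_from(">IB", data, pos + 4)  # after the 32-bit name_type field
        etype = struct.unpack_from(">H", data, pos + 9)[0]
        pos = _read_cstr(data, pos + 11)[1]  # skip the key bytes; a listing never needs them
        if end - pos >= 4:  # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, "etype %d" % etype), ts))
    return entries

# Constructed sample mirroring the thread's keytab; the keys are dummy zero bytes, not real secrets.
TS = calendar.timegm((2019, 11, 12, 10, 44, 17, 0, 0, 0))
SAMPLE = build_keytab([("HTTP/sastestmd.core.local@CORE.LOCAL", 1, 23, b"\x00" * 16, TS),
                       ("HTTP/sastestmd@CORE.LOCAL", 1, 23, b"\x00" * 16, TS)])
```

Run parse_keytab on the bytes of a real keytab file and compare the KVNO and enctype of each entry with what the AD account currently has; a mismatch in either is a common reason for "Preauthentication failed" when kinit -kt is run.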
alexal
SAS Employee

@RupaJ ,

So how does the keytab file know which account it needs to look for

 

I'm not sure I understood your question, but usually SPNs are associated with specific objects in AD, such as users.
