
Say I have an HTTP server that has instances running on machines virt01 through virt09 which have CNAMEs svc01 through svc09. I want to add Kerberos auth to it.

Assume:

  • I'm on AD domain example.com
  • My host DNS entries are host@example.com
  • My Kerberos realm is EXAMPLE.COM

From answers such as this one, I figured that the keytab has to contain entries such as:

HTTP/virt01.example.com@EXAMPLE.COM
...
HTTP/virt09.example.com@EXAMPLE.COM
HTTP/svc01.example.com@EXAMPLE.COM
...
HTTP/svc09.example.com@EXAMPLE.COM

in order for browsers and other clients (such as other non-interactive services) to be able to authenticate against the servers. Is the above correct?

If it is, a follow-up question is: is there a way to make a "service alias", so to speak, so I can put just one entry in the keytab:

HTTP/svc-alias.example.com@EXAMPLE.COM

somehow? This is in order to be able to move the service to other hosts, for example, and not have to regenerate the keytab with a new host and CNAME added. This is especially important for local testing. E.g. if this is tested on workstation583, a new keytab entry for that workstation would have to be made, which is really inconvenient.

If not possible, what is the easiest way to manage adding / removing hostnames? How is this done in practice with multi-server deployments to make it manageable?

Any resources answering any of the above are appreciated as well.

levant pied
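To make the "which hostnames does this keytab actually cover" question checkable rather than guessed at, here is an added example (not code from the question or from any Kerberos implementation) that reads the MIT version-2 keytab file format and reports the HTTP/host@REALM principals a host list needs but the file lacks. The writer is only there to construct a sample keytab offline; the key bytes, kvno, hostnames and timestamp are constructed placeholders, and the check compares principal names only (it does not prove the keys match what the KDC holds, which `kinit -kt` against the file does).

```python
import struct
import time

# MIT keytab file format, version 2 (all integers big-endian):
#   bytes 0-1: 0x05 0x02
#   then records, each prefixed by an int32 length (negative = free slot):
#     uint16 component count
#     counted string realm, counted string per component (uint16 length + bytes)
#     uint32 name type, uint32 timestamp, uint8 kvno
#     uint16 enctype, counted bytes key
#     optional uint32 kvno (overrides the 8-bit field when present and non-zero)
KEYTAB_V2 = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data: bytes) -> bytes:
    """uint16 length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=None):
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes.

    Used here only to construct a sample file offline; a real keytab comes
    from ktpass/ktutil/kadmin and its keys are never typed in by hand.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")          # "HTTP/host" -> ["HTTP", "host"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return [{principal, kvno, enctype, name_type}, ...]; key bytes are skipped."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break                             # malformed trailer; stop rather than spin
        if size < 0:                          # free slot left by a deleted entry
            pos += -size
            continue
        rec, pos = blob[pos:pos + size], pos + size
        off = 0

        def take_counted():
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2
            chunk = rec[off:off + n]
            off += n
            return chunk

        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = take_counted().decode()
        comps = [take_counted().decode() for _ in range(ncomp)]
        name_type, _ts, kvno = struct.unpack_from(">IIB", rec, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", rec, off)
        off += 2
        take_counted()                        # key material: read past, never returned
        if off + 4 <= size:
            (kvno32,) = struct.unpack_from(">I", rec, off)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "name_type": name_type})
    return entries


def missing_spns(blob, hosts, service="HTTP", realm="EXAMPLE.COM"):
    """Which service/host@REALM principals the host list needs but the keytab lacks."""
    present = {e["principal"] for e in parse_keytab(blob)}
    return [p for p in (f"{service}/{h}@{realm}" for h in hosts) if p not in present]


# Constructed sample: one service account, the same key under every SPN, kvno 2.
DUMMY_KEY = bytes(range(32))                  # placeholder bytes, not a real key
SAMPLE_HOSTS = [f"{n}{i:02d}.example.com" for n in ("virt", "svc") for i in (1, 2, 3)]
SAMPLE_KEYTAB = build_keytab(
    [(f"HTTP/{h}@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96, DUMMY_KEY)
     for h in SAMPLE_HOSTS],
    timestamp=1568678400)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno={e['kvno']} etype={e['enctype']} {e['principal']}")
    # A host added to the pool shows up as a gap before it goes live.
    print("missing:", missing_spns(SAMPLE_KEYTAB, SAMPLE_HOSTS + ["svc04.example.com"]))
```

Run `missing_spns` with the real keytab bytes and the deployment's current host list as part of a deploy check: every name clients may resolve to (both the virtNN A-record names and the svcNN names) must be present, and a host that was never added, or one whose entry was removed, is reported by principal so it can be re-issued for the same service account.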
  • A keytab is implementation-dependent as to how it picks which keys to use. However, this won't help you because the client is always going to resolve the authoritative record of the host to look up an SPN. Aliases are explicitly not recommended for Kerberos for security reasons. – Steve Sep 16 '19 at 23:27
  • @Steve Thanks! "Aliases are explicitly not recommended for Kerberos for security reasons." Why is that? Any references so I read more about that? – levant pied Sep 17 '19 at 11:24
  • The RFC itself is clear on this, section 1.3 https://tools.ietf.org/html/rfc4120 – Steve Sep 17 '19 at 15:39
  • @Steve If you meant this part "Thus, for example, one should not rely on an unprotected DNS record to map a host alias to the primary name of a server...", then I think that's not the same I'm asking for. I'm asking for a KDC to do the principal aliasing internally only. I.e. if a client asks for principal `svc01`, then have the KDC return the key for `svc-alias`, where `svc-alias` is in the server's keytab. That way a client can ask for any `svcXX` and get a ticket that the server can decode. Otherwise, the server would need all `svcXX` principals in its keytab, which I'm not sure how to scale – levant pied Sep 17 '19 at 17:25
  • Oh I see. You should just be able to add the names as SPNs to the service account in AD. You can't use an alias though for the above reason. You have to use an A record name, which if it's the dev workstation might be problematic if it's already joined to the domain. – Steve Sep 17 '19 at 20:31
  • If you have a Load Balancer whose canonical DNS name is `svc-alias.example.com`, if you define an SPN for that Load Balancer, and if your web services accept service tickets using that "generic" SPN... it would work. That's how some Hadoop components manage High Availability. But web servers don't do that by default... Also, you need the LB to manage "sticky" connections because SPNEGO itself requires a round-trip (with a "401 require Kerberos or NTLM token" challenge) before starting Kerberos auth proper. – Samson Scharfrichter Sep 18 '19 at 16:23
