
[I'm fairly new to the Kerberos protocol]

We have a customer who, back in 2020, was using a domain, let's call it customdom.itm, which has a user account krb-test-cd set up for Kerberos delegation; this domain is part of an Active Directory forest itm.
Since they're a large corporation with many users across different countries, they also have another huge AD forest with many child domains (and domain controllers); let's call it top.abc. Here the domain relevant to us is aust.top.abc, which has the krb-test-aust user account set up for Kerberos.

Since the forests itm and top.abc are different, the same servicePrincipalName for both krb users is safely set to HTTP/testloadbalancer.com, while their userPrincipalName is of course different, i.e.:

  1. krb-test-cd uPN is HTTP/testloadbalancer.com@CUSTOMDOM.ITM
  2. krb-test-aust uPN is HTTP/testloadbalancer.com@AUST.TOP.ABC

And since https://testloadbalancer.com is part of the intranet sites at the customer, their browsers do not challenge the users to enter their AD credentials.

Now here's the problem:
Last month the customer decided to migrate the users in customdom.itm to a new domain, can.top.abc, which is part of the forest top.abc. The user krb-test-cd and some other accounts were not migrated, however, and customdom.itm still exists in its own forest.
Due to the migration, these users are now challenged every time to enter their AD credentials and are granted access only with the old domain name, i.e.
customdom\michael and password

I have set up a new user account krb-test-can in the domain can.top.abc for Kerberos delegation with setspn and the SPN HTTP/testloadbalancer.com, and the first time I got this error:

The operation failed because SPN value provided for addition/modification is not unique forest-wide.

Next, I tried ktpass with SPN HTTP/testloadbalancer.com@CAN.TOP.ABC, and I get another error:

Failed to set property 'servicePrincipalName' to 'host/<host name>' on
Dn 'CN=<CN Name>,CN=Users,DC=<DC Name>,DC=<DC Name>,DC=abc': 0x13.
WARNING: Unable to set SPN mapping data.

Later, I finally understood that the SPN is already set to user krb-test-aust.

My question is:
How can I still successfully assign the SPN HTTP/testloadbalancer.com and eventually UPN HTTP/testloadbalancer.com@CAN.TOP.ABC to the user krb-test-can without affecting Kerberos delegation to user krb-test-aust?
Or is there a workaround on how I can use only the user krb-test-aust to delegate Kerberos authentications to the users now residing in domain can.top.abc without the need for user krb-test-can at all?

Any help is highly appreciated.
Thanks in advance!



[Some background]
We have an Access Management software on our side where we have configured many Identity Providers, 2 Policy Enforcement Points and Kerberos authentication for single sign-on for each of the above 2 domains.
We only need to inject the uPN and the password of the krb users into the respective PEPs, and the software doesn't require a keytab file.
We are identity providers and the customer uses some links like https://testloadbalancer.com/xyz/efg_idp/entityid to make an IdP initiated login and is redirected to the target application.
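Before running setspn or ktpass, a forest-wide lookup shows which account already holds the SPN and explains the "not unique forest-wide" error. This is an added example, not from the original post; it assumes the ActiveDirectory RSAT module and a reachable global catalog for the forest named in the question.

```powershell
# Added example: find every object in the forest that holds a given SPN.
# Assumes the ActiveDirectory module (RSAT) and a global catalog for top.abc.
Import-Module ActiveDirectory

$Spn    = 'HTTP/testloadbalancer.com'   # SPN from the question
$Forest = 'top.abc'                     # forest name from the question

# Query the global catalog (port 3268) so every child domain of the forest is
# searched, not only the domain the current session is joined to.
$holders = Get-ADObject -Server "${Forest}:3268" `
    -Filter "servicePrincipalName -eq '$Spn'" `
    -Properties servicePrincipalName, userPrincipalName, objectClass

if (-not $holders) {
    Write-Host "No object in forest $Forest holds $Spn; a new registration would be unique."
} else {
    # The DN shows which child domain (e.g. DC=aust,DC=top,DC=abc) owns the SPN,
    # and the UPN shows the realm the service ticket will be issued for.
    foreach ($h in $holders) {
        '{0} ({1}) UPN={2}' -f $h.DistinguishedName, $h.objectClass, $h.userPrincipalName
    }
}

# Built-in equivalent: -F widens a -Q (query) to the whole forest instead of one domain.
setspn -F -Q $Spn

# Full duplicate sweep across the forest; reports any SPN registered on more than one object.
setspn -X -F
```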

  • You can't. SPNs are unique per-*forest* so trying to add an existing SPN to krb-test-can is impossible as long as krb-test-aust has it registered. Your options are to pick a new SPN (and by extension the DNS name of the LB), or make it work with *just* the krb-test-aust principal. – Steve Jan 30 '21 at 21:08
  • @Steve Thanks for the clarification. How can I make it work with just the krb-test-aust user's principal? Is there a workaround? (like how I asked in the 2nd question) – user136819 Jan 31 '21 at 10:47
  • Well in theory you should be able to just set the load balancer SP to the krb-test-aust account and credentials and it should work. – Steve Feb 01 '21 at 17:00
  • @Steve You mean that there's a cross-domain trust which should be able to handle this? If yes, how can I setup this? – user136819 Feb 01 '21 at 17:07
  • You can create a forest trust between `customdom.itm` and `can.top.abc` and add what's called a top-level-name to the trust for `testloadbalancer.com`. OR you can configure `testloadbalancer.com` to use the account in `aust.top.abc`. There's already a trust between CAN and AUST since they're in the same forest. – Steve Feb 01 '21 at 21:17
  • @Steve I think I will go with the 2nd approach of configuring the `aust.top.abc` account. But if you'd like, please also shed some light on how to create the forest trust and how to add the "top-level-name" as an answer rather than a comment and I will accept it as an answer here! ;-) – user136819 Feb 01 '21 at 22:41

1 Answer

Taking a hint from Steve, I finally found the solution to my own problem:
Since the domains can.top.abc and aust.top.abc and other domains are part of the same forest top.abc, they SHOULD have a cross-domain trust (I'm not sure if the trust is default or needs to be set up separately).

Hence, I only need the user account krb-test-aust to delegate Kerberos authentications to the users residing in all domains under top.abc.
The uPN of krb-test-aust remains HTTP/testloadbalancer.com@AUST.TOP.ABC.
