Solved

IBM WAS - Accepting Kerberos tokens from two different AD KDCs

Posted on 2010-08-30
6
979 Views
Last Modified: 2013-12-11
How does one configure an IBM WAS cell (RHLinux) to accept Kerberos tokens from two different KDCs.  The KDCs are both Win2008R2 ADs, and they have a transitive forest trust between them.  Is it possible to put SPNs into both ADs so we can accept tickets from either?  If so, do we just "merge" the keytabs from the two ADs into one?
0
Comment
Question by:midlman
  • 3
  • 3
6 Comments
 
LVL 8

Expert Comment

by:AdminRAM
ID: 33563327
I am assuming Example scenario topology
---------------------------
                                                                       
WAS machine -- WAS.domain1.com
                                         
websphere security using AD -- AD1.domain1.com

same AD using one of KDC server keytab created -- AD1.domain1.com

KDC server2 Ketab created -- KDC.domain1.com  
                       
url hiting  -- ‘webserver.domain1.com’ is a DNS entry that routes to the Web Server

My sugestion
-------------

1) First they need to trust these domains AD1.domain1.com and KDC.domain4.com

The following scenarios are supported for trust relation between domains.                                  
Support information for SPNEGO Web authentication with a browser client  
The following scenarios are supported:                                  
Cross-forest trusts                                                      
Domain trust within the same forest                                      
Kerberos realm trust                                                    
                                                                         
The following scenarios are not supported:                              
Forest external trusts                                                  
Domain external trusts        

2) They need to configure Websphere security to use federated repository so that customer use option referral --> follow

Select the type of referral.  A referral is an entity that is used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default value is ignore.

follow
    Referrals are followed automatically.

3) I believe you need to merge these two keytab created from KDC servers keytab  -- AD1.domain1.com and  server2 Ketab  -- KDC.domain1.com
0
 

Author Comment

by:midlman
ID: 33566857
Not sure about this.  I understand KDC referrals, but in this case, I don't need a referral.  I have users authenticated in two different ADs.  (By the way, these ADs are NOT used for authorization, so don't need to be federated for access by WAS.  They are never directly accessed, only produce tickets that are consumed by WAS.)  Upon authentication, the separate ADs will produce tickets for server access themselves, since both must have an SPN for the service registered in them.
0
 
LVL 8

Expert Comment

by:AdminRAM
ID: 33577251
What version of websphere ?

Additional check the following comment from the following link

http://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

  *  You do not need to configure the WebSphere registry to be Microsoft Active Directory via the Lightweight Directory Access Protocol (LDAP). In general, the user ID obtained from the service ticket is known as the Kerberos UserPrincipalName. Specifically Microsoft calls it the ClientPrincipalName. This user ID must map to a meaningful name in the WebSphere security registry. The simplest mapping is where the WebSphere registry is the LDAP provided by Active Directory. We have considerable experience deploying the SPNEGO TAI with trivial and non-trivial mappings, including where the WebSphere registry was a:
          o WebSphere Federated repository composed of one or more underlying LDAP registries
          o Single Active Directory domain LDAP
          o Set of Active Directory LDAP servers configured as an Active Directory Forest
          o IBM Tivoli Directory Server LDAP
          o Domino LDAP
          o z/OS® RACF registry
          o Custom User Registry (various types)

These mapping solutions require the creation of customer-specific custom code, typically in the form of a LoginModule to morph the Java Subject built by the TAI that contains the Windows identity, into a new Java Subject containing the mapped-to user ID valid in the WebSphere registry. The mechanics of these LoginModules are beyond the scope of this article and require an expert to create.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:midlman
ID: 33577912
WAS 6.1
The registry is not an issue in this question.  We know how to handle that.
The issue is being able to configure WAS to accept tickets from two different ticket servers for the same service.  
Does the app need to be addressable via two different URLs, that match to the two kerberos realms?
Do we just register SPNs in both KDCs and merge the resulting keytabs?
How does this affect the .conf file?
Has anyone actually done this and seen it work?
0
 
LVL 8

Expert Comment

by:AdminRAM
ID: 33619776
Do we just register SPNs in both KDCs and merge the resulting keytabs?

---> You need to merge the both keytab files

How does this affect the .conf file?

---> In WAS v6.1 I am not sure  if you can merge conf file if you have  single jvm. because conf file contains default domain contains one kdc name.. not sure how we can define multiple domains to use... on single conf file..

I am researching on this...

Has anyone actually done this and seen it work?

--> I haven't tried this...

0
 

Accepted Solution

by:
midlman earned 0 total points
ID: 33727558
No solution forthcoming.  Abandoning question.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Most of the developers using Tomcat find it easy to configure the datasource in Server.xml and use the JNDI name in the code to get the connection.  So the default connection pool using DBCP (or any other framework) is made available and the life go…
Upgrading Tomcat – There are a couple of methods to upgrade Tomcat is to use The Apache Installer is to download and unzip and run the services.bat remove|install Tomcat6 Because of the App that we are working with, we can only use Tomcat 6.…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now