[RESOLVED] Kerberos Error 405

Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 22, 2023 - 1:54 PM

Hello everyone,

We have had our WAPT Enterprise server (up to date) in production on an Ubuntu server (also up to date) for over a year now.

For version details:
WAPT 2.3.0.13516
Ubuntu 22.04.2 LTS
We wanted to move away from NTLM in our domain and use only Kerberos.

We therefore set about configuring WAPT with Kerberos.

- All configurations meet the prerequisites (Debian installation section)
- We followed the documentation on "strengthening the security of your WAPT server" (Except for the Firewall part which we will implement after Kerberos).

The entire "Kerberos configuration and post-configuration" process went smoothly.

However, it is now impossible to connect from the WAPT software center.

If I follow the documentation, this gives:
- use_kerberos=True is correctly enabled on both the client and server sides
- The Keytab is good and conforms to what the documentation presents
- The command "kinit -k -t /etc/nginx/http-krb5.keytab srvwapt\$@AD.TRANQUIL.IT" does indeed generate a ticket for the server (klist)
- On a client PC, using the system console and the command "wapt-get register", I can successfully register the device:
C:\windows\system32>wapt-get register
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Registering host against server: https://srvwapt.toto.local
Host correctly registered against server https://srvwapt.toto.local.
If I run a test using the curl command, I get an error: HTTP/1.1 405 METHOD NOT ALLOWED:
> GET /add_host_kerberos HTTP/1.1
> Host: frscmwapt.scmlemans.com
> Authorization: Negotiate CLE_EFFACE
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 METHOD NOT ALLOWED
< Server: nginx
< Date: Wed, 22 Mar 2023 12:33:32 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 178
< Connection: keep-alive
< WWW-Authenticate: Negotiate CLE_EFFACE
< WWW-Authenticate: Basic realm=""
< Allow: OPTIONS, POST, HEAD
< Strict-Transport-Security: max-age=63072000
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>
* Connection #0 to host srvwapt.toto.local left intact
If I do the test in Firefox as mentioned once or twice on the forum, I get the same result (405 METHOD NOT ALLOWED).

If I request a ticket from a user's PC, it returns this:
C:\windows\system32>klist get https://srvwapt.toto.local

LogonId is 0:0x3e7
Error calling API LsaCallAuthenticationPackage (substatus GetTicket): 0x6fb

klist failed with 0xc000018b/-1073741429: The Windows server's SAM database does not have a computer account for the trust relationship with this workstation.
Finally, no user can now use the software center (which makes sense to me since the Kerberos request failed)
However, the admin console still works (which makes sense since it does not use Kerberos).

Sorry for the "wall of text" and thank you for reading.
Last edited by marceld on March 23, 2023 - 17:10, edited 2 times.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 22, 2023 - 2:41 PM

If you see the message "Method Not Allowed", then everything is fine ;)

You can also try using the following URL in your browser:

https://srvwapt.mydomain.lan/api/v3/login_kerberos

For Kerberos to work on the self-service side, you must add the following to the wapt-get.ini file of your agents:

[global]
use_kerberos=1
service_auth_type=waptserver-ldap

and on the WAPT server side, configure LDAP in /opt/wapt/conf/waptserver.ini by putting:

[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password

then reboot the wapt server:

systemctl restart waptserver
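The reading given above ("Method Not Allowed" means the Kerberos step is fine) can be checked mechanically. The script below is an added example, not WAPT's code and not from either poster: it parses a raw response of the kind `curl -v` prints and decides whether the request got past nginx's Negotiate (SPNEGO) check. The two response samples are constructed from the headers quoted in the thread, with the token replaced by a placeholder; the verdict strings are the example's own.

```python
"""Interpret a raw HTTP response from the WAPT Kerberos endpoints.

Added example, not WAPT's code and not from the posters. A 405 on
GET /add_host_kerberos means the request passed nginx's Negotiate check and
reached the application, which only accepts POST there; a bare 401 Negotiate
challenge means no acceptable ticket was presented.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the 405 reply quoted in the thread (token redacted).
SAMPLE_405 = """HTTP/1.1 405 METHOD NOT ALLOWED
Server: nginx
Date: Wed, 22 Mar 2023 12:33:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 178
Connection: keep-alive
WWW-Authenticate: Negotiate REDACTED_TOKEN
WWW-Authenticate: Basic realm=""
Allow: OPTIONS, POST, HEAD
Strict-Transport-Security: max-age=63072000

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
"""

# Constructed sample: an initial Negotiate challenge, i.e. nginx did not
# accept a ticket and never forwarded the request to the application.
SAMPLE_401 = """HTTP/1.1 401 Unauthorized
Server: nginx
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm=""
Content-Length: 0
"""


@dataclass
class Response:
    status: int
    reason: str
    # Header names are lower-cased; repeated headers (WWW-Authenticate) are kept.
    headers: dict[str, list[str]] = field(default_factory=dict)

    def get(self, name: str) -> list[str]:
        return self.headers.get(name.lower(), [])


def parse_response(raw: str) -> Response:
    """Parse the status line and the header block; the body is ignored."""
    lines = [line.rstrip("\r") for line in raw.lstrip().splitlines()]
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    reason = parts[2] if len(parts) == 3 else ""
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate stray lines in pasted output
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(int(parts[1]), reason, headers)


def diagnose(resp: Response, method: str = "GET") -> tuple[str, str]:
    """Return (verdict, explanation) for a request made with `method`."""
    negotiate = [v for v in resp.get("WWW-Authenticate")
                 if v.lower().startswith("negotiate")]
    # A token after "Negotiate" in the reply is the server's mutual-auth blob,
    # only sent once the client's ticket was accepted.
    has_server_token = any(len(v.split()) > 1 for v in negotiate)
    allowed = {m.strip().upper()
               for v in resp.get("Allow") for m in v.split(",") if m.strip()}

    if resp.status == 405 and allowed and method.upper() not in allowed:
        return ("kerberos-ok",
                "request passed the Kerberos check and reached the application; "
                f"the endpoint accepts {sorted(allowed)} rather than {method}")
    if resp.status == 401 and negotiate and not has_server_token:
        return ("kerberos-challenge",
                "server is asking for a Negotiate token; no valid ticket was presented")
    if resp.status in (401, 403):
        return ("auth-failed", f"{resp.status} {resp.reason}".strip())
    if 200 <= resp.status < 300:
        return ("ok", "authenticated and the method is accepted")
    return ("unknown", f"{resp.status} {resp.reason}".strip())


if __name__ == "__main__":
    for raw in (SAMPLE_405, SAMPLE_401):
        verdict, why = diagnose(parse_response(raw))
        print(f"{verdict}: {why}")
```

The check keys on two things visible in the quoted output: the `Allow` header (the application, not nginx, produced the 405, so the ticket was accepted) and whether the `WWW-Authenticate: Negotiate` header carries a token (mutual authentication reply) or is an empty challenge.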
Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 22, 2023 - 2:59 PM

Hello Sfonteneau,

So:

It initially indicates "Authentication OK":
[attachment ok.JPG (27.79 KB): screenshot of the browser test showing "Authentication OK"]

sfonteneau wrote:
[global]
use_kerberos=1
service_auth_type=waptserver-ldap

So that's precisely the point I wanted to raise. I've looked through the documentation and the forum extensively, and sometimes it says "1" and other times it says "True". Are both acceptable?

sfonteneau wrote:
[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password

I had already tried adding them (I uncommented them, but it didn't change my problem).
Does it just need a standard user account, or does it require specific privileges?

Thank you for your time.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 22, 2023 - 4:48 PM

Marceld wrote: March 22, 2023 - 2:59 PM
So that's precisely the point I wanted to raise. I've looked through the documentation and the forum extensively, and sometimes it says "1" and other times it says "True". Are both acceptable?

Yes, absolutely, 1 = True so you can put whatever you want.

Marceld wrote:
Does it just need a standard user account or does it require specific privileges?

It needs the rights to read the memberOf attribute of user records (you can test this with the small ldapadmin software).
Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 22, 2023 - 6:42 PM

Thanks for the tool.

The user account created can indeed read the "Member Of" attribute.

If the Kerberos tests are OK but the Software Center's "SSO" is not, what could be causing this?
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 23, 2023 - 10:17

The only thing we haven't checked is your self-service rule package.

Is a self-service rule package installed?

Do you get an error message when you open it?
Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 23, 2023 - 12:05

Hello,

Yes, there is a self-service package for users.

It worked fine with NTLM authentication.

It just displays "incorrect password or username" whether I enter a password or not.

I also can't open it with an account that has local administrator rights.

Have a good day.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 23, 2023 - 12:19

If your agent is correctly configured in this way, it shouldn't ask for a password:

[global]
use_kerberos=1
service_auth_type=waptserver-ldap

Then:

net stop waptservice
net start waptservice
Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 23, 2023 - 3:23 PM

sfonteneau wrote:
If your agent is correctly configured in this way, it shouldn't ask for a password:

Ah ok, yet in another topic you specified that the ID and password were always required if we ever needed to switch to admin.

sfonteneau wrote:
use_kerberos=1
service_auth_type=waptserver-ldap

I can confirm that this is indeed the configuration I have on my test client.

I don't see anything in the client-side logs regarding a possible error. Is there a specific place where I could find logs about the connection attempt?
Marceld
Messages: 28
Registration: March 22, 2023 - 1:19 PM

March 23, 2023 - 5:10 PM

For your information, and after speaking with support over the phone:

That was a mistake on my part:

I had modified the following line:

service_auth_type=waptserver-ldap

to:

service_auth_type=mywaptserver.toto.local

That line should not have been changed.

Thank you again for your responsiveness!

We will finally be able to get rid of NTLM :D
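The settings discussed in this thread, and the mistake that resolved it, can be caught by reading the two ini files before restarting anything. The checker below is an added example, not part of WAPT and not either poster's code: it parses the `[global]` block of wapt-get.ini and the `[options]` block of waptserver.ini with Python's configparser and reports use_kerberos values that are neither 1 nor True, a service_auth_type that has been replaced by a host name instead of the keyword waptserver-ldap, LDAP keys still commented out, and LDAP configured without TLS. Section and key names come from the thread; the sample ini contents are constructed.

```python
"""Check the WAPT agent and server settings that came up in this thread.

Added example, not WAPT's own code. Keys and values are the ones shown in
the thread; ini samples are constructed.
"""
from __future__ import annotations

import configparser

# The [options] keys sfonteneau listed for /opt/wapt/conf/waptserver.ini.
LDAP_KEYS = (
    "ldap_auth_server",
    "ldap_auth_base_dn",
    "ldap_auth_ssl_enabled",
    "verify_cert_ldap",
    "ldap_account_service_login",
    "ldap_account_service_password",
)

AGENT_OK = """[global]
use_kerberos=True
service_auth_type=waptserver-ldap
"""

# Constructed: the mistake from the last post, the keyword swapped for a host.
AGENT_HOSTNAME = """[global]
use_kerberos=1
service_auth_type=mywaptserver.toto.local
"""

SERVER_OK = """[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password
"""

# Constructed: the LDAP block left commented out (configparser skips them).
SERVER_COMMENTED = """[options]
# ldap_auth_server = srvads.mydomain.lan
# ldap_auth_base_dn = DC=mydomain,DC=lan
"""


def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_agent(ini_text: str) -> list[str]:
    """Problems found in a wapt-get.ini for Kerberos self-service login."""
    cp = _load(ini_text)
    if not cp.has_section("global"):
        return ["missing [global] section"]
    problems: list[str] = []
    try:
        # configparser accepts 1/yes/true/on, which matches "1 = True" above.
        if not cp.getboolean("global", "use_kerberos", fallback=False):
            problems.append("use_kerberos is not enabled (set 1 or True)")
    except ValueError:
        problems.append("use_kerberos has an unrecognised value "
                        f"{cp.get('global', 'use_kerberos')!r}")
    sat = cp.get("global", "service_auth_type", fallback="").strip()
    if sat != "waptserver-ldap":
        hint = ""
        if "." in sat:
            hint = " (this looks like a host name; the key takes a keyword)"
        problems.append(
            f"service_auth_type={sat!r}, expected 'waptserver-ldap'{hint}")
    return problems


def check_server(ini_text: str) -> tuple[list[str], list[str]]:
    """(errors, warnings) for the LDAP block of waptserver.ini."""
    cp = _load(ini_text)
    if not cp.has_section("options"):
        return (["missing [options] section"], [])
    errors = [f"{key} is missing or still commented out"
              for key in LDAP_KEYS if not cp.has_option("options", key)]
    warnings: list[str] = []
    if (cp.has_option("options", "ldap_auth_ssl_enabled")
            and not cp.getboolean("options", "ldap_auth_ssl_enabled")):
        warnings.append("ldap_auth_ssl_enabled=False: the service account's "
                        "bind goes to the directory without TLS")
    if (cp.has_option("options", "verify_cert_ldap")
            and not cp.getboolean("options", "verify_cert_ldap")):
        warnings.append("verify_cert_ldap=False: the LDAP server certificate "
                        "is not checked")
    return errors, warnings


if __name__ == "__main__":
    print("agent ok:", check_agent(AGENT_OK))
    print("agent hostname:", check_agent(AGENT_HOSTNAME))
    print("server ok:", check_server(SERVER_OK))
    print("server commented:", check_server(SERVER_COMMENTED))
```

The two LDAP warnings are deliberate: the values quoted in the thread disable TLS and certificate checking for the directory connection, which works but leaves the service account's bind unprotected on the network, so treat them as a lab shortcut rather than a production setting.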