[SOLVED] Configuration: two forests, two domains, one WAPT server

Sylvain
Messages: 4
Registration: January 19, 2023 - 3:23 PM

January 6, 2025 - 10:55

Hello everyone! I'll try to keep it simple. Here's my new project, which involves several domains:
My setup: On my main Windows Server 2022 Hyper-V server, I have an existing and functional AD DS DNS VM with the "efv2.efv2.ad" forest and "efv2.ad" domain. I also have a functional Debian VM with NGINX for WAPT Enterprise 2.5, connected via another Debian VM with an NGINX reverse-proxy stream and a working password-secured HTTPS interface. So far, so good.
I now have a second AD DS DNS VM on my main server with another functional "lifv.lifv.ad" forest and "lifv.ad" domain. My new client machines can be added to either of these domains.
My question: I saw in the documentation that I need to add a .keytab, but before I mess things up as usual, I'd prefer to check with you.

I'm getting confused about Kerberos and the keytab. Do I need to put the public URL of my online server: https://www.srvwapt.lifv.lt/ like HTTP/-URL-.domain.local.keytab = HTTP/srvwapt.lifv.lt.lifv.ad + HTTP/srvwapt.lifv.lt.efv2.ad? Or is it none of that since the UPN also adds the domain?
Do I need to change the SPN of two computer clients and two user clients in both ADs?
On the interface, do I need to change the deployment and add a new --hash to create a new GPO in my second domain?
In my new AD DS VM, do I need to create an account for the WAPT server machine?
Any help would be greatly appreciated :)!
Thanks, have a good day!
Sylvain
blemoigne
Messages: 178
Registration: July 17, 2020 - 11:29

January 7, 2025 - 5:06 PM

Good morning,
For Kerberos, a machine account is required on each parent domain with the SPN corresponding to the WAPT server name as it is called in the agent's configuration file (wapt-get.ini). If in wapt-get.ini we have "wapt_server = https://srvwapt.lifv.lt", then the keytab must be created as follows:

in the lifv.ad domain:

ktpass -out C:\http-krb5.keytab -princ HTTP/srvwapt.lifv.lt@LIFV.AD rndpass -minpass 64 -crypto all -pType KRB5_NT_PRINCIPAL /mapuser srvwapt$@LIFV.AD
in the efv2.ad domain:

ktpass -out C:\http-krb5.keytab -princ HTTP/srvwapt.lifv.lt@EFV2.AD rndpass -minpass 64 -crypto all -pType KRB5_NT_PRINCIPAL /mapuser srvwapt$@EFV2.AD
then merge the keytab files, and place them in their directory with the correct permissions.

Good evening,
Bertrand
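An added check for the merge step above (example code written for this thread, not WAPT's or Bertrand's): before copying the merged file to the server it is worth confirming that the single SPN really exists for both realms and seeing which key types landed in it. The script builds a constructed sample keytab in memory (placeholder key bytes, nothing real), parses the MIT keytab file format version 0x0502 that ktpass and ktutil write, reports any realm that lacks the HTTP/srvwapt.lifv.lt principal, and flags DES and RC4 entries, which "-crypto all" writes next to the AES keys. The principal names and realms are the ones from this thread; the kvno values and keys are assumptions.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # legacy DES/RC4 keys that "-crypto all" also emits
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str  # e.g. "HTTP/srvwapt.lifv.lt@LIFV.AD"
    enctype: int
    kvno: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob: bytes, pos: int) -> tuple[bytes, int]:
    """Read one counted octet string at pos; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    """Serialise entries in keytab format version 0x0502 (what ktpass/ktutil write)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        # name_type, timestamp (0 in this constructed sample), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> list[KeytabEntry]:
    """Parse a version 0x0502 keytab, skipping deleted slots (negative size)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:          # deleted entry: its payload still occupies -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _take(blob, pos)
        components = []
        for _ in range(ncomp):
            c, pos = _take(blob, pos)
            components.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _take(blob, pos)
        kvno = vno8
        if end - pos >= 4:    # 32-bit kvno present, it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm.decode(),
                                   enctype, kvno, key))
    return entries


def check_merged_keytab(blob: bytes, spn: str, realms: list[str]) -> dict:
    """Confirm the SPN exists for every realm and list entries using weak enctypes."""
    entries = parse_keytab(blob)
    present = sorted({e.principal for e in entries})
    missing = [r for r in realms if f"{spn}@{r}" not in present]
    weak = [f"{e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries if e.enctype in WEAK_ENCTYPES]
    return {"principals": present, "missing_realms": missing, "weak_entries": weak}


# Constructed sample: both realms carry the SPN; LIFV.AD also has an RC4 key.
# Key bytes are placeholders, not real secrets.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/srvwapt.lifv.lt@LIFV.AD", 18, 3, b"\x11" * 32),
    KeytabEntry("HTTP/srvwapt.lifv.lt@LIFV.AD", 23, 3, b"\x22" * 16),
    KeytabEntry("HTTP/srvwapt.lifv.lt@EFV2.AD", 18, 2, b"\x33" * 32),
]

if __name__ == "__main__":
    report = check_merged_keytab(build_keytab(SAMPLE_ENTRIES),
                                 "HTTP/srvwapt.lifv.lt", ["LIFV.AD", "EFV2.AD"])
    for k, v in report.items():
        print(k, v)
```

Against a real file, read it with open(path, "rb") and pass the bytes to check_merged_keytab; on the Debian server "klist -kt <file>" from MIT krb5 lists the same principals and kvno values. An empty missing_realms means every domain in the console will be able to validate the HTTP/srvwapt.lifv.lt ticket; any weak_entries are candidates for a tighter -crypto choice on the next ktpass run. The merged file should be readable only by the account the WAPT server runs as.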
Sylvain
Messages: 4
Registration: January 19, 2023 - 3:23 PM

January 8, 2025 - 2:33 PM

Thanks Bertrand, we already worked together on this keytab in June, I'll try it and let you know. :)

Edit: @bertrand you're the best once again, it's working now, I have both forests in the console :).
blemoigne
Messages: 178
Registration: July 17, 2020 - 11:29

January 9, 2025 - 09:33

Ah yes, I didn't recognize you, thanks for the reply. ;)
Could you mark the post as resolved?
Have a good day!
Bertrand