Configuring the WAPT server with Kerberos without requiring authentication

RebeccaS
Messages: 10
Registration: January 31, 2020 - 09:47

February 25, 2020 - 8:30 AM

Yes, the ticket is here.

C:\Windows\system32>klist

LogonId est 0:0x3e7

Tickets mis en cache : (14)

#0>     Client :  client$ @ MYDOMAIN.LAN
        Serveur : krbtgt/MYDOMAIN.LAN @ MYDOMAIN.LAN
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Heure de démarrage : 2/25/2020 0:14:35 (Local)
        Heure de fin :   2/25/2020 10:14:25 (Local)
        Heure de renouvellement : 3/3/2020 0:14:25 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x2 -> DELEGATION
        KDC appelé : srvrodc.MYDOMAIN.LAN

#7>     Client :  client$ @ MYDOMAIN.LAN
        Serveur : HTTP/srvwapt.MYDOMAIN.LAN @ MYDOMAIN.LAN
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 2/25/2020 0:14:45 (Local)
        Heure de fin :   2/25/2020 10:14:25 (Local)
        Heure de renouvellement : 3/3/2020 0:14:25 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : srvrodc.MYDOMAIN.LAN
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

February 25, 2020 - 5:47 PM

Do you also have an RODC server, or did you just use my example?
RebeccaS
Messages: 10
Registration: January 31, 2020 - 09:47

February 26, 2020 - 09:24

No, I just copied that part, but it's a standard DC.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

February 26, 2020 - 6:17 PM

So the KerbTicket encryption type is indeed AES-256-CTS-HMAC-SHA1-96?

The same goes for the session key (so I don't know what was copied...)

Otherwise, we'll do a test without using wapt:

Can you configure Firefox for Kerberos authentication?
https://docs.oracle.com/cd/E41633_01/pt...36673.html

And surf on:
https://srvwapt.mydomain.lan/add_host_kerberos

If Kerberos authentication succeeds, then the message will be:

Method Not Allowed

The method is not allowed for the requested URL.
Conversely, if authentication fails, the message will be a 401 (authentication request)
RebeccaS
Messages: 10
Registration: January 31, 2020 - 09:47

February 27, 2020 - 8:26 AM

Yes, that's correct; the encryption and session key haven't been changed.

I reran the commands this morning (I've highlighted the changes in red).

C:\Windows\system32>wapt-get register
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Registering host against server: https://srvwapt.mydomain.lan
System Power Controls
FATAL ERROR: HTTPError: 403 Client Error: Forbidden for url: https://srvwapt.mydomain.lan/add_host_kerberos

C:\Windows\system32>
C:\Windows\system32>klist

LogonId is 0:0x3e7

Cached tickets: (15)

#0> Client: client$ @ MYDOMAIN.LAN
Server: krbtgt/MYDOMAIN.LAN @ MYDOMAIN.LAN

KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Ticket flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start time: 2/27/2020 7:52:02 (Local)
End time: 2/27/2020 17:52:01 (Local)
Renewal time: 3/5/2020 7:52:01 (Local)
Session key type: AES-256-CTS-HMAC-SHA1-96
Cache flags: 0x2 ->
KDC delegation called: SRVDC.MYDOMAIN.LAN

#1> Client: client$ @ MYDOMAIN.LAN
Server: krbtgt/MYDOMAIN.LAN @ MYDOMAIN.LAN

KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Ticket flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start time: 2/27/2020 7:52:01 (Local)
End time: 2/27/2020 17:52:01 (Local)
Renewal time: 3/5/2020 7:52:01 (Local)
Session key type: AES-256-CTS-HMAC-SHA1-96
Cache flags: 0x1 -> PRIMARY
KDC called: SRVDC.MYDOMAIN.LAN

#2> Client: client$ @ MYDOMAIN.LAN
Server: HTTP/srvwapt.mydomain.lan @ MYDOMAIN.LAN

KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Ticket flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start time: 2/27/2020 8:02:38 (Local)
End time: 2/27/2020 17:52:01 (Local)
Renewal time: 3/5/2020 7:52:01 (Local)
Session key type: AES-256-CTS-HMAC-SHA1-96
Cache flags: 0
KDC called: SRVDC.MYDOMAIN.LAN


Test results (attached screenshot): 2020-02-27 08_00_32-401 Authorization Required.png
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

February 27, 2020 - 1:43 PM

After configuring Kerberos authentication in Firefox, you do have a ticket in klist (in the user environment, not psexec)?


If so, the Python part of WAPT is not the issue (given the 401 message).

You could try uninstalling libnginx-mod-http-auth-spnego and reinstalling it with this deb:
https://wapt.tranquil.it/debian/wapt-1. ... _amd64.deb

Simon
RebeccaS
Messages: 10
Registration: January 31, 2020 - 09:47

February 27, 2020 - 3:26 PM

After configuring Kerberos authentication in Firefox:

H:\>klist

LogonId is 0:0x7ddc0

Cached tickets: (2)

#0> Client: user @ MYDOMAIN.LAN
Server: krbtgt/MYDOMAIN.LAN @ MYDOMAIN.LAN

KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Ticket flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start time: 2/27/2020 14:33:53 (Local)
End time: 2/28/2020 0:33:53 (Local)
Renewal time: 3/5/2020 14:33:53 (Local)
Session key type: AES-256-CTS-HMAC-SHA1-96
Cache indicators: 0x1 -> PRIMARY
KDC called: SRVDC.MYDOMAIN.LAN

#1> Client: user @ MYDOMAIN.LAN
Server: HTTP/srvwapt.MYDOMAIN.LAN @ MYDOMAIN.LAN

KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Ticket flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start time: 2/27/2020 14:33:53 (Local)
End time: 2/28/2020 0:33:53 (Local)
Renewal time: 3/5/2020 14:33:53 (Local)
Session key type: AES-256-CTS-HMAC-SHA1-96
Cache indicators: 0
KDC called: SRVDC.MYDOMAIN.LAN



I tried reinstalling the deb file, but it's the same...


However, I have a question:

When configuring the server in Firefox, do I absolutely have to include my domain name? What difference does it make if I don't?
Because I don't get the same error if I don't include my domain name.

If I enter my domain name, I get a 403 error (attached screenshot: 2020-02-27 14_34_21-403 Forbidden.png).
If I don't include my domain name, I get a 401 error (attached screenshot: 2020-02-27 14_36_49-401 Authorization Required.png).
I have the impression that the problem occurs when I run this command:

msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N

Using --verbose I get this:

root@srvwapt:/home/wapt# msktutil --server srvdc --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(home) -N --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 91
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-qimnoe
 -- reload: Reloading Kerberos Context
 -- get_short_hostname: Determined short hostname: srvwapt
 -- finalize_exec: SAM Account Name is: srvwapt$
 -- try_machine_keytab_princ: Trying to authenticate for srvwapt$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for srvwapt$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Generic preauthentication failure)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/srvwapt.microtec-agora.lan from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for srvwapt$ with password.
It still creates the entries in /etc/nginx/http-krb5.keytab, since the rest proceeds without error.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

February 27, 2020 - 6:49 PM

The ticket is clearly being issued correctly, since it appears in klist.

However, it is apparently rejected by nginx.

For me, 401 = 403, so there's no difference.

Is the server's krb5.conf file correct? (It shouldn't have any impact, but just in case.)

Otherwise, it could be a time difference between the wapt server and the client.

In Kerberos, the maximum delay is 5 minutes.

To verify properly, run this on the server, and with Python or WaptPython on Windows:

Python 2.7.13 (default, Sep 26 2018, 18:42:22) 
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import datetime
>>> datetime.datetime.utcnow()
datetime.datetime(2020, 2, 27, 17, 43, 21, 864084)


This allows you to check the time without taking into account daylight saving time, time zone, etc.

Otherwise I don't understand; I redid the procedure with the deb libnginx-mod-http-auth-spnego_1.14.2-2+deb10u1_amd64.deb (so nginx 1.14) and it works fine.

Perhaps a special security configuration at the AD level?

Another possible problem: is there a reverse proxy layer on top?
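An added example (not from this thread, nor WAPT's own code) that mechanizes the two checks suggested above: parse the English-format klist output quoted earlier, confirm that a service ticket for the HTTP/ SPN of the WAPT server is present and currently valid, and compare client and server UTC clocks against the 5-minute Kerberos tolerance. The klist text below is constructed from the thread's format; nothing here contacts a KDC or nginx.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed to the fields used here (same layout as Windows klist output).
SAMPLE_KLIST = """\
Cached tickets: (2)

#0> Client: user @ MYDOMAIN.LAN
Server: krbtgt/MYDOMAIN.LAN @ MYDOMAIN.LAN
KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Start time: 2/27/2020 14:33:53 (Local)
End time: 2/28/2020 0:33:53 (Local)

#1> Client: user @ MYDOMAIN.LAN
Server: HTTP/srvwapt.MYDOMAIN.LAN @ MYDOMAIN.LAN
KerbTicket encryption type: AES-256-CTS-HMAC-SHA1-96
Start time: 2/27/2020 14:33:53 (Local)
End time: 2/28/2020 0:33:53 (Local)
"""

KRB_MAX_SKEW = timedelta(minutes=5)   # clock skew tolerance mentioned in the thread
TIME_FMT = "%m/%d/%Y %H:%M:%S"        # klist "Start time"/"End time" layout, "(Local)" stripped


def parse_klist(text):
    """Split klist output into one dict per '#n>' entry, keyed by the field label."""
    tickets = []
    for chunk in re.split(r"^#\d+>\s*", text, flags=re.M)[1:]:
        entry = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                entry[key.strip()] = value.strip()
        tickets.append(entry)
    return tickets


def find_service_ticket(tickets, spn):
    """Return the ticket whose service principal matches spn (host part compared case-insensitively)."""
    for t in tickets:
        principal = t.get("Server", "").split("@")[0].strip()
        if principal.lower() == spn.lower():
            return t
    return None


def ticket_valid_at(ticket, now):
    """True if 'now' (same local time base as klist) lies inside the ticket's validity window."""
    start = datetime.strptime(ticket["Start time"].replace(" (Local)", ""), TIME_FMT)
    end = datetime.strptime(ticket["End time"].replace(" (Local)", ""), TIME_FMT)
    return start <= now <= end


def skew_ok(client_utc, server_utc, tolerance=KRB_MAX_SKEW):
    """True if the two UTC readings (datetime.utcnow() on each side) are within the Kerberos tolerance."""
    return abs(client_utc - server_utc) <= tolerance
```

Feed `parse_klist` the real klist output and the UTC values from the two `datetime.utcnow()` calls; a missing HTTP/ ticket, an expired window or a skew over five minutes each point to a different cause than nginx's SPNEGO module.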
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

March 4, 2020 - 10:55

Hello, have you made any progress?
RebeccaS
Messages: 10
Registration: January 31, 2020 - 09:47

March 12, 2020 - 2:27 PM

Hello,

sorry for the delayed response...

I tried again from scratch this morning, but it's still the same...

It's a shame, we chose this solution for Kerberos authentication...

Thanks anyway