[RESOLVED] Kerberos authentication and opening up to the world

Questions about WAPT Server / Requests and help related to the WAPT server
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
marcolefo
Messages: 27
Registration: Oct 02, 2018 - 11:13

June 18, 2020 - 5:23 PM

Hello

I am setting up a WAPT 1.8.2 server under Debian 10 accessible from the outside with kerberos client authentication.

I'm stuck trying to register my first client.
waptserver.log:

Code:
[waptserver     ] CRITICAL Get_websocket_auth_token failed EWaptAuthenticationFailure(u'Unknown host UUID client.domain.lan. Please register first.',)
[waptws         ] WARNING SocketIO connection refused for uuid client.domain.lan, sid f186984275bc44ed8e5d12c56448c9c1: SocketIO connection not authorized, invalid token: 400 Bad Request: The browser (or proxy) sent a request that this server could not understand., instance
[waptws         ] WARNING Application rejected connection
Regarding the client:

Code:
> wapt-get register -l debug --service
Current loglevel : DEBUG
About to speak to waptservice...
Call register URL...
url: http://127.0.0.1:8088/register.json?notify_user=1 timeout: 10000
url: http://127.0.0.1:8088/events?max_count=1 timeout: 11000
Waptservice User :url: http://127.0.0.1:8088/events?max_count=1 : OK Duration: 0
After reading the documentation and the forum, I'm wondering if this isn't due to having a machine name both locally and externally:
wapt.domain.local and wapt.domain.fr

knowing that my AD serves the domain domain.local

All my clients should use wapt.domain.fr, my DNS resolving to private IP if the request is internal and to public IP if the request is external.

I followed the instructions https://www.wapt.fr/fr/doc/wapt-securit ... t=kerberos

So, I registered my machine as wapt.domain.local.

Is the problem related to the server machine name?
Last edited by marcolefo on June 23, 2020 - 5:47 PM, edited 1 time.
WAPT Enterprise Server: 2.6.0.17343 / Server OS: Debian bookworm /
Administration/package creation machine OS: macOS 15
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

June 18, 2020 - 10:07 PM

Are the stations capable of negotiating a Kerberos ticket?

On a Windows 10 system, you can try the following command:

Code:
klist get HTTP/srvwapt.mydomain.lan
srvwapt.mydomain.lan must be replaced with the URL used by your clients (so you can test with the internal and external DNS names)

Note that in order to negotiate a ticket, the workstation must be able to contact its AD.

Next, the keytab on the server must have both URLs.

To verify:

Code:
ktutil
read_kt /etc/nginx/http-krb5.keytab
list
This gives you the list of URLs that the Keytab accepts

My advice is to use a single DNS name, the external one

Otherwise, you need to adapt this command to pass it two HTTP services:

Code:
sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
https://www.wapt.fr/fr/doc-1.7/security ... ice-keytab
marcolefo
Messages: 27
Registration: Oct 02, 2018 - 11:13

June 19, 2020 - 3:47 PM

I regenerated the keytab using the external name:

Code:
msktutil --server ad.domain.local --precreate --host wapt.domain.fr -b cn=computers --service HTTP --description "Host account for wapt server" --enctypes 24 -N
But it complains that the name is too long:

Code:
Error: The SAM name (nomduserveur-domain-fr$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters
Error: You can specify a shorter name using --computer-name
So I tried

Code:
msktutil --server ad.domain.local --precreate --computer-name wapt --host wapt.domain.fr -b cn=computers --service HTTP --description "Host account for wapt server" --enctypes 24 -N

Code:
# ktutil
ktutil:  read_kt /etc/nginx/http-krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5                            wapt$@DOMAIN.LOCAL
   2    5                            wapt$@DOMAIN.LOCAL
   3    5                            wapt$@DOMAIN.LOCAL
   4    5                            WAPT$@DOMAIN.LOCAL
   5    5                            WAPT$@DOMAIN.LOCAL
   6    5                            WAPT$@DOMAIN.LOCAL
   7    5                        host/wapt@DOMAIN.LOCAL
   8    5                        host/wapt@DOMAIN.LOCAL
   9    5                        host/wapt@DOMAIN.LOCAL
  10    5    HTTP/nomdns.domain.fr@DOMAIN.LOCAL
  11    5    HTTP/nomdns.domain.fr@DOMAIN.LOCAL
  12    5    HTTP/nomdns.domain.fr@DOMAIN.LOCAL
In fact, wapt.domain.fr is a CNAME record of nomdns.domain.fr...

So I'm starting all over again without using the CNAME wapt.domain.fr

This time the client workstation manages to obtain a ticket:

Code:
klist get HTTP/nomdns.domain.fr

LogonId est 0:0x2c7b3b
Un ticket pour HTTP/nomdns.domain.fr a été récupéré.

Tickets mis en cache : (3)

#0>     Client : domainadminuser @ DOMAIN.LOCAL
        Serveur : krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 15:38:35 (Local)
        Heure de fin :   6/20/2020 1:38:35 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x1 -> PRIMARY
        KDC appelé : adserver.DOMAIN.LOCAL

#1>     Client : domainadminuser @ DOMAIN.LOCAL
        Serveur : HTTP/nomdns.domain.fr @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 15:38:35 (Local)
        Heure de fin :   6/20/2020 1:38:35 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : adserver.DOMAIN.LOCAL

#2>     Client : domainadminuser @ DOMAIN.LOCAL
        Serveur : HTTP/nomdns.DOMAIN.LOCAL @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 9:21:31 (Local)
        Heure de fin :   6/19/2020 19:21:31 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : adserver.DOMAIN.LOCAL
But still no registration. In C:\Program Files (x86)\wapt\log\waptservice.log:

Code:
Serving on http://client.domain.local:8088
2020-06-19 15:39:18,051 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID UUID_masquée. Please register first.',)
Get packages index
u'0 paquet(s) dans le d\xe9p\xf4t\nLe syst\xe8me est \xe0 jour'
2020-06-19 15:39:30,640 [waptcore       ] WARNING Host on the server is not known or not known under this FQDN name (known as None). Trying to register the computer...
	System Power Controls
2020-06-19 15:40:18,213 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID UUID_masquée. Please register first.',)
2020-06-19 15:41:18,358 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID UUID_masquée. Please register first.',)
2020-06-19 15:42:18,500 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID UUID_masquée. Please register first.',)
2020-06-19 15:43:18,647 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID UUID_masquée. Please register first.',)
I feel we're close, but I don't see where the problem lies ;)
WAPT Enterprise Server: 2.6.0.17343 / Server OS: Debian bookworm /
Administration/package creation machine OS: macOS 15
marcolefo
Messages: 27
Registration: Oct 02, 2018 - 11:13

June 19, 2020 - 6:09 PM

Let me summarize my approach. I hope that's clear.


Context:

AD domain => domain.local
Public Domain => domain.public

WAPT Server:
Local dns name => foo.domain.local
Public dns name => foo.domain.public
CNAME => wapt.domain.public

WAPT client => client.domain.local

On the WAPT server:

Code:
# cat /etc/krb5.conf
[libdefaults]
  default_realm = DOMAIN.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  DOMAIN.LOCAL = {
    kdc = adserver.domain.local
  }

[domain_realm]
  .domain.local = DOMAIN.LOCAL
  domain.local = DOMAIN.LOCAL
Creating the keytab:

Code:
# kinit admin
Password for admin@DOMAIN.LOCAL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMAIN.LOCAL

Valid starting       Expires              Service principal
06/19/2020 17:32:32  06/20/2020 03:32:32  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
	renew until 06/20/2020 17:32:26
06/19/2020 17:32:59  06/20/2020 03:32:32  ldap/adserver.domain.local@
	renew until 06/20/2020 17:32:26
06/19/2020 17:32:59  06/20/2020 03:32:32  ldap/adserver.domain.local@DOMAIN.LOCAL
	renew until 06/20/2020 17:32:26
06/19/2020 17:32:59  06/19/2020 17:34:59  kadmin/changepw@DOMAIN.LOCAL
	renew until 06/19/2020 17:34:59
# msktutil --server ad.domain.local --precreate --computer-name toto --host toto.domain.public -b cn=computers --service HTTP --description "Host account for wapt server" --enctypes 24 -N
No computer account for toto found, creating a new one.
# msktutil --server ad.domain.local --auto-update --keytab /etc/nginx/http-krb5.keytab --computer-name toto --host toto.domain.public  -N
# chmod 640 /etc/nginx/http-krb5.keytab; chown root:www-data /etc/nginx/http-krb5.keytab
Let's check:

Code:
ktutil
read_kt /etc/nginx/http-krb5.keytab
list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                          toto$@DOMAIN.LOCAL
   2    3                          toto$@DOMAIN.LOCAL
   3    3                          toto$@DOMAIN.LOCAL
   4    3                          TOTO$@DOMAIN.LOCAL
   5    3                          TOTO$@DOMAIN.LOCAL
   6    3                          TOTO$@DOMAIN.LOCAL
   7    3                      host/toto@DOMAIN.LOCAL
   8    3                      host/toto@DOMAIN.LOCAL
   9    3                      host/toto@DOMAIN.LOCAL
  10    3    HTTP/toto.domain.public@DOMAIN.LOCAL
  11    3    HTTP/toto.domain.public@DOMAIN.LOCAL
  12    3    HTTP/toto.domain.public@DOMAIN.LOCAL
We re-run the postconf script, enabling Kerberos authentication:

Code:
/opt/wapt/waptserver/scripts/postconf.sh --force-https
The next step was not tested on a "normal" workstation but on the workstation responsible for creating the agent. The CA and CS certificates had already been created during previous installations.

On the Windows 10 PC:

Code:
C:\Windows\system32>klist get HTTP/toto.domain.public

LogonId est 0:0x2c7b3b
Un ticket pour HTTP/toto.domain.public a été récupéré.

Tickets mis en cache : (3)

#0>     Client : admin-user @ DOMAIN.LOCAL
        Serveur : krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 17:42:39 (Local)
        Heure de fin :   6/20/2020 3:42:39 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x1 -> PRIMARY
        KDC appelé : adserver.domain.local

#1>     Client : admin-user @ DOMAIN.LOCAL
        Serveur : HTTP/toto.domain.public @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 17:42:39 (Local)
        Heure de fin :   6/20/2020 3:42:39 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : adserver.domain.local

#2>     Client : admin-user @ DOMAIN.LOCAL
        Serveur : HTTP/toto.domain.local @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 6/19/2020 9:21:31 (Local)
        Heure de fin :   6/19/2020 19:21:31 (Local)
        Heure de renouvellement : 6/26/2020 9:21:31 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : adserver.domain.local


We uninstall WAPT, we reinstall waptsetup-tis.
By default, the console attempts to register (add_host) the client, requesting the admin password => cancel
Copy the license file to C:\Program Files (x86)\wapt\licenses
We copy the certificates we created earlier into C:\Program Files (x86)\wapt\ssl

We modify the C:\Program Files (x86)\wapt\log\waptservice.log file to enable Kerberos:

Code:
use_kerberos=1
We restart the WAPT service and then, in C:\Program Files (x86)\wapt\log\waptservice.log:

Code:
Serving on http://client.domain.local:8088
2020-06-19 17:42:23,803 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID 4C4C4544-. Please register first.',)
Get packages index
u'2 paquet(s) dans le d\xe9p\xf4t\nLe syst\xe8me est \xe0 jour'
2020-06-19 17:42:36,398 [waptcore       ] WARNING Host on the server is not known or not known under this FQDN name (known as None). Trying to register the computer...
	System Power Controls
2020-06-19 17:43:23,960 [waptws         ] WARNING Websocket connect params: Unable to get auth token: Error on server:
EWaptAuthenticationFailure(u'Unknown host UUID 4C4C4544-. Please register first.',)
WAPT Enterprise Server: 2.6.0.17343 / Server OS: Debian bookworm /
Administration/package creation machine OS: macOS 15
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

June 20, 2020 - 12:49

marcolefo wrote (June 19, 2020 - 3:47 PM): Actually, wapt.domain.fr is a CNAME record for nomdns.domain.fr...
As in the examples, I don't have the real DNS names, so it's complicated to find your way around.

Basically, whether it's a CNAME or an A record, it doesn't matter; the DNS name used by your agent (the one in wapt-get.ini in wapt_server) must appear in the ktutil read output in the form of:

Code:
HTTP/nomdns.fqdn@DOMAIN.LOCAL
It is also necessary that the command

Code:
klist get HTTP/nomdns.fqdn@DOMAIN.LOCAL
works on your agent.
If it works, you can test with psexec:

Code:
psexec -s -i cmd
klist purge
wapt-get register
Attention! It's very easy to get lost by restarting the process multiple times (creation problems, etc.). If you want to start with a clean slate, you can follow this procedure:

On the wapt server:

Code:
rm -f /etc/nginx/http-krb5.keytab
On AD:
Delete the wapt computer account.

On your Windows test machine:

Code:
psexec -s -i cmd
klist purge
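Both of sfonteneau's answers come down to one rule: whatever DNS name the agents carry in wapt_server (the CNAME included) must appear in the keytab as HTTP/<name>@REALM, and the agent must be able to obtain a ticket for exactly that name. As an added example, not code from the thread or from WAPT, the following POSIX shell script applies that rule offline: it extracts the host from a wapt-get.ini wapt_server line and looks for the matching principal in a ktutil "list" (or klist -k) listing. The ini text and the listing are constructed samples mirroring the thread's toto/wapt.domain.public situation; the realm, server names and function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from WAPT: check that the keytab
# nginx uses carries an HTTP/<host>@REALM principal for the name agents put
# in wapt_server. Names, realm and function names are assumptions.

# Constructed sample of an agent's wapt-get.ini [global] section.
SAMPLE_INI='[global]
wapt_server=https://wapt.domain.public
repo_url=https://wapt.domain.public/wapt
use_kerberos=1'

# Constructed keytab listing, shaped like the ktutil "list" output in the
# thread. On a real server produce it with:
#   printf "read_kt /etc/nginx/http-krb5.keytab\nlist\n" | ktutil
# or with:
#   klist -k /etc/nginx/http-krb5.keytab
SAMPLE_LISTING='slot KVNO Principal
---- ---- ----------------------------------------
   1    3                     toto$@DOMAIN.LOCAL
   7    3                 host/toto@DOMAIN.LOCAL
  10    3   HTTP/toto.domain.public@DOMAIN.LOCAL'

# Host part of wapt_server: drop the key, the scheme, any path and any port.
# $1 = ini text
wapt_server_host() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*wapt_server[[:space:]]*=[[:space:]]*//p' \
        | sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##' -e 's#:[0-9]*$##' \
        | head -n 1
}

# Exact match of HTTP/<host>@<realm> against the last column of the listing,
# so wapt.domain.public does not pass on the strength of toto.domain.public.
# $1 = listing text, $2 = host, $3 = realm
keytab_has_http_spn() {
    printf '%s\n' "$1" \
        | awk -v spn="HTTP/$2@$3" '$NF == spn { found = 1 } END { exit (found ? 0 : 1) }'
}

# Report every name that is not covered. $1 = listing, $2 = realm, rest = hosts.
# Returns 0 only when all names are present.
check_spns() {
    listing=$1; realm=$2; shift 2
    missing=0
    for h in "$@"; do
        if keytab_has_http_spn "$listing" "$h" "$realm"; then
            printf 'ok       HTTP/%s@%s\n' "$h" "$realm"
        else
            printf 'MISSING  HTTP/%s@%s  (agents configured with %s cannot authenticate)\n' \
                "$h" "$realm" "$h"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demonstration on the constructed data: the agent uses the CNAME
# wapt.domain.public, but the keytab only carries toto.domain.public.
agent_host=$(wapt_server_host "$SAMPLE_INI")
check_spns "$SAMPLE_LISTING" DOMAIN.LOCAL "$agent_host" toto.domain.public || true
```

On a real server, feed check_spns the live listing and every name agents might use (internal name, external name, CNAME) in one call; each MISSING line is a principal that still has to be added with msktutil --service HTTP/<name>.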
marcolefo
Messages: 27
Registration: Oct 02, 2018 - 11:13

June 23, 2020 - 4:45 PM

Great! We're making progress.

It's still not working, but it's progress. I was able to add the CNAME to the keytab by forcing the service with --service HTTP/wapt.domain.public

Code:
msktutil --server ad.domain.local --precreate --computer-name toto --host wapt.domain.public -b cn=computers --service HTTP/wapt.domain.public --description "Host account for wapt server" --enctypes 24 -N
Thanks for the advice about purging, I think that was what was blocking me...

Now if I do a wapt-get register:

Code:
wapt-get register
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Registering host against server: https://wapt.domain.public
        System Power Controls
FATAL ERROR : HTTPError: 403 Client Error: Forbidden for url: https://wapt.domain.public/add_host_kerberos
In debug mode...

Code:
wapt-get register -l debug
Current loglevel : DEBUG
2020-06-23 16:41:55,690 DEBUG Default encoding : ascii
2020-06-23 16:41:55,691 DEBUG Setting encoding for stdout and stderr to cp850
2020-06-23 16:41:55,697 DEBUG Python path ['C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\python27.zip', 'C:\\Program Files (x86)\\wapt\\DLLs', 'C:\\Program Files (x86)\\wapt\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\plat-win', 'C:\\Program Files (x86)\\wapt\\lib\\lib-tk', 'C:\\Program Files (x86)\\wapt', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\pywin32-227-py2.7-win32.egg', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\win32\\lib', 'C:\\Program Files (x86)\\wapt\\lib\\site-packages\\Pythonwin']
2020-06-23 16:41:55,698 INFO Using local waptservice configuration C:\Program Files (x86)\wapt\wapt-get.ini
2020-06-23 16:41:55,698 DEBUG Config file: C:\Program Files (x86)\wapt\wapt-get.ini
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
2020-06-23 16:41:55,711 DEBUG Thread 8048 is connecting to wapt db
2020-06-23 16:41:55,799 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\4C4C4544-0051-4C10-804C-B7C04F443033.pem for repo global auth
2020-06-23 16:41:55,841 DEBUG Thread 8048 is connecting to wapt db
2020-06-23 16:41:55,842 DEBUG DB Start transaction
2020-06-23 16:41:55,842 DEBUG DB commit
2020-06-23 16:41:55,934 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\4C4C4544-0051-4C10-804C-B7C04F443033.pem for repo wapt auth
2020-06-23 16:41:55,973 INFO Main repository: https://wapt.domain.public/wapt
2020-06-23 16:41:56,112 DEBUG Using host certificate C:\Program Files (x86)\wapt\private\4C4C4544-0051-4C10-804C-B7C04F443033.pem for repo wapt-host auth
2020-06-23 16:41:56,153 INFO User Groups:[]
2020-06-23 16:41:56,153 DEBUG WAPT base directory : C:\Program Files (x86)\wapt
2020-06-23 16:41:56,154 DEBUG Package cache dir : C:\Program Files (x86)\wapt\cache
2020-06-23 16:41:56,154 DEBUG WAPT DB Structure version;: 20200415
Registering host against server: https://wapt.domain.public
2020-06-23 16:41:56,154 DEBUG DB Start transaction
2020-06-23 16:41:56,158 DEBUG DB commit
2020-06-23 16:41:56,181 DEBUG DB Start transaction
2020-06-23 16:41:56,183 DEBUG DB commit
2020-06-23 16:41:56,186 DEBUG DB Start transaction
2020-06-23 16:41:56,187 DEBUG DB commit
2020-06-23 16:41:56,467 DEBUG Unable to GET username from SID S-1-5-21-105001 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-06-23 16:41:56,470 DEBUG Unable to GET username from SID S-1-5-21-105001 : (1332, 'LookupAccountSid', 'Le mappage entre les noms de compte et les ID de s\xe9curit\xe9 n\x92a pas \xe9t\xe9 effectu\xe9.'), using profile directory instead
2020-06-23 16:41:56,525 DEBUG DB Start transaction
2020-06-23 16:41:56,529 DEBUG DB commit
2020-06-23 16:41:56,535 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,538 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,539 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,540 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,543 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,548 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,552 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,555 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,559 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,565 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,569 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,573 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,581 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,586 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,592 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,598 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,605 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,612 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,619 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,628 DEBUG Stores cert chain check in cache
2020-06-23 16:41:56,740 INFO Run "dmidecode -q"
2020-06-23 16:41:56,749 INFO dmidecode -q command returns code 0
        System Power Controls
2020-06-23 16:41:59,147 DEBUG Loading ssl context with cert C:\Program Files (x86)\wapt\private\4C4C4544-0051-4C10-804C-B7C04F443033.crt and key C:\Program Files (x86)\wapt\private\4C4C4544-0051-4C10-804C-B7C04F443033.pem
2020-06-23 16:41:59,153 DEBUG Starting new HTTPS connection (1): wapt.domain.public:443
2020-06-23 16:41:59,171 DEBUG https://wapt.domain.public:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2020-06-23 16:41:59,174 DEBUG https://wapt.domain.public:443 "POST /add_host_kerberos HTTP/1.1" 401 195
2020-06-23 16:41:59,174 DEBUG handle_401(): Handling: 401
2020-06-23 16:41:59,177 DEBUG authenticate_user(): Authorization header: Negotiate YIIGSAYJKoZIhvcSAQICAQBuggY3MIIGM6ADAgEFoQMCAQ6iBwMFACAAAACjggRuYYIEajCCBGagAwIBBaEJGwd
...
GsVFs2HdSnmLrsr6REVVsoU2vQVrDnDVWBWgJsaR+2XBMCdNJeZmz9rv3PHAilS3jp2/UTElocXczY3f4gSnqLhWcaJSgRSJUruPF+f9KdTy41CLb3f7gVlzvoFv4sQtGaVQyurHII3vf5Ng1uzFiVlAq8/cxU30M7ivZEwiYgv+o9dd9Ar+1Ze//32GLc4AAsbqn7gliNx06DY0g/DgkoU/mYS8982gvRybFQXn1yVo1yhIMoeI4EiM1aV1Cx3KwnrKXIQR2U9/1CWhhth89gOQJusBpv0DDA==
2020-06-23 16:41:59,178 DEBUG https://wapt.domain.public:443 "POST /add_host_kerberos HTTP/1.1" 403 169
2020-06-23 16:41:59,183 DEBUG authenticate_user(): returning <Response [403]>
2020-06-23 16:41:59,183 DEBUG handle_401(): returning <Response [403]>
2020-06-23 16:41:59,183 DEBUG handle_response(): returning <Response [403]>
2020-06-23 16:41:59,183 DEBUG handle_response() has seen 0 401 responses
2020-06-23 16:41:59,184 DEBUG handle_other(): Handling: 403
2020-06-23 16:41:59,184 DEBUG handle_other(): returning <Response [403]>
2020-06-23 16:41:59,184 DEBUG handle_response(): returning <Response [403]>
FATAL ERROR : HTTPError: 403 Client Error: Forbidden for url: https://wapt.domain.public/add_host_kerberos
Traceback (most recent call last):
  File "<string>", line 1462, in <module>
  File "<string>", line 1241, in main
  File "C:\Program Files (x86)\wapt\common.py", line 5641, in register_computer
    signer = self.get_host_certificate().cn
  File "C:\Program Files (x86)\wapt\common.py", line 1969, in post
    req.raise_for_status()
  File "C:\Program Files (x86)\wapt\lib\site-packages\requests\models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://wapt.domain.public/add_host_kerberos
Exception at 0044233C: EPyIOError:
HTTPError: 403 Client Error: Forbidden for url: https://wapt.domain.public/add_host_kerberos.
Note that before registering, I ran a `klist purge`. Here is the result of the `klist` after registering

Code:
>klist

LogonId est 0:0x3e7

Tickets mis en cache : (2)

#0>     Client : client$ @ DOMAIN.LOCAL
        Serveur : krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Heure de démarrage : 6/23/2020 16:59:29 (Local)
        Heure de fin :   6/24/2020 2:59:29 (Local)
        Heure de renouvellement : 6/30/2020 16:59:29 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0x1 -> PRIMARY
        KDC appelé : adserver.domain.local

#1>     Client : client$ @ DOMAIN.LOCAL
        Serveur : HTTP/wapt.domain.public @ DOMAIN.LOCAL
        Type de chiffrement KerbTicket : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de tickets 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Heure de démarrage : 6/23/2020 16:59:29 (Local)
        Heure de fin :   6/24/2020 2:59:29 (Local)
        Heure de renouvellement : 6/30/2020 16:59:29 (Local)
        Type de clé de session : AES-256-CTS-HMAC-SHA1-96
        Indicateurs de cache : 0
        KDC appelé : adserver.domain.local
        
We're getting close, aren't we?
WAPT Enterprise Server: 2.6.0.17343 / Server OS: Debian bookworm /
Administration/package creation machine OS: macOS 15
marcolefo
Messages: 27
Registration: Oct 02, 2018 - 11:13

June 23, 2020 - 5:46 PM

And there you have it, after a quick call to support, it works! :)

The post above was perfectly fine, but with all my attempts I had simply forgotten to set the correct permissions on the keytab

Code:
chmod 640 /etc/nginx/http-krb5.keytab; chown root:www-data /etc/nginx/http-krb5.keytab
WAPT Enterprise Server: 2.6.0.17343 / Server OS: Debian bookworm /
Administration/package creation machine OS: macOS 15
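The final fix was not the keytab's content but its permissions: nginx's worker (group www-data on Debian) must be able to read it, and nobody else should. As an added example, not code from the thread or from WAPT, this POSIX shell function checks those two conditions on a keytab path and prints the chmod/chown needed to reach the state the thread settled on; the path and the default group are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from WAPT: verify that a keytab is
# readable by the web server's group and by nobody else, which is what
# "chmod 640; chown root:www-data" establishes. Path and group are assumptions.

# $1 = keytab path, $2 = expected group (default www-data, nginx's group on Debian).
# Prints what is wrong and returns non-zero if anything is off.
check_keytab_perms() {
    keytab=$1
    want_group=${2:-www-data}
    if [ ! -f "$keytab" ]; then
        printf 'missing: %s\n' "$keytab"
        return 2
    fi
    # "ls -ld" prints e.g. "-rw-r----- 1 root www-data ...": characters 5-7 are
    # the group bits, 8-10 the bits for everyone else, field 4 the group name.
    line=$(ls -ld "$keytab")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    groupbits=$(printf '%s\n' "$mode" | cut -c5-7)
    others=$(printf '%s\n' "$mode" | cut -c8-10)
    rc=0
    if [ "$others" != "---" ]; then
        printf 'world-accessible (%s): %s; run: chmod 640 %s\n' "$mode" "$keytab" "$keytab"
        rc=1
    fi
    case $groupbits in
        r*) ;;
        *) printf 'group cannot read %s; run: chmod 640 %s\n' "$keytab" "$keytab"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        printf 'group is %s, expected %s; run: chown root:%s %s\n' \
            "$group" "$want_group" "$want_group" "$keytab"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        printf 'ok: %s (%s %s)\n' "$keytab" "$mode" "$group"
    fi
    return $rc
}

# Run directly: sh check_keytab.sh /etc/nginx/http-krb5.keytab www-data
if [ $# -gt 0 ]; then
    check_keytab_perms "$@"
fi
```

A keytab that is readable by everyone lets any local account impersonate the HTTP service, while one the worker cannot read produces exactly the 401 followed by 403 on /add_host_kerberos shown in the previous post, so both directions are worth checking after every msktutil --auto-update, which rewrites the file.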