
[RESOLVED] Kerberos Error 405

Published: March 22, 2023 - 1:54 PM
by Marceld
Hello everyone,

We have had our WAPT Enterprise server (up to date) in production on an Ubuntu server (also up to date) for over a year now.

For version details:
WAPT 2.3.0.13516
Ubuntu 22.04.2 LTS
We wanted to move away from NTLM in our domain and use only Kerberos.

We therefore set about configuring WAPT with Kerberos.

- All configurations meet the prerequisites (Debian installation section)
- We followed the documentation on "strengthening the security of your WAPT server" (Except for the Firewall part which we will implement after Kerberos).

The entire "Kerberos configuration and post-configuration" process went smoothly.

However, it is now impossible to connect from the WAPT software center.

If I follow the documentation, this gives:
- use_kerberos=True is correctly enabled on both the client and server sides
- The Keytab is good and conforms to what the documentation presents
- The command "kinit -k -t /etc/nginx/http-krb5.keytab srvwapt\$@AD.TRANQUIL.IT" does indeed generate a ticket for the server (klist)
- On a client PC, using the system console and the command "wapt-get register", I can successfully register the device:
C:\windows\system32>wapt-get register
Using config file: C:\Program Files (x86)\wapt\wapt-get.ini
Registering host against server: https://srvwapt.toto.local
Host correctly registered against server https://srvwapt.toto.local.
If I run a test with the curl command, I get an error: http/1.1 405 METHOD NOT ALLOWED:
> GET /add_host_kerberos HTTP/1.1
> Host: frscmwapt.scmlemans.com
> Authorization: Negotiate CLE_EFFACE
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 METHOD NOT ALLOWED
< Server: nginx
< Date: Wed, 22 Mar 2023 12:33:32 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 178
< Connection: keep-alive
< WWW-Authenticate: Negotiate KEY_ERAS
< WWW-Authenticate: Basic realm=""
< Allow: OPTIONS, POST, HEAD
< Strict-Transport-Security: max-age=63072000
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>
* Connection #0 to host srvwapt.toto.local left intact
If I do the test in Firefox as mentioned once or twice on the forum, I get the same result (405 METHOD NOT ALLOWED).

If I request a ticket from a user's PC, it returns this:
C:\windows\system32>klist get https://srvwapt.toto.local

LogonId is 0:0x3e7
Error calling API LsaCallAuthenticationPackage (substatus GetTicket): 0x6fb

klist failed with 0xc000018b/-1073741429: The Windows server's SAM database does not have a computer account for the trust relationship with this workstation.
Finally, no user can now use the software center (which makes sense to me since the Kerberos request failed).
However, the admin console still works (which makes sense since it does not use Kerberos).

Sorry for the "wall of text" and thank you for reading.

Re: Kerberos Error 403

Published: March 22, 2023 - 2:41 PM
by sfonteneau
If you see the message "Method Not Allowed", then everything is fine ;)

You can also try using the following URL in your browser:

https://srvwapt.mydomain.lan/api/v3/login_kerberos
For Kerberos to work on the self-service side, you must add the following to the wapt-get.ini file of your agents:

[global]
use_kerberos=1
service_auth_type=waptserver-ldap
and on the Wapt server side, configure LDAP in /opt/wapt/conf/waptserver.ini

put:

[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password

then reboot the wapt server:

systemctl restart waptserver

Re: Kerberos Error 403

Published: March 22, 2023 - 2:59 PM
by Marceld
Hello Sfonteneau,

So:

It initially indicates "Authentication OK":
[screenshot ok.JPG: "Authentication OK"]
[global]
use_kerberos=1
service_auth_type=waptserver-ldap
So that's precisely the point I wanted to raise. I've looked through the documentation and the forum extensively, and sometimes it says "1" and other times it says "True". Are both acceptable?
[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password
I had already tried adding them (I uncommented them, but it didn't change my problem).
Does it just need a standard user account or does it require specific privileges?

Thank you for your time.

Re: Kerberos Error 403

Published: March 22, 2023 - 4:48 PM
by sfonteneau
Marceld wrote: March 22, 2023 - 2:59 PM
So that's precisely the point I wanted to raise. I've looked through the documentation and the forum extensively, and sometimes it says "1" and other times it says "True". Are both acceptable?

Yes, absolutely, 1 = True, so you can put whatever you want.
Does it just need a standard user account or does it require specific privileges?
It needs the rights to read the memberof attribute of user records (you can test this with the small ldapadmin software)

Re: Kerberos Error 405

Published: March 22, 2023 - 6:42 PM
by Marceld
Thanks for the tool.

The user account created can indeed read the "Member Of" attribute.

If the Kerberos tests are OK but the Software Center's "SSO" is not, what could be causing this?

Re: Kerberos Error 405

Published: March 23, 2023 - 10:17 AM
by sfonteneau
The only thing we haven't checked is your self-service rule package.

Is a self-service rule package installed?

Do you get an error message when you open it?

Re: Kerberos Error 405

Published: March 23, 2023 - 12:05 PM
by Marceld
Hello,

Yes, there is a self-service package for users.

It worked fine with NTLM authentication.

It just displays "incorrect password or username" whether I enter a password or not.

I also can't open it with an account that has local administrator rights.

Have a good day.

Re: Kerberos Error 405

Published: March 23, 2023 - 12:19 PM
by sfonteneau
If your agent is correctly configured in this way, it shouldn't ask for a password:

[global]
use_kerberos=1
service_auth_type=waptserver-ldap
Then:

net stop waptservice
net start waptservice

Re: Kerberos Error 405

Published: March 23, 2023 - 3:23 PM
by Marceld
If your agent is correctly configured in this way, it shouldn't ask for a password:
Ah, OK, yet in another topic you specified that the ID and password were always required if we ever needed to switch to admin.

use_kerberos=1
service_auth_type=waptserver-ldap
I can confirm that this is indeed the configuration I have on my test client.

I don't see anything in the client-side logs regarding a possible error. Is there a specific place where I could find logs about the connection attempt?

Re: Kerberos Error 405

Published: March 23, 2023 - 5:10 PM
by Marceld
For your information, and after speaking with support over the phone:

That was a mistake on my part:

I modified the following line:
service_auth_type=waptserver-ldap
with:
service_auth_type=mywaptserver.toto.local
That was a mistake on my part; that line should not have been changed.

Thank you again for your responsiveness!

We will finally be able to get rid of NTLM :D
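Added example, not code from the thread or from WAPT itself: a small Python checker for the two ini fragments sfonteneau posted earlier and for the mistake that resolved the thread. It flags any service_auth_type other than waptserver-ldap, accepts both 1 and True for use_kerberos as the thread states, and warns when the server-side LDAP settings disable TLS or certificate verification, since the service-account password would then bind over plaintext LDAP. The sample ini contents and the set of accepted true-values are my own constructions.

```python
import configparser
from typing import List

# Constructed sample: an agent wapt-get.ini with the mistake that resolved the thread
AGENT_INI_BROKEN = """[global]
use_kerberos=True
service_auth_type=mywaptserver.toto.local
"""

# Constructed sample: the server-side waptserver.ini fragment from the thread
SERVER_INI = """[options]
ldap_auth_server = srvads.mydomain.lan
ldap_auth_base_dn = DC=mydomain,DC=lan
ldap_auth_ssl_enabled = False
verify_cert_ldap = False
ldap_account_service_login = wapt-ldap@mydomain.lan
ldap_account_service_password = password
"""

# Assumption: "1" and "True" are equivalent, as stated in the thread
TRUE_VALUES = {"1", "true", "yes", "on"}

def _section(ini_text: str, name: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp[name]) if cp.has_section(name) else {}

def check_agent(ini_text: str) -> List[str]:
    # Findings for the [global] section of an agent wapt-get.ini
    g = _section(ini_text, "global")
    findings = []
    if g.get("use_kerberos", "").strip().lower() not in TRUE_VALUES:
        findings.append("use_kerberos is not enabled (1 or True are both accepted)")
    sat = g.get("service_auth_type", "").strip()
    if sat != "waptserver-ldap":
        findings.append(f"service_auth_type must be 'waptserver-ldap', found {sat!r}")
    return findings

def check_server(ini_text: str) -> List[str]:
    # Findings for the [options] section of waptserver.ini
    o = _section(ini_text, "options")
    findings = []
    for key in ("ldap_auth_server", "ldap_auth_base_dn",
                "ldap_account_service_login", "ldap_account_service_password"):
        if not o.get(key, "").strip():
            findings.append(f"{key} is missing")
    if o.get("ldap_auth_ssl_enabled", "").strip().lower() not in TRUE_VALUES:
        findings.append("ldap_auth_ssl_enabled=False: service-account bind goes over plaintext LDAP")
    if o.get("verify_cert_ldap", "").strip().lower() not in TRUE_VALUES:
        findings.append("verify_cert_ldap=False: LDAPS server certificate is not verified")
    return findings
```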