[SOLVED] Configuration: two forests, two domains, one WAPT server
Published: January 6, 2025 - 10:55 AM
Hello everyone! I'll try to keep it simple. Here's my new project, which involves several domains:
My setup: On my main Windows Server 2022 Hyper-V server, I have an existing and functional AD DS DNS VM with the "efv2.efv2.ad" forest and "efv2.ad" domain. I also have a functional Debian VM with NGINX for WAPT Enterprise 2.5, connected via another Debian VM with NGINX reverse proxy stream and a functional HTTPS interface secured by password. So far, so good.
I now have a second AD DS DNS VM on my main server with another functional "lifv.lifv.ad" forest and "lifv.ad" domain. My new client machines can be added to either of these domains.
My question: I saw in the documentation that I need to add a .keytab, but before I mess things up as usual, I'd prefer to check with you.
I'm getting confused about Kerberos and the keytab. Do I need to put the public URL of my online server: https://www.srvwapt.lifv.lt/ like HTTP/-URL-.domain.local.keytab = HTTP/srvwapt.lifv.lt.lifv.ad + HTTP/srvwapt.lifv.lt.efv2.ad? Or is it none of that since the UPN also adds the domain?
Do I need to change the SPN of two computer clients and two user clients in both ADs?
On the interface, do I need to change the deployment and add a new --hash to create a new GPO in my second domain?
In my new AD DS VM, do I need to create an account for the WAPT server machine?
Any help would be greatly appreciated!
Thanks, have a good day!
Sylvain
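Before trusting a keytab that is supposed to cover both forests, it helps to list exactly which principal/realm pairs it actually contains. The following is an added example (not from Sylvain's post and not WAPT's own code) that builds a constructed MIT-format keytab and parses it back; the SPN `HTTP/srvwapt.lifv.lt`, the realms `LIFV.AD` and `EFV2.AD`, the enctype 18 (AES256) and the kvno values are assumptions drawn from the names in the post.

```python
import struct

def _pack(s: bytes) -> bytes:          # counted string: uint16 length + bytes
    return struct.pack(">H", len(s)) + s

def build_keytab(entries, key: bytes = bytes(32)) -> bytes:
    """Serialize (principal, realm, enctype, kvno) tuples as an MIT 0x0502 keytab; key is a dummy."""
    out = b"\x05\x02"
    for principal, realm, enctype, kvno in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        body += b"".join(_pack(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Return (principal, realm, enctype, kvno) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, found = 2, []
    def rd() -> str:                   # read one counted string at pos
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos); pos += 2 + n
        return data[pos - n:pos].decode()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                   # negative length marks a deleted entry's slack
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = rd()
        comps = [rd() for _ in range(ncomp)]
        pos += 8                       # skip name_type + timestamp
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        found.append(("/".join(comps), realm, enctype, kvno))
        pos = end
    return found

def realms_for(data: bytes, spn: str) -> set:
    """Realms in which `spn` has a key: the check to run before relying on a merged keytab."""
    return {realm for p, realm, _, _ in parse_keytab(data) if p == spn}

# Constructed sample: the HTTP SPN of the WAPT host keyed in both realms (AES256 = enctype 18).
SAMPLE = build_keytab([("HTTP/srvwapt.lifv.lt", "LIFV.AD", 18, 3),
                       ("HTTP/srvwapt.lifv.lt", "EFV2.AD", 18, 2)])
```

To inspect a real file, call `parse_keytab(open("/path/to/wapt.keytab", "rb").read())` and confirm that `realms_for` returns both realms for the HTTP SPN; a missing realm means clients from that forest cannot obtain a usable service ticket.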