SPN for ldap cross forest search

    Question

  • Hi,

    I am trying to do an LDAP cross-forest search using GSSAPI Kerberos.  I have two independent forests, showdomain.com and showdomain2.com, and they trust each other.  From my program, I used a credential from showdomain.com and set the search path to showdomain2.com.  Wireshark showed this krb5 message returned by showdomain2.com:

    

    I checked the domain controller (host DC1) of showdomain2.com and it didn't have the SPN ldap/showdomain2.com, so I added the following SPN:

    setspn -S ldap/showdomain2.com DC1

    The search worked after I added the SPN. But after about one minute, the above SPN entry was deleted by the system.

    DC1.showdomain2.com has the following SPN for ldap:

            ldap/aaabbfab-4d4b-48ff-98f6-6d2d1455cf52._msdcs.showdomain2.com
            ldap/DC1
            ldap/DC1.showdomain2.com
            ldap/DC1.showdomain2.com/DomainDnsZones.showdomain2.com
            ldap/DC1.showdomain2.com/ForestDnsZones.showdomain2.com
            ldap/DC1.showdomain2.com/SHOWDOMAIN2
            ldap/DC1.showdomain2.com/showdomain2.com
            ldap/DC1/SHOWDOMAIN2

    krb5.conf that I used:

    [libdefaults]
            default_realm = SHOWDOMAIN.COM
            default_checksum = rsa-md5
            #default_checksum = crc32

    [realms]
            SHOWDOMAIN.COM = {
                    kdc = showdc1.showdomain.com
            }
            SHOWDOMAIN2.COM = {
                    kdc = dc1.showdomain2.com
            }

    [domain_realm]
            .showdomain.com = SHOWDOMAIN.COM
            showdomain.com = SHOWDOMAIN.COM
            .showdomain2.com = SHOWDOMAIN2.COM
            showdomain2.com = SHOWDOMAIN2.COM

    ...

    [capaths]
            SHOWDOMAIN.COM = {
                    SHOWDOMAIN2.COM = .
            }
            SHOWDOMAIN2.COM = {
                    SHOWDOMAIN.COM = .
            }

    Do you know why?  I am new to SPNs and Kerberos; any suggestion will be much appreciated.

    Thanks



    Wednesday, January 3, 2018 11:27 PM

Answers

  • Hi,

    By default, the DC doesn’t have an SPN like ldap/<domain name> registered. Thus, the way you performed the LDAP search for showdomain2.com was not allowed.  You may need to modify your code to let the client bind to the DC in showdomain2.com directly. Here is an article for your reference.


    How the Kerberos Version 5 Authentication Protocol Works: Logon and Authentication

    https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Tuesday, January 9, 2018 6:12 AM

All replies

  • Hi

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    William



    Thursday, January 4, 2018 7:29 AM
  • Hi,

    Based on the complexity and the specific situation, we need to do more research. If we have any updates or thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which will help us understand and analyze this issue comprehensively.
    Sorry for the inconvenience and thank you for your understanding and patience.

    Best Regards,

    William



    Tuesday, January 9, 2018 1:44 AM
  • Hi William,

    Thanks for your help.  In my application, I bound to ldap://ShowDC1.showdomain.com:3268 and specified a search base in showdomain2.com (a different forest).  During the search, my application received an LDAP referral to showdomain2.com and the LDAP library implicitly issued a TGS-REQ to showdomain2.com.  My application did not have code to bind to showdomain2.com.   Maybe there is a setting problem in my krb5.conf?

    [libdefaults]
            default_realm = SHOWDOMAIN.COM
            default_checksum = rsa-md5
            #default_checksum = crc32

    [realms]
            SHOWDOMAIN.COM = {
                    kdc = showdc1.showdomain.com
            }
            SHOWDOMAIN2.COM = {
                    kdc = dc1.showdomain2.com
            }

    [domain_realm]
            .showdomain.com = SHOWDOMAIN.COM
            showdomain.com = SHOWDOMAIN.COM
            .showdomain2.com = SHOWDOMAIN2.COM
            showdomain2.com = SHOWDOMAIN2.COM

    ...

    [capaths]
            SHOWDOMAIN.COM = {
                    SHOWDOMAIN2.COM = .
            }
            SHOWDOMAIN2.COM = {
                    SHOWDOMAIN.COM = .
            }

    Thanks

    Patrick


    Tuesday, January 9, 2018 6:03 PM
  • Hi,

    Attached is the LDAP referral message from showdomain.com to my application.  It was referring to "showdomain2.com" without the hostname of the DC. After that, Java GSSAPI tried to access the krb5 service credential for ldap/showdomain2.com@SHOWDOMAIN2.COM


    Jan  9 11:12:29 Found ticket for Administrator@SHOWDOMAIN.COM to go to krbtgt/SHOWDOMAIN.COM@SHOWDOMAIN.COM expiring on Tue Jan 09 21:12:28 PST 2018
    Jan  9 11:12:29 Entered Krb5Context.initSecContext with state=STATE_NEW
    Jan  9 11:12:29 Found ticket for Administrator@SHOWDOMAIN.COM to go to krbtgt/SHOWDOMAIN.COM@SHOWDOMAIN.COM expiring on Tue Jan 09 21:12:28 PST 2018
    Jan  9 11:12:29 Found ticket for Administrator@SHOWDOMAIN.COM to go to ldap/showdc1.showdomain.com@SHOWDOMAIN.COM expiring on Tue Jan 09 21:12:28 PST 2018
    Jan  9 11:12:29 Service ticket not found in the subject
    Jan  9 11:12:29 >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/SHOWDOMAIN2.COM@SHOWDOMAIN.COM
    Jan  9 11:12:29 Using builtin default etypes for default_tgs_enctypes
    Jan  9 11:12:29 default etypes for default_tgs_enctypes: 18 17 16 23.
    Jan  9 11:12:29 >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    Jan  9 11:12:29 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    Jan  9 11:12:29 >>> KrbKdcReq send: kdc=showdc1.showdomain.com UDP:88, timeout=30000, number of retries =3, #bytes=1456
    Jan  9 11:12:30 >>> KDCCommunication: kdc=showdc1.showdomain.com UDP:88, timeout=30000,Attempt =1, #bytes=1456
    Jan  9 11:12:30 >>> KrbKdcReq send: #bytes read=1440
    Jan  9 11:12:30 >>> KdcAccessibility: remove showdc1.showdomain.com
    Jan  9 11:12:30 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    Jan  9 11:12:30 >>> Credentials acquireServiceCreds: got tgt
    Jan  9 11:12:30 >>> Credentials acquireServiceCreds: got right tgt
    Jan  9 11:12:30 >>> Credentials acquireServiceCreds: obtaining service creds for ldap/showdomain2.com@SHOWDOMAIN2.COM
    Jan  9 11:12:30 Using builtin default etypes for default_tgs_enctypes
    Jan  9 11:12:30 default etypes for default_tgs_enctypes: 18 17 16 23.
    Jan  9 11:12:30 >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    Jan  9 11:12:30 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    Jan  9 11:12:30 >>> KrbKdcReq send: kdc=dc1.showdomain2.com UDP:88, timeout=30000, number of retries =3, #bytes=1456
    Jan  9 11:12:30 >>> KDCCommunication: kdc=dc1.showdomain2.com UDP:88, timeout=30000,Attempt =1, #bytes=1456
    Jan  9 11:12:30 >>> KrbKdcReq send: #bytes read=100
    Jan  9 11:12:30 >>> KdcAccessibility: remove dc1.showdomain2.com
    Jan  9 11:12:30 >>> KDCRep: init() encoding tag is 126 req type is 13
    Jan  9 11:12:30 >>>KRBError:
    Jan  9 11:12:30 sTime is Tue Jan 09 11:12:26 PST 2018 1515525146000
    Jan  9 11:12:30 suSec is 838509
    Jan  9 11:12:30 error code is 7
    Jan  9 11:12:30 error Message is Server not found in Kerberos database
    Jan  9 11:12:30 sname is ldap/showdomain2.com@SHOWDOMAIN2.COM
    Jan  9 11:12:30 msgType is 30
    Jan  9 11:12:30 KrbException: Server not found in Kerberos database (7)
    Jan  9 11:12:30 KrbException: Fail to create credential. (63) - No service creds
    Jan  9 11:12:30 at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:156)
    
    Thanks

    • Edited by Patrick2000 Tuesday, January 9, 2018 7:52 PM
    Tuesday, January 9, 2018 7:50 PM
  • Hi,

    Please understand I have no coding experience in Java.

    May I know what LDAP search was sent to the DC in showdomain.com? Can the client in showdomain.com bind to the DC in showdomain2.com directly? Maybe the referral message will be different.

    Best Regards,

    William



    Wednesday, January 10, 2018 10:13 AM
  • Hi William,

    The LDAP search that I sent to "ldap://ShowDC1.showdomain.com:3268" was

    ctx.search("OU=XYZ,DC=showdomain2,DC=com", "(&(objectClass=group)(objectCategory=group))", searchCtls);

    The search's context is set to an OU in showdomain2 (OU=XYZ,DC=showdomain2,DC=com).

    searchCtls sets Context.REFERRAL = "follow"

    The client did not bind to showdomain2.com directly.  It is the referral which redirected the search() to showdomain2.com.

    Thanks

    Patrick

    Wednesday, January 10, 2018 11:12 PM
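An added example (not code from the thread, nor from Java JNDI or any Kerberos library) that models what Patrick's log and SPN list show: the SPN a GSSAPI LDAP client derives from a referral URL, a check of that SPN against what DC1 actually has registered, and the referral rewritten to the DC's FQDN so the derived SPN is one the KDC can find. The SPN list and the [domain_realm] mapping are taken from the posts; the SRV table (standing in for a DNS lookup of _ldap._tcp.<domain>) and the referral URL are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# SPNs registered on DC1.showdomain2.com, as listed in the question.
DC1_SPNS = {
    "ldap/aaabbfab-4d4b-48ff-98f6-6d2d1455cf52._msdcs.showdomain2.com",
    "ldap/DC1", "ldap/DC1.showdomain2.com", "ldap/DC1/SHOWDOMAIN2",
    "ldap/DC1.showdomain2.com/DomainDnsZones.showdomain2.com",
    "ldap/DC1.showdomain2.com/ForestDnsZones.showdomain2.com",
    "ldap/DC1.showdomain2.com/SHOWDOMAIN2", "ldap/DC1.showdomain2.com/showdomain2.com",
}
# [domain_realm] section of the posted krb5.conf.
DOMAIN_REALM = {
    ".showdomain.com": "SHOWDOMAIN.COM", "showdomain.com": "SHOWDOMAIN.COM",
    ".showdomain2.com": "SHOWDOMAIN2.COM", "showdomain2.com": "SHOWDOMAIN2.COM",
}
# Constructed stand-in for a DNS SRV lookup of _ldap._tcp.<domain> -> DC FQDN.
SRV_TABLE = {"showdomain2.com": "dc1.showdomain2.com"}

def realm_for_host(host: str) -> str:
    """Map host to realm like krb5 [domain_realm]: exact host, then longest '.parent' suffix."""
    host = host.lower()
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    raise LookupError(f"no realm mapping for {host}")

def spn_for_referral(url: str) -> str:
    """SPN a GSSAPI LDAP client requests for a URL: ldap/<host>@<REALM>."""
    host = urlsplit(url).hostname
    return f"ldap/{host}@{realm_for_host(host)}"

def spn_registered(spn: str, registered: set) -> bool:
    """AD matches servicePrincipalName case-insensitively; the realm is not part of it."""
    name = spn.split("@", 1)[0].lower()
    return name in {s.lower() for s in registered}

def rewrite_referral(url: str) -> str:
    """Replace a bare-domain referral host with the DC FQDN from the SRV lookup,
    keeping port and base DN; hosts not in the table are returned unchanged."""
    parts = urlsplit(url)
    host = parts.hostname
    if host in SRV_TABLE:
        port = f":{parts.port}" if parts.port else ""
        parts = parts._replace(netloc=SRV_TABLE[host] + port)
    return urlunsplit(parts)
```

The unrewritten referral yields ldap/showdomain2.com@SHOWDOMAIN2.COM, which is absent from DC1's list and so produces the "Server not found in Kerberos database" (error 7) seen in the log; the rewritten one yields ldap/dc1.showdomain2.com, which DC1 does have.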
  • Hi,

    You can try to use NTLM for authentication since I will check the SPN.

    Best Regards,

    William



    Thursday, January 11, 2018 1:59 PM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,
    William


    Monday, January 15, 2018 7:11 AM
  • Hi William,

    I still need to find out why the LDAP referral from ShowDC1 caused Java's GSSAPI library to connect to the referred DC using the DC's domain name instead of the DC's FQDN in Kerberos.  I will post the question in a Java/LDAP forum.  Thanks for all your help.

    Patrick

    Tuesday, January 16, 2018 1:38 AM
  • Hi,

    Thanks for letting us know your current progress. I hope you get a solution from the Java/LDAP forum. Have a nice day.

    Best Regards,

    William




    Tuesday, January 16, 2018 5:51 AM