Setting up a test Windows Server + Active Directory for Kerberos testing

    Question

  • My company wants me to set up a POC of a working Gitlab with Kerberos integration. They want me to set up a totally isolated test where I set up a test Windows server with an Active Directory domain, enable Kerberos, then show how a user logged into the domain can automatically be authenticated with Gitlab.

    Gitlab is hosted on a Windows Server 2016 instance.

    Users will be logged into their own workstations plugged into the domain.

    So I have created a Windows Server 2016 VM set up with Active Directory domain. Works fine.

    But now I'm stuck.

    I know I need these inputs

    Realm - for example:

    EXAMPLE.COM

    Service principal - for example:

    HTTP/gitlab.example.com@EXAMPLE.COM

    Keytab file - for example:

    c:\keys\example.keytab

    Is there a simple set of steps I can perform to

    • Configure the Windows server instance / active directory to allow kerberos auth?
    • Generate the realm, service principal and keytab files?

    The docs I'm finding are all pretty "production" usage; I'm just doing a single VM test.

    The best one I can find so far is https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/tsec_kerb_create_spn.html but it's pretty hard to translate to the steps I'll actually need.

    Thursday, November 2, 2017 9:39 PM

Answers

  • Since we worked together on the stackoverflow question, closing the loop here...

    The error “Defective token detected” likely means that an NTLM token was detected. That’s what the Negotiate mechanism uses inside popular web browsers if Kerberos fails, when not instructed by the web server otherwise. On Windows operating systems, the IE web browser on it (and Firefox, if configured correctly) basically says, if you won’t do Kerberos, I’m going to send you an NTLM token. And the server replies “no way”, I don’t even know NTLM, so I’m calling what you sent me defective.

    When we looked at the new ktpass keytab creation output in the stackoverflow question, we saw this: “Targeting domain controller: WIN-OVV6VHBGIB8.fusionis.life.” This was in contrast to the defined SPN in the keytab, which was HTTP/kerberos500.nickis.life. As the AD domain name was different from the SPN defined, this is not going to work unless there was some kind of trust set up between the domains. Since you didn't have a trust, you needed to use an SPN of HTTP/kerberos500.fusionis.life instead.



    Best Regards, Todd Heron | Active Directory Consultant

    Sunday, December 31, 2017 3:08 PM
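    The NTLM-versus-Kerberos distinction in the answer above can be checked directly on the failing request. This is an added example, not code from the thread or from GitLab: it decodes the token in an "Authorization: Negotiate <base64>" header and reports whether the browser sent NTLM (the "defective token" case) or a GSS-API token, and which mechanism OID it carries. The two sample headers are constructed for illustration.

```powershell
function Get-NegotiateTokenKind {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    $b64   = ($AuthorizationHeader -replace '^\s*Negotiate\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($b64)
    if ($bytes.Length -lt 10) { return 'Unknown (token too short)' }
    # NTLM messages carry the signature "NTLMSSP\0" and are not DER at all; a GSS-API
    # layer that only knows Kerberos/SPNEGO rejects them as a defective token.
    if ([BitConverter]::ToString($bytes, 0, 8) -eq '4E-54-4C-4D-53-53-50-00') {
        return 'NTLM (browser fell back from Kerberos)'
    }
    # RFC 2743 InitialContextToken: tag 0x60, DER length, then the mechanism OID (tag 0x06).
    if ($bytes[0] -ne 0x60) { return 'Unknown (not a GSS-API InitialContextToken)' }
    $lenByte = $bytes[1]
    $pos = if ($lenByte -lt 0x80) { 2 } else { 2 + ($lenByte -band 0x7F) }   # index of OID tag
    if ($pos + 1 -ge $bytes.Length -or $bytes[$pos] -ne 0x06) { return 'Unknown (no mechanism OID)' }
    $oidLen = [int]$bytes[$pos + 1]
    if ($pos + 2 + $oidLen -gt $bytes.Length) { return 'Unknown (truncated OID)' }
    $oid = [BitConverter]::ToString($bytes, $pos + 2, $oidLen) -replace '-', ''
    switch ($oid) {
        '2B0601050502'       { return 'SPNEGO 1.3.6.1.5.5.2 (inspect the inner mechToken)' }
        '2A864886F712010202' { return 'Kerberos v5 1.2.840.113554.1.2.2 (raw GSS-API)' }
        '2A864882F712010202' { return 'Kerberos v5, Microsoft legacy OID 1.2.840.48018.1.2.2' }
        default              { return "Unknown mechanism OID bytes $oid" }
    }
}

# Constructed samples: an NTLM NEGOTIATE_MESSAGE (type 1) and a SPNEGO NegTokenInit whose
# inner payload is abbreviated; only the header bytes matter for the classification.
$ntlm      = [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00, 1,0,0,0, 0x07,0x82,0x08,0xA2) + [byte[]]::new(16)
$spnegoOid = [byte[]](0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02)
$body      = [byte[]](0xA0,0x03,0x0A,0x01,0x00)
$spnego    = [byte[]](0x60, ($spnegoOid.Length + $body.Length)) + $spnegoOid + $body

$headers = [ordered]@{
    'ntlm fallback' = 'Negotiate ' + [Convert]::ToBase64String([byte[]]$ntlm)
    'spnego'        = 'Negotiate ' + [Convert]::ToBase64String([byte[]]$spnego)
}
foreach ($k in $headers.Keys) { '{0,-14} -> {1}' -f $k, (Get-NegotiateTokenKind $headers[$k]) }
```

    Feed the function the real header from a packet capture or web-server log of the failing request; a result of NTLM means the client never obtained a service ticket for the SPN, which is where the SPN/realm mismatch described above comes in.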

All replies

  • Hi,

    I am trying to involve someone familiar with this topic to further look at this query. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 3, 2017 1:52 AM
  • Configure the Windows server instance / active directory to allow kerberos auth?

    > Nothing. Things are working out of the box. Depending on the version of your domain controller, legacy encryption will be disabled though (3DES for Kerberos is disabled by default since Windows Server 2008 R2).

    Generate the realm, service principal and keytab files?

    > The realm is just the DNS name of your AD domain. The SPN is the SPN you want as long as the client can build a request for it. So in your example, it would be the SPN of a web service accessed by a client typing http://gitlab.example.com (or https://) for example in IE or Edge. To create the Keytab file, you can use the builtin tool KTPASS. Info and examples here: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, November 3, 2017 2:25 PM
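    The realm, SPN and keytab steps from the reply above, carried through for the example names in the question. This is an added example, not from the thread or from the ktpass documentation; it assumes a lab domain example.com (realm EXAMPLE.COM), a GitLab host gitlab.example.com, a service account svc-gitlab, and that it is run in an elevated PowerShell on the domain controller with the ActiveDirectory module installed.

```powershell
$Domain     = 'example.com'                 # AD DNS domain name
$Realm      = $Domain.ToUpperInvariant()    # the Kerberos realm is the AD DNS name in upper case
$GitLabFqdn = 'gitlab.example.com'          # the host name users type into the browser
$Spn        = "HTTP/$GitLabFqdn"            # SPN without realm; ktpass appends @$Realm
$SamName    = 'svc-gitlab'                  # dedicated service account that will own the keytab
$KeytabOut  = 'C:\keys\example.keytab'

# 1. Dedicated service account. The keytab holds this account's long-term key, so do not
#    reuse a computer account or an admin account; restrict it to AES to avoid RC4/DES keys.
$password = Read-Host -AsSecureString -Prompt "Password for $SamName"
Import-Module ActiveDirectory
New-ADUser -Name $SamName -SamAccountName $SamName -UserPrincipalName "$SamName@$Domain" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256

# 2. The SPN must be unique in the forest: a duplicate SPN makes the KDC refuse the service
#    ticket and the browser silently falls back to NTLM. -X lists duplicates, -S adds only
#    if no duplicate exists, -L shows what is registered on the account.
setspn -X
setspn -S $Spn $SamName
setspn -L $SamName

# 3. The SPN host must be inside the AD domain (or a trusted one); otherwise no KDC can
#    issue a ticket for it, which is exactly the mismatch discussed in this thread.
if ($GitLabFqdn -notlike "*.$Domain") {
    Write-Warning "SPN host $GitLabFqdn is outside $Domain; Kerberos will not work without a trust"
}

# 4. Export the keytab. ktpass resets the mapped account's password to the one given at the
#    prompt (/pass *) and by default sets the account's UPN to the principal as well.
$dir = Split-Path $KeytabOut
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
ktpass /princ "$Spn@$Realm" /mapuser "$SamName@$Domain" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabOut

# 5. Verify from a domain-joined workstation that a service ticket is issued for the SPN;
#    the output should list HTTP/gitlab.example.com @ EXAMPLE.COM with an AES etype.
klist get $Spn
```

    Copy the resulting keytab to the GitLab host over an authenticated channel and protect it with an ACL limited to the GitLab service identity, since anyone who can read it can impersonate the HTTP service.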
  • Hi Pierre, I keep getting stuck by an error from our security library complaining "Defective token detected (Mechanism level: GSSHeader did not find the right tag)".

    I am trying to decipher what "Defective token" means. Do you have any ideas for what I'm missing?

    Here is a full description of my issue: https://stackoverflow.com/questions/47227276/gssexception-when-trying-to-authenticate-to-tomcat-running-on-windows-using-kerb

    Friday, November 10, 2017 4:43 PM