Kerberos and multiple SPNs

Question

I managed to setup Kerberos authentication for 1 server and is up and running ok. Now I have a project where I have to add another server to Kerberos configuration as follow:

1) AD server

2) server1 where service is running

3) server2 where same service will be running

so I executed setspn command to assing both to single "spn" user:

setspn -s serviceX/server1.domain.com@DOMAIN.COM spn

setspn -s serviceX/server2.domain.com@DOMAIN.COM spn

Then I executed comman ktpass:

ktpass -princ serviceX/server1.domain.com@DOMAIN.COM -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -mapuser serviceX\spn -out C:\keytab +rndPass

What should I do next to make it work? How to execute ktpass for server2? When I tried same command for server2 I'm getting Warning:

Warning: Failed to set UPN serviceX/server2.domain.com ptype 1 vno 10 etype 0x12 kinits to "serviceX/server2.domain.com" will fail.

How do you guys setup kerberos authentication for same service but on different servers? Do you create 2 spn users and 2 keytabs? I think I need to have everything in 1 keytab as the service requires it. Any help?

Answer 1

You can run serviceX on the two different servers using the same keytab by using an SPN tied to a user account in the Directory rather than to each of the servers. To do this, you tie the SPN to a virtual server name (aka a "VIP") instead of a real one. We do this all the time at my current organization. So since the SPN would use a virtual server name in DNS, you just configure the load-balancer to send any queries for that virtual name to the real servers behind it "answering" to that name. So in this case, instead of worrying about having unique keytabs for both server1 and server2, your just create one keytab for what I'll refer to as server-vip, and then copy that same keytab to both servers. If you don't have a load balancer then you can do this just using DNS round robin. So the below example would be your new keytab creation syntax, notice how only one thing changes. Another reason why this is good is because it is resilient to to server changes. When you eventually decommission server1 and server2, you can easily just copy the keytab to server3 and server4 when that day comes.

ktpass -princ serviceX/server-vip.domain.com@DOMAIN.COM -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -mapuser serviceX\spn -out C:\keytab +rndPass

Answer 2

friend...

when you try bind the SPN:

serviceX/server-vip.domain.com@DOMAIN.COM

with the UPN

spn

The error: kinits to "serviceX/server2.domain.com" will fail. indicate some problem, but not exactly where or how. I had the same problem today, but another log revealed the main cause of the error:

Failed to set property 'userPrincipalName'

When we try generate the keytab with ktpass, this message is displayed, what we don't imagine, is that the UPN object have so many attributes, one of them is UserPrincipalName. So why we cant set the attribute UserPrincipalName with "spn" value? because it already configured in another UPN attribute! unhappiness you will need verify all attributes of yours UPN, searching for "spn" value.

you can use adsiedit to manual search:

adsiedit.msc

or make a loop with users searching for userPrincipalName attribute:

$users = get-aduser -filter *
foreach ($var in $users) { $var | select Name, UserprincipalName | fl }

I solved my problem finding my "UserPrincipalName" attribute wrong configured in another UPN.

► Each UserPrincipalName need be configured with the same name of your UPN.

UPN=s_user_http, then UserPrincipalName=s_user_http@YOUR_DOMAIN, verify this!

answering your question: one UPN can be a multiples SPN, but its dangerous, if you increment the kvno accidentally, all anothers keytabs will be invalidate. Use one UPN for each SPN.

I hope this help.