
Configuring Kerberos auth when domain in FQDN does not match realm name (76954)


Last Updated: 11/21/2024 | Categories: Informational | Total Views: 444


Details

This article explains how to configure Kerberos auth when the domain in the FQDN does not match the realm name (Linux Connector).

For example, consider the case where the connector FQDN is "123.example.com" and the AD domain's realm name is "INTERNAL.AD".

To make Kerberos auth work properly in this case, a user within Active Directory must be configured with a service principal name (SPN) of https://123.example.com and then a keytab entry must be created within the /etc/krb5.keytab file on the connector using the password for that user.

Previously, this has been done by using the Windows ktpass command and then merging the keytab file produced by that command with the /etc/krb5.keytab file. However, that procedure does not work.

Solution

To resolve this issue:

On a Windows host within the domain:

  1. Create a user to use for this purpose.
  2. Run this command on the AD: 

    ktpass -princ HTTP/hostname-FQDN@REALM -mapuser user@REALM -crypto ALL -pass * -pType KRB5_NT_PRINCIPAL

    For example, if the connector hostname-FQDN is conn.example.com, the realm is INTERNALAD and the user is someuser, then the command would be:

    ktpass -princ HTTP/conn.example.com@INTERNALAD -mapuser someuser@INTERNALAD -crypto ALL -pass * -pType KRB5_NT_PRINCIPAL
     
  3. Run this command to obtain the KVNO:

    get-aduser -filter {name -like "username*"}  -prop Name,msDS-KeyVersionNumber
     
  4. If /etc/krb5.keytab already exists on the Omnissa Access connector, back up the keytab file by running this command:

    cp /etc/krb5.keytab /etc/krb5.keytab.backup
     
  5. Run this command:

    /opt/likewise/bin/ktutil
     
  6. If /etc/krb5.keytab already exists, run this command:

    read_kt /etc/krb5.keytab
     
  7. Run this command:

    addent -password -p HTTP/hostname-FQDN@REALM -k KVNO-from-step-3 -e RC4-HMAC

    Note: This prompts for a password.
     
  8. Run this command:

    write_kt /etc/krb5.keytab
     
  9. Run this command:

    quit
     
  10. Run this command:

    chown horizon /etc/krb5.keytab
     
  11. Run this command:

    chmod 600 /etc/krb5.keytab
     
  12. Run this command:

    service horizon-workspace restart

    Note: If additional encryption types are desired, run more addent commands in step 7, one per encryption type. Other valid encryption types include AES256-CTS and AES128-CTS.
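Once step 8 has written the keytab, it is worth confirming that /etc/krb5.keytab really contains HTTP/hostname-FQDN@REALM at the KVNO from step 3 and with every encryption type you added, since an entry whose KVNO or enctype does not match the account cannot be used. The Python below is an added example, not part of this article or the Omnissa product: it parses the MIT keytab format that ktutil writes (version 0x0502) and lists the enctypes still missing; the SAMPLE bytes are constructed inline so it runs offline.

```python
"""Added example (not from the article): verify that a keytab holds HTTP/<FQDN>@REALM
at the KVNO from get-aduser. Parses the MIT keytab format (0x0502, big-endian)."""
import struct
ENCTYPES = {23: "RC4-HMAC", 17: "AES128-CTS", 18: "AES256-CTS"}  # RFC 3961/4757 numbers

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        def cstr(o):                      # counted octet string: uint16 len + bytes
            n = struct.unpack(">H", entry[o:o + 2])[0]
            return entry[o + 2:o + 2 + n].decode(), o + 2 + n
        ncomp = struct.unpack(">H", entry[:2])[0]
        realm, off = cstr(2)
        comps = []
        for _ in range(ncomp):
            comp, off = cstr(off)
            comps.append(comp)
        off += 8                          # skip uint32 name_type and uint32 timestamp
        vno8, enctype, klen = struct.unpack(">BHH", entry[off:off + 5])
        off += 5 + klen                   # skip the key bytes
        # a trailing uint32 kvno, when present, overrides the 8-bit field
        kvno = struct.unpack(">I", entry[off:off + 4])[0] if len(entry) - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(enctype, str(enctype))))
    return entries

def check_keytab(data, principal, kvno, enctypes=("RC4-HMAC",)):
    """Return the enctypes still missing for principal at the expected KVNO."""
    have = set(parse_keytab(data))
    return [e for e in enctypes if (principal, kvno, e) not in have]

def make_entry(principal, kvno, enctype, key):
    """Build one keytab entry; used only to construct offline sample data."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# constructed sample: one RC4-HMAC entry for the article's example principal at KVNO 3
SAMPLE = b"\x05\x02" + make_entry("HTTP/conn.example.com@INTERNALAD", 3, 23, b"\x00" * 16)
```

On the connector, call check_keytab(open('/etc/krb5.keytab', 'rb').read(), 'HTTP/conn.example.com@INTERNALAD', KVNO, ('RC4-HMAC', 'AES256-CTS')) with the KVNO from step 3 and expect an empty list.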