Kerberos authentication on encryption type AES-256 SHA1

For the ServicePrincipalName (SPN) registration:

If Kerberos RC4-HMAC is already in use, the existing setup must be removed first (steps 1 and 2). If Kerberos is being set up for the first time, start at step 3.

  1. Remove the existing ServicePrincipalName (SPN) (the command must be run by a domain administrator):

    setspn -U -D HTTP/aeneisserver.intellior.de KerberosSPNUser
  2. Delete the existing KerberosSPNUser user completely from Active Directory

  3. Create a new user in Active Directory

  4. In the Account tab, enable the option "This account supports Kerberos AES 256 bit encryption" for the user.

  5. Enable the Password never expires option for the user

  6. On the domain controller (DC), log in as the domain administrator.

  7. Run the terminal/CMD as administrator

  8. Run the following command:

    Note: Keep the upper and lower case of the domain names exactly as in the example.

    ktpass /princ HTTP/aeneisserver.domain.de@DOMAIN.DE /mapuser KerberosSPNUser@DOMAIN.DE /pass Secretpassword /out C:\krb5.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

    • /princ: replace aeneisserver.domain.de@DOMAIN.DE with the server's host name and realm (keep the realm in upper case as shown)

    • /mapuser and /pass: replace KerberosSPNUser@DOMAIN.DE and Secretpassword with the user created in step 3 and its password

    This command also sets the SPN on the account. Afterwards, place the generated krb5.keytab file in the Aeneis application directory.

  9. After executing the command, check the following:

    • The command must have set the SPN HTTP/aeneisserver.domain.de on the user KerberosSPNUser automatically. If it has not, the command was not successful.

    • The command must also have modified the AD user automatically. If it has not, the command was not successful.

    Example: The command is executed as follows:

    ktpass /princ HTTP/int-flexcloud0001.bpm-flexcloud.de@INTELLIOR.de /mapuser ssoflex01@INTELLIOR.DE /pass password /out C:\krb5.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

    The user changes as follows (screenshot omitted):

  10. Create the file login.conf in the Aeneis application directory with the following content:

    Note: Keep the upper/lower case of the principal entry exactly as in the example.

    AENEISClient {
    	com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };
    spnego-client {
    	com.sun.security.auth.module.Krb5LoginModule required;
    };
    spnego-server {
    	com.sun.security.auth.module.Krb5LoginModule required
    	storeKey=true
    	isInitiator=false
    	useKeyTab=true
    	keyTab="file:///C:/aeneisserver_config/krb5.keytab"
    	principal="HTTP/aeneisserver.domain.com@DOMAIN.COM";
    };
  11. In the krb5.conf file that already exists in the application directory, modify the following:

    Note: Keep the upper/lower case of the domain names exactly as in the example.

    [libdefaults] 
    	default_realm = DOMAIN.COM 
    	default_tkt_enctypes = aes256-cts-hmac-sha1-96 
    	default_tgs_enctypes = aes256-cts-hmac-sha1-96 
    	permitted_enctypes = aes256-cts-hmac-sha1-96 
    [realms] 
    	DOMAIN.COM = { 
    		kdc = domaincontroller.domain.com 
    		default_domain = domain.com 
    	} 
    [domain_realm] 
    	.DOMAIN.COM = DOMAIN.COM
  12. Restart the Aeneis server so that the changes take effect.

The commands and config files in detail:

Keytab file creation as a domain administrator on the AD:

ktpass /princ HTTP/int-pc0025.intellior.de@INTELLIOR.DE /mapuser ssochlis@INTELLIOR.DE /pass secretPassword /out C:\Path\to\krb5.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

Documentation for ktpass: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
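Step 9 above checks the AD side of the ktpass run; the keytab file itself can be checked the same way before it is copied into the application directory. The following Python script is an added example, not part of the original instructions or of Aeneis: it parses the MIT keytab format (version 0x0502, which ktpass is assumed to write) and confirms that the principal named in login.conf has a 32-byte aes256-cts-hmac-sha1-96 key rather than a leftover rc4-hmac key. The sample keytabs and their keys are constructed inline.

```python
import struct
AES256_SHA1 = 18  # aes256-cts-hmac-sha1-96 (RFC 3962); the legacy rc4-hmac enctype is 23

def _counted(buf, off):  # counted_octet_string: uint16 length followed by that many bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Entries of a version 0x0502 MIT keytab (the layout ktpass writes, assumed here)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            ncomp = struct.unpack_from(">H", data, off)[0]
            parts, p = [], off + 2
            for _ in range(ncomp + 1):  # realm first, then the name components
                s, p = _counted(data, p)
                parts.append(s.decode())
            kvno = data[p + 8]  # uint32 name_type, uint32 timestamp, then uint8 vno8
            enctype = struct.unpack_from(">H", data, p + 9)[0]
            key, p = _counted(data, p + 11)
            if end - p >= 4:  # optional 32-bit kvno replaces vno8 when non-zero
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                            "enctype": enctype, "kvno": kvno, "keylen": len(key)})
        off = end
    return entries

def check_keytab(data, principal):
    """Problems for principal; an empty list means a 32-byte aes256-cts-hmac-sha1-96 key is present."""
    hits = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not hits:
        return [f"no entry for {principal}"]
    return [f"kvno {e['kvno']}: enctype {e['enctype']} is not aes256-cts-hmac-sha1-96, re-run ktpass"
            for e in hits if e["enctype"] != AES256_SHA1 or e["keylen"] != 32]

def build_entry(principal, enctype, key, kvno=2):  # encodes one 0x0502 entry for the samples below
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed samples with dummy keys: the expected AES-256 entry, and a stale RC4 entry (enctype 23)
PRINCIPAL = "HTTP/aeneisserver.domain.com@DOMAIN.COM"
AES_KEYTAB = b"\x05\x02" + build_entry(PRINCIPAL, AES256_SHA1, b"\x11" * 32)
RC4_KEYTAB = b"\x05\x02" + build_entry(PRINCIPAL, 23, b"\x22" * 16)
```

To check a real file, call check_keytab(open(r"C:\krb5.keytab", "rb").read(), principal) with the principal string from login.conf; the kvno reported for each entry should match the account's current key version on the DC.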

login.conf:

AENEISClient { 
	com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; 
}; 
spnego-client { 
	com.sun.security.auth.module.Krb5LoginModule required; 
}; 
spnego-server { 
	com.sun.security.auth.module.Krb5LoginModule required 
	storeKey=true 
	isInitiator=false 
	useKeyTab=true 
	keyTab="file:///C:/Path/to/krb5.keytab"
	principal="HTTP/int-pc0025.intellior.de@INTELLIOR.DE";
};


The login.conf file can be stored in the application directory.

If the file is not present, the system continues to work with the defaults as before.

krb5.conf:

[libdefaults] 
default_realm = INTELLIOR.DE 
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 
permitted_enctypes = AES256-CTS-HMAC-SHA1-96 
[realms] 
INTELLIOR.DE = { 
	kdc = int-dc05.intellior.de 
	default_domain = intellior.de 
} 
[domain_realm] 
.INTELLIOR.DE = INTELLIOR.DE