Kerberos and DNS for SAP HANA SSO

chris_clarke
Explorer

Hi,

I'm following the document in Note 1837331 about setting up Kerberos for SSO with Active Directory.

When setting up the krb5.conf file, I'm having trouble getting it to find the KDC without explicitly specifying them in the file.

The document states that if the records are in DNS (and they are) then you don't need a [realms] section where you manually specify the KDC location, but I can't get this to work. If I do specify a [realms] section and put a kdc line in there, it works perfectly, but I'd like to utilise DNS, as the system I'm configuring has 12 domain controllers and I don't want to specify each one manually and then change each system by hand every time a DC is added or removed!

I ran a tcpdump session looking for DNS queries, and when running kinit I don't see any attempts at DNS lookups. It just fails with the error below.

Password for USER@UK.EXAMPLE.COM:

com.ibm.security.krb5.KrbException, status code: 60
    message: Cannot find KDC for realm UK.EXAMPLE.COM
    at com.ibm.security.krb5.p.send(p.java:45)
    at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:176)
    at com.ibm.security.krb5.p.send(p.java:59)
    at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:130)
    at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:128)
    at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:66)
    at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:12)
com.ibm.security.krb5.KrbException, status code: 60
    message: Cannot find KDC for realm UK.EXAMPLE.COM

Has anyone made this work?

Kind Regards

Chris

Accepted Solutions (1)

Jonathan_Haun
Participant

See below. Assuming that the DNS server configured for the SAP HANA host is Windows-based and set up for Active Directory, simply querying the domain name should return an available Active Directory KDC. I always have to add something similar to the following to the krb5.conf. You could also use YaST to configure the Kerberos client. It will create a decent krb5.conf for you. It will also make sure all of the libraries are installed.

Example:

[realms]
DOMAIN.COM = {
    kdc = DOMAIN.COM
    default_domain = DOMAIN.COM
    admin_server = DOMAIN.COM
}
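The accepted answer points the kdc line at the domain name and lets its A record carry the list of domain controllers. The thread's other option, the SRV records that Active Directory registers for its KDCs (_kerberos._tcp.<domain>, and _kerberos._udp.<domain> for UDP), is what a DNS-aware client such as MIT krb5 consults when dns_lookup_kdc is enabled in [libdefaults]. For a client that does not do that lookup itself, the same records can still drive the configuration. The script below is an added example, not code from this thread or from SAP: it reads the SRV answers that dig prints and generates an explicit [realms] stanza, so the KDC list is regenerated from DNS instead of hand-maintained across 12 DCs. The realm name, host names and sample DNS answer are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from SAP). Builds the krb5.conf
# [realms] stanza from the SRV records Active Directory publishes for its
# KDCs, so the list of domain controllers comes from DNS rather than by hand.
# Realm and host names are assumed; AD registers KDCs as
# _kerberos._tcp.<DNS domain> (and _kerberos._udp.<DNS domain> for UDP).
#
# Real use on the HANA host:
#   dig +short SRV "$(srv_name UK.EXAMPLE.COM)" | realm_stanza UK.EXAMPLE.COM
#
# "dig +short" prints one SRV record per line as:
#   <priority> <weight> <port> <target.>

# Print the SRV owner name a DNS-aware Kerberos client queries for a realm.
srv_name() {
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Read SRV answers (dig +short format) from stdin and print a [realms] stanza
# for realm $1. Records are ordered by priority (ascending) then weight
# (descending), the preference order a DNS-aware client applies. A target on
# a non-standard port is kept as "host:port", which krb5.conf accepts.
realm_stanza() {
    realm=$1
    sort -k1,1n -k2,2nr | awk -v realm="$realm" '
        BEGIN { print "[realms]"; print realm " = {" }
        NF >= 4 {
            host = $4
            sub(/\.$/, "", host)                 # strip the trailing dot from the FQDN
            port = ($3 == 88) ? "" : (":" $3)    # 88 is the default port, so omit it
            print "    kdc = " host port
            n++
        }
        END {
            if (n == 0) {
                # No SRV answer: fall back to the domain name itself, whose
                # A record lists every DC (the accepted answer does the same).
                print "    kdc = " realm
            }
            print "    default_domain = " tolower(realm)
            print "}"
        }'
}

# Constructed sample answer (not real DNS data): three DCs, one of them on a
# lower-preference priority and a non-standard port.
sample_srv='0 100 88 dc01.uk.example.com.
0 100 88 dc02.uk.example.com.
10 50 464 dc03.uk.example.com.'

srv_name UK.EXAMPLE.COM
printf '%s\n' "$sample_srv" | realm_stanza UK.EXAMPLE.COM
```

Whichever way the KDCs are found, by SRV lookup inside the client, by the domain's A record, or by a stanza generated like this, the list comes from unauthenticated DNS, so the resolver on the HANA host should point only at the AD DNS servers. Running the generator from cron, or from the same job that rotates DCs, keeps the stanza current without touching each system by hand.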

chris_clarke
Explorer

Thanks for everyone's help.

The sub-domain's A record does indeed also list all the KDCs for the domain so I've used that as the KDC line.

I tried spinning up a recent Ubuntu VM and testing against AD, and the Kerberos version in there does work correctly with AD and does the SRV record lookup, so maybe it's the version of Kerberos or Java within the latest SLES builds.

A good workaround, though. Thanks again!

Chris

Answers (1)

candy_zhan
Active Participant

Hi Chris,

The kinit test is not a good one on a Unix system, as it relies on a krb5.ini file that we do not need to create for the SSO solution; that file is only used in a manual AD login scenario. Can you check whether KBA 1965433 helps in your case?

Regards,
Candy


Hi,

Try putting in "kdc = UK.EXAMPLE.COM".

Often a DNS server is also a KDC. So by adding this line, it queries all KDCs related to UK.EXAMPLE.COM.

First, please check whether you can ping "UK.EXAMPLE.COM" from the HANA host; it should work.

Regards

-Seb.