Apr 29, 2015 at 11:26 AM

Kerberos and DNS for SAP HANA SSO

Hi,

I'm following the document in Note 1837331 about setting up Kerberos for SSO with Active Directory.

When setting up the krb5.conf file, I'm having trouble getting it to find the KDCs without explicitly specifying them in the file.

The document states that if the records are in DNS (and they are), then you don't need a [realms] section where you manually specify the kdc location, but I can't get this to work. If I do specify a [realms] section and put a kdc line in there, it works perfectly, but I'd like to utilise DNS, as the system I'm configuring has 12 domain controllers and I don't want to manually specify each one and manually change each system each time a DC is added or removed!

I've run a tcpdump session looking for DNS queries, and when running kinit I don't see any attempts at DNS lookups. It just fails with the below.

Password for USER@UK.EXAMPLE.COM:
com.ibm.security.krb5.KrbException, status code: 60
message: Cannot find KDC for realm UK.EXAMPLE.COM
    at com.ibm.security.krb5.p.send(p.java:45)
    at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:176)
    at com.ibm.security.krb5.p.send(p.java:59)
    at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:130)
    at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:128)
    at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:66)
    at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:12)
com.ibm.security.krb5.KrbException, status code: 60
message: Cannot find KDC for realm UK.EXAMPLE.COM

Has anyone made this work?

Kind Regards

Chris
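
An added example, not part of the post above or of Note 1837331: a small checker that reads a krb5.conf and reports whether the default realm has static kdc entries and which SRV names (per RFC 4120, `_kerberos._udp.REALM` and `_kerberos._tcp.REALM`) have to resolve for DNS-based KDC discovery. The sample file and function names are constructed for illustration; `dns_lookup_kdc` is the MIT krb5 `[libdefaults]` option, and whether the IBM Java kinit in the trace honours it is an open assumption, not something this page establishes.

```python
import re

# Constructed sample: a krb5.conf with no [realms] section, relying on DNS.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = UK.EXAMPLE.COM
    dns_lookup_kdc = true

[domain_realm]
    .uk.example.com = UK.EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()                           # close "REALM = { ... }"
        elif "=" in line and stack:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)  # kdc may repeat
    return conf

def kdc_discovery(text):
    """Summarise how the default realm's KDCs would be located."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    static = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    dns = lib.get("dns_lookup_kdc", ["(unset)"])[0]
    # RFC 4120 SRV owner names; the realm name is used as the DNS domain.
    srv = [f"_kerberos._{p}.{realm}" for p in ("udp", "tcp")] if realm else []
    return {"realm": realm, "static_kdcs": static,
            "dns_lookup_kdc": dns, "srv_names": srv}

if __name__ == "__main__":
    info = kdc_discovery(SAMPLE_KRB5_CONF)
    print(info)
    for name in info["srv_names"]:
        print(f"dig +short {name} SRV")   # run from the HANA host's resolver
```

If the printed SRV names resolve from the host but a packet capture during kinit still shows no query for them, the client in use is not attempting DNS discovery at all, which points at the client or its configuration rather than at the DNS records.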