Aug 29, 2012 at 09:58 PM

BO4 Windows AD Authentication in Parent - Child domains


I am setting up Windows AD authentication and SSO where there are multiple domains in a parent – child domain structure:

PARENT_DOMAIN

CHILD_DOMAIN1

CHILD_DOMAIN2

I have made the appropriate settings according to the documentation, and now users in the Parent domain can log in through manual AD.

I can successfully run a test with a user in a Child domain using Kinit, but that user cannot log in to BO using manual AD.

The BO server is in CHILD_DOMAIN1. The service account running BO is in PARENT_DOMAIN1. There are users in all parent and child domains.

In the CMS I have set:

AD Administration Name: PARENT_DOMAIN.COM\Service_Account

Default AD Group: PARENT_DOMAIN.COM

Service Principal Name: BO_SERVERNAME/Service_Account.PARENT_DOMAIN.COM

I have added AD Group: PARENT_DOMAIN\Group1

(This group does include the user in the child domain.)

For SPNs:

SETSPN -a BO_SERVER/Service_Account.PARENT_DOMAIN.COM Service_Account

SETSPN -a HTTP/BO_SERVER.PARENT_DOMAIN.COM Service_Account

In krb5.ini I have:

[libdefaults]
default_realm = PARENT_DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
PARENT_DOMAIN.COM = {
kdc = Parent_KDC.PARENT_DOMAIN.COM
default_domain = PARENT_DOMAIN.COM
}
# "= {" was missing on the realm line as posted
CHILD_DOMAIN1.PARENT_DOMAIN.COM = {
kdc = KDC1.CHILD_DOMAIN1.PARENT_DOMAIN.COM
default_domain = CHILD_DOMAIN1.PARENT_DOMAIN.COM
}
# realm name as posted read CHILD_DOMAIN1 again (a duplicate); corrected to match its kdc and default_domain
CHILD_DOMAIN2.PARENT_DOMAIN.COM = {
kdc = KDC2.CHILD_DOMAIN2.PARENT_DOMAIN.COM
default_domain = CHILD_DOMAIN2.PARENT_DOMAIN.COM
}

The Tomcat error log says (among other things):

jcsi.kerberos: Ticket service name is: HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM

jcsi.kerberos: Using keytab entry for: Service_Account@PARENT_DOMAIN.COM

jcsi.kerberos: ** decrypting ticket .. ** with key Principal: Service_Account@PARENT_DOMAIN.COM

jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM"

Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure

This seems to me like I have not set up the SPNs correctly. Is that right? What would the correct SPNs be, based upon the location of the BO server?

Any other indications of what is going wrong?

Thanks

Al.
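An added diagnostic, not part of Al's post: it parses the jcsi.kerberos log lines and the SETSPN commands quoted above and checks whether the service principal named in the ticket is actually registered on the account whose keytab key Tomcat tried to decrypt it with, and whether the ticket's realm matches the keytab realm. The sample input is constructed from the post's own lines; the account and SPN names are the placeholders used there.

```python
import re

# Constructed sample input, copied from the post's setspn commands and Tomcat
# log lines so the check runs offline.
SETSPN_CMDS = """
SETSPN -a BO_SERVER/Service_Account.PARENT_DOMAIN.COM Service_Account
SETSPN -a HTTP/BO_SERVER.PARENT_DOMAIN.COM Service_Account
"""
TOMCAT_LOG = """
jcsi.kerberos: Ticket service name is: HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM
jcsi.kerberos: Using keytab entry for: Service_Account@PARENT_DOMAIN.COM
jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM"
"""

def registered_spns(setspn_text):
    """Map each account (upper-cased) to the SPNs registered on it via 'setspn -a <SPN> <account>'."""
    spns = {}
    for spn, account in re.findall(r"(?im)^\s*setspn\s+-a\s+(\S+)\s+(\S+)\s*$", setspn_text):
        spns.setdefault(account.upper(), set()).add(spn.upper())
    return spns

def split_principal(principal):
    """'HTTP/host@REALM' -> ('HTTP/HOST', 'REALM'); realm is '' when absent."""
    name, _, realm = principal.partition("@")
    return name.upper(), realm.upper()

def diagnose(log_text, setspn_text):
    """Compare the ticket's service principal with the SPNs registered on the
    keytab account; a principal the account does not hold cannot be decrypted
    with that account's key, which is what 'Integrity check failure' reports."""
    ticket = re.search(r"Ticket service name is:\s*(\S+)", log_text)
    keytab = re.search(r"Using keytab entry for:\s*(\S+)", log_text)
    if not ticket or not keytab:
        raise ValueError("log lacks 'Ticket service name' or 'Using keytab entry' lines")
    ticket_spn, ticket_realm = split_principal(ticket.group(1))
    account, keytab_realm = split_principal(keytab.group(1))
    spns = registered_spns(setspn_text).get(account, set())
    findings = []
    if ticket_spn not in spns:
        findings.append(f"{ticket_spn} is not registered on {account}; the ticket was not issued against this account's key")
    if ticket_realm != keytab_realm:
        findings.append(f"ticket realm {ticket_realm} differs from keytab realm {keytab_realm}")
    return {"ticket_spn": ticket_spn, "ticket_realm": ticket_realm, "account": account,
            "spn_registered": ticket_spn in spns, "realm_match": ticket_realm == keytab_realm,
            "findings": findings}

if __name__ == "__main__":
    for finding in diagnose(TOMCAT_LOG, SETSPN_CMDS)["findings"]:
        print("MISMATCH:", finding)
```

On the posted input it reports both mismatches: the HTTP SPN for the server's CHILD_DOMAIN1 name is not among the SPNs registered on Service_Account, and the ticket realm is the child realm while the keytab entry is in the parent realm.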