Creating a Keytab and account for mod_auth_vas without using a priviledged AD account on Linux/Unix (4259756)

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

Creating a Keytab and account for mod_auth_vas without using a priviledged AD account on Linux/Unix
Description

Creating a Keytab and account for mod_auth_vas without using a priviledged AD account on Linux/Unix
Resolution

METHOD 1

1. Ask the AD Administrator to create a user account similar to the one below. Replacing yourdomain, and yourhostname. They will need to use Microsofts setspn tool to add the extra Service Prinicipal Names (SPNs). You will need to be given the password for this account.

userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com

2. Run the setup-mod_auth_vas script to .
# /opt/quest/sbin/setup-mod_auth_vas

Answer n to "Create the HTTP/ service account?", and y to "Use existing service account?". Follow the prompts.

METHOD 2 - Manual method

1. Ask the AD Administrator to create a user account similar to the one below. Replacing yourdomain, and yourhostname. They will need to use Microsofts setspn tool to add the extra Service Prinicipal Names (SPNs). You will need to be given the password for this account.

userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com

2. Create the Keytab on the QAS machine and roll the password to something random.

# /opt/quest/bin/vastool -u yourhostname-http passwd -r -k /etc/opt/quest/vas/HTTP.keytab
Enter the password given to you by the AD team

3. Add the SPN aliases into to the keytab

# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname.yourdomain.com
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname

4. Run the setup-mod_auth_vas script to check the setup and permissions.
# /opt/quest/sbin/setup-mod_auth_vas
METHOD 3 - Manual method without changing the service accounts password
1. Ask the AD administrator to create a user account similar to the one below. Replacing yourdomain, and yourhostname. They will need to use Microsofts setspn tool to add the extra Service Prinicipal Names (SPNs). You will need to be given the password for this account.

userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com

2. Find out the KVNO of the account
# /opt/quest/bin/vastool -u host/ attrs yourhostname-HTTP msDS-KeyVersionNumber

3. Manually create the Keytab

# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e arcfour-hmac-md5 -V KVNONumberfromabove -w password_for_account
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e aes256-cts-hmac-sha1-96 -V KVNONumberfromabove -w passwordforaccount
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e aes128-cts-hmac-sha1-96 -V KVNONumberfromabove -w passwordforaccount

4. Validate it auths OK
# /opt/quest/bin/vastool -u yourhostname-HTTP -k /etc/opt/quest/vas/HTTP.keytab auth

5. Add the SPN aliases into the keytab

# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname.yourdomain.com
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname

6. Run the setup-mod_auth_vas script to check the setup and permissions.
# /opt/quest/sbin/setup-mod_auth_vas
---
MAV and all One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.

Main MAV GitHub page:
https://github.com/OneIdentity/mod_auth_vas

Latest MAV Packages:
https://github.com/OneIdentity/mod_auth_vas/releases

Open a MAV Issue:
https://github.com/OneIdentity/mod_auth_vas/issues

MAV Wiki:
https://github.com/OneIdentity/mod_auth_vas/wiki

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Request a KB Article

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Creating a Keytab and account for mod_auth_vas without using a priviledged AD account on Linux/Unix (4259756)

Title

Description

Resolution

Leave a Comment