Creating a keytab and account for mod_auth_vas without using a privileged AD account on Linux/Unix
METHOD 1
1. Ask the AD administrator to create a user account similar to the one below, replacing yourdomain and yourhostname with your own values. They will need to use Microsoft's setspn tool to add the extra Service Principal Names (SPNs). You will need to be given the password for this account.
userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com
2. Run the setup-mod_auth_vas script:
# /opt/quest/sbin/setup-mod_auth_vas
Answer n to "Create the HTTP/ service account?", and y to "Use existing service account?". Follow the prompts.
METHOD 2 - Manual method
1. Ask the AD administrator to create a user account similar to the one below, replacing yourdomain and yourhostname with your own values. They will need to use Microsoft's setspn tool to add the extra Service Principal Names (SPNs). You will need to be given the password for this account.
userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com
2. Create the keytab on the QAS machine and roll the account's password to something random (the AD team's password is used once, to authenticate this change):
# /opt/quest/bin/vastool -u yourhostname-http passwd -r -k /etc/opt/quest/vas/HTTP.keytab
Enter the password given to you by the AD team when prompted.
3. Add the SPN aliases into the keytab:
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname.yourdomain.com
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname
4. Run the setup-mod_auth_vas script to check the setup and permissions:
# /opt/quest/sbin/setup-mod_auth_vas
METHOD 3 - Manual method without changing the service account's password
1. Ask the AD administrator to create a user account similar to the one below, replacing yourdomain and yourhostname with your own values. They will need to use Microsoft's setspn tool to add the extra Service Principal Names (SPNs). You will need to be given the password for this account.
userAccountControl: 66048 (DONT_EXPIRE_PASSWD)
sAMAccountName: yourhostname-HTTP
userPrincipalName: HTTP/yourhostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: HTTP/yourhostname
servicePrincipalName: HTTP/yourhostname.yourdomain.com
2. Find out the key version number (KVNO) of the account; the keytab entries created below must carry the same number or tickets issued by the KDC will not decrypt:
# /opt/quest/bin/vastool -u host/ attrs yourhostname-HTTP msDS-KeyVersionNumber
3. Manually create the keytab, adding one entry per encryption type at the KVNO found above (replace KVNO_from_above and password_for_account):
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e arcfour-hmac-md5 -V KVNO_from_above -w password_for_account
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e aes256-cts-hmac-sha1-96 -V KVNO_from_above -w password_for_account
# /opt/quest/bin/ktutil -k /etc/opt/quest/vas/HTTP.keytab add -p yourhostname-HTTP@YOURDOMAIN.COM -e aes128-cts-hmac-sha1-96 -V KVNO_from_above -w password_for_account
4. Validate that the keytab authenticates successfully:
# /opt/quest/bin/vastool -u yourhostname-HTTP -k /etc/opt/quest/vas/HTTP.keytab auth
5. Add the SPN aliases into the keytab:
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname.yourdomain.com
# /opt/quest/bin/vastool -u yourhostname-http ktutil -k /etc/opt/quest/vas/HTTP.keytab alias yourhostname-http HTTP/yourhostname
6. Run the setup-mod_auth_vas script to check the setup and permissions:
# /opt/quest/sbin/setup-mod_auth_vas
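The following script is an added example and is not part of the article or of mod_auth_vas itself. It drives steps 3 to 5 of METHOD 3 so that the hostname, domain and KVNO are substituted once instead of being retyped into each command, and it adds two checks a practitioner would want: the password is never echoed (a DRY_RUN=1 mode prints the commands with the -w argument redacted), and the resulting keytab is verified to be readable only by its owner, since the keytab is a long-lived credential for the HTTP/ service. Assumptions not taken from the article: vastool and ktutil are at the paths the article uses, the account password is supplied in a PASSWORD environment variable, and the sAMAccountName is used in the same case throughout (the article mixes yourhostname-HTTP and yourhostname-http; AD treats them as the same account). The script loops over the three encryption types the article lists, including arcfour-hmac-md5 (RC4), which is a legacy type; drop it from the list if the account only needs AES.

```shell
#!/bin/sh
# Added example, not from the article: automates METHOD 3 steps 3-5.
# Assumed (not stated by the article): tool paths as below, password in
# $PASSWORD, DRY_RUN=1 prints the commands instead of executing them.
set -eu

VASTOOL=/opt/quest/bin/vastool
KTUTIL=/opt/quest/bin/ktutil
KEYTAB=/etc/opt/quest/vas/HTTP.keytab

# sAMAccountName from the article's account template: <hostname>-HTTP
account_name() {
  printf '%s-HTTP' "$1"
}

# The Kerberos realm is the AD domain in upper case
realm_of() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The two SPN aliases the article adds to the keytab, one per line
spn_list() {
  printf 'HTTP/%s\nHTTP/%s.%s\n' "$1" "$1" "$2"
}

# Execute a command, or under DRY_RUN=1 print it with the -w password redacted
run() {
  if [ "${DRY_RUN:-0}" != 1 ]; then
    "$@"
    return
  fi
  line=''; redact=0
  for arg in "$@"; do
    if [ "$redact" = 1 ]; then arg='<redacted>'; redact=0; fi
    if [ "$arg" = -w ]; then redact=1; fi
    line="$line${line:+ }$arg"
  done
  printf '%s\n' "$line"
}

# The keytab is a credential: it must be mode 0600 (first ls -l field)
keytab_perms_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Steps 3-5 of METHOD 3 for <hostname> <domain> <kvno>
create_keytab() {
  host=$1; domain=$2; kvno=$3
  acct=$(account_name "$host")
  princ="$acct@$(realm_of "$domain")"
  umask 077   # new files (the keytab) are created owner-readable only
  # Step 3: one entry per encryption type, all at the account's current KVNO
  for etype in arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
    run "$KTUTIL" -k "$KEYTAB" add -p "$princ" -e "$etype" -V "$kvno" \
        -w "${PASSWORD:?set PASSWORD to the account password}"
  done
  # Step 4: prove the keytab authenticates before adding aliases
  run "$VASTOOL" -u "$acct" -k "$KEYTAB" auth
  # Step 5: alias the account's key under each HTTP/ SPN
  for spn in $(spn_list "$host" "$domain"); do
    run "$VASTOOL" -u "$acct" ktutil -k "$KEYTAB" alias "$acct" "$spn"
  done
}

# Usage: PASSWORD=... [DRY_RUN=1] sh mav-keytab.sh <hostname> <domain> <kvno>
if [ $# -eq 3 ]; then
  create_keytab "$1" "$2" "$3"
  if [ "${DRY_RUN:-0}" != 1 ]; then
    keytab_perms_ok "$KEYTAB" || { echo "keytab is not mode 0600" >&2; exit 1; }
  fi
fi
```

Run it first with DRY_RUN=1 to review the exact commands before anything touches the keytab; the KVNO argument is the value returned by step 2 of METHOD 3. After a real run, the final permissions check fails loudly if the keytab is group- or world-readable, which would expose the HTTP/ service key to every local user.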
---
MAV and all One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.
Main MAV GitHub page:
https://github.com/OneIdentity/mod_auth_vas
Latest MAV Packages:
https://github.com/OneIdentity/mod_auth_vas/releases
Open a MAV Issue:
https://github.com/OneIdentity/mod_auth_vas/issues
MAV Wiki:
https://github.com/OneIdentity/mod_auth_vas/wiki
© 2024 One Identity LLC. ALL RIGHTS RESERVED.