
Kerberos create spn and keytabs to include proxy DNS


I want to create SPNs and keytabs to include the proxy DNS name so that the proxy can forward the headers to the back-end. I'm unsure what the host, domain and realm are. Can someone verify if it looks OK? Or did I add one example.com too many?

The proxy has the server name configured as testing.example.com. The realm is example.com.

setspn -a HTTP/testing.example.com testinghttp

setspn -a HTTP/testing.example.com.example.com testinghttp

ktpass -princ HTTP/testing.example.com.example.com@example.com -pass Password -mapuser example\testinghttp -crypto ALL -ptype KRB5_NT_PRINCIPAL -out d:\temp\key.keytab -kvno 0


Solution

  • Assuming that the proxy is in the same domain, all you need to know is the face URL of the proxy. Use this face URL as the SPN value. Assuming your proxy face URL is http://testing.example.com, the command setspn -a HTTP/testing.example.com testinghttp is correct.

    Moreover, if you are generating a keytab, then you need not execute the above command. The SPN specified in ktpass (which is the proxy face URL) is automatically attached to the given user. Also, the user's UPN changes to this SPN value.

    The proxy will (it must) redirect the request 'as is' (with all the headers) to the end node/server. On the receiving end (the server), you need to accept the ticket present in the 'Negotiate' header. You have to use the keytab (and its password) generated above for this.
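As an added example (not code from the question or the answer above), the following Python derives the SPN from the proxy's face URL and realm, and lets the back-end check what actually arrived in the forwarded Negotiate header: a GSS-API token carrying a Kerberos or SPNEGO mechanism OID, or an NTLM fallback, which is the usual symptom when the SPN does not match the host in the URL. The sample tokens are constructed here for illustration, not real captures.

```python
import base64
from urllib.parse import urlparse

# DER-encoded mechanism OIDs found at the start of a GSS-API initial token (RFC 2743 3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
KNOWN_MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos"}


def spn_for_face_url(face_url: str, realm: str) -> str:
    """SPN a client will request for a proxy reachable at face_url.
    Service class is HTTP for both http:// and https://, the instance is the host
    part of the URL only (no scheme, path or second domain suffix), and the realm
    is conventionally written in upper case."""
    host = urlparse(face_url).hostname
    if not host:
        raise ValueError(f"no host in {face_url!r}")
    return f"HTTP/{host.lower()}@{realm.upper()}"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap inner in RFC 2743 initial-token framing; used here only to build samples."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + _der_len(len(body)) + body


def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


def classify_negotiate(authorization: str) -> str:
    """'kerberos', 'spnego', 'ntlm', 'unknown' or 'not-negotiate' for an Authorization value."""
    scheme, _, token_b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token_b64.strip():
        return "not-negotiate"
    token = base64.b64decode(token_b64.strip())
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM under the Negotiate scheme: no ticket for the SPN was obtained
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip tag byte and DER length
    if len(token) < pos + 2 or token[pos] != 0x06:
        return "unknown"
    return KNOWN_MECHS.get(token[pos + 2:pos + 2 + token[pos + 1]], "unknown")
```

A count of "ntlm" results in the back-end's access log is a quick way to spot an SPN that does not match the proxy's face URL.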