
I am having an issue where I am getting a prompt from the SEM web GUI to provide my credentials. I provide credentials (we use both tokens and passwords). It does not fail unless I close the prompt. LDAP works fine.

I have a CA that I signed the SSL certificate with. The SEM name is sem.domain (this is an offline domain). The SEM console has the correct domain and IP configuration.

I was successful in creating a keytab with the following:

.\ktpass.exe -princ HTTP/sem.domain -pass *** -mapuser domain\sem -pType KRB5_NT_PRINCIPAL -crypto ALL -Out c:\Keytab\sem.keytab

I also tried to change it to AES256, since the DISA STIG requires at least AES128, but I still get the issue.

I transported the keytab via the domain sysvol share to the SEM server.

The watchlog (Manager menu in the CMC console) shows that there is a Kerberos checksum issue before I even select an account to log in with at the prompt.

1 Answer


It turns out that it was syntax. The domain needs to be DOMAIN (All Caps). So the command for KTPASS should be as follows:

.\ktpass.exe -princ HTTP/sem.domain@DOMAIN -pass *** -mapuser domain\sem -pType KRB5_NT_PRINCIPAL -crypto ALL -Out c:\Keytab\sem.keytab

NOTE: The key difference is the "HTTP/sem.domain@DOMAIN"

Here is an excerpt from the KTPASS info documentation on the Microsoft Docs website:

"/princ Specifies the principal name in the form host/computer.contoso.com@CONTOSO.COM. Warning: This parameter is case-sensitive."

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

  • You mean HTTP/sem.domain@DOMAIN.COM not just HTTP/sem.domain@DOMAIN right??? There must be an extension which fully qualifies the name of the Kerberos realm. – T-Heron Aug 20 '20 at 14:30
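The fix above comes down to two things a keytab has to get right before Kerberos SSO can work: the realm in the principal must match the KDC's realm exactly (for the AES enctypes the password-to-key derivation is salted with the realm and principal components, so a wrong-case realm yields a different key than the one stored in AD, which is consistent with a checksum failure), and the enctypes present must satisfy the STIG's AES requirement (note that -crypto ALL also writes RC4 and DES keys). The script below is an added example, not part of the original question, answer or SolarWinds' own tooling. It parses the version-2 (0x0502) keytab format that ktpass writes and audits each entry for realm case, expected SPN and enctype. The principal, realm and kvno values, and the keytab bytes themselves, are constructed here for illustration; on a real system you would read the file produced by ktpass instead.

```python
import struct

# Kerberos encryption type numbers (IANA Kerberos Parameters registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
AES_ENCTYPES = {17, 18}
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2, which ktpass writes


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a version-2 keytab.

    Used only to construct sample input for this example; a real keytab comes from ktpass.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)            # name type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (not used by the audit)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a version-2 keytab into dicts with principal, name, realm, kvno and enctype."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            components.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip the key bytes; the audit never needs them
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        name = "/".join(components)
        entries.append({"principal": f"{name}@{realm}", "name": name,
                        "realm": realm, "kvno": kvno, "enctype": enctype})
    return entries


def audit_keytab(data, expected_spn):
    """Return a list of findings; an empty list means the keytab passes every check."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    findings = []
    for e in entries:
        label = ENCTYPE_NAMES.get(e["enctype"], f"enctype {e['enctype']}")
        if e["name"] != expected_spn:
            findings.append(f"{e['principal']}: SPN is not {expected_spn}")
        if e["realm"] != e["realm"].upper():
            findings.append(f"{e['principal']}: realm '{e['realm']}' is not upper-case "
                            "(ktpass /princ is case-sensitive; AES keys are salted with the realm)")
        if e["enctype"] not in AES_ENCTYPES:
            findings.append(f"{e['principal']}: {label} key is weaker than AES128 "
                            "(STIG requires AES; regenerate with -crypto AES256-SHA1 or AES128-SHA1)")
    if not any(e["enctype"] in AES_ENCTYPES for e in entries):
        findings.append("no AES key present at all")
    return findings


# Constructed sample keytabs (keys are zero-filled placeholders, not real key material).
EXPECTED_SPN = "HTTP/sem.domain"
KEYTAB_LOWERCASE_REALM = build_keytab([("HTTP/sem.domain@domain", 3, 18, bytes(32))])
KEYTAB_GOOD = build_keytab([("HTTP/sem.domain@DOMAIN", 3, 18, bytes(32)),
                            ("HTTP/sem.domain@DOMAIN", 3, 17, bytes(16))])
# What -crypto ALL produces: DES, RC4 and both AES keys for the same principal.
KEYTAB_CRYPTO_ALL = build_keytab([("HTTP/sem.domain@DOMAIN", 3, t, bytes(16 if t != 18 else 32))
                                  for t in (1, 3, 23, 18, 17)])

if __name__ == "__main__":
    for title, kt in (("lower-case realm", KEYTAB_LOWERCASE_REALM),
                      ("AES only", KEYTAB_GOOD), ("-crypto ALL", KEYTAB_CRYPTO_ALL)):
        print(f"== {title} ==")
        for f in audit_keytab(kt, EXPECTED_SPN) or ["OK"]:
            print("  " + f)
```

To check the file ktpass produced, replace the constructed samples with `audit_keytab(open(r"c:\Keytab\sem.keytab", "rb").read(), "HTTP/sem.domain")`. Because a keytab holds derived key material, treat it like a password: copying it through a world-readable share such as SYSVOL leaves a copy anyone in the domain can read, so prefer an admin-only path and delete the intermediate copy.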