
We have a Tomcat server using Spring Security Kerberos to authenticate users to the web page against Active Directory.

There are around 25 domain controllers.

The site has two CNAME based DNS aliases.

The site currently has one Service ID with SPNs registered for the DNS A record as well as each of the CNAMEs.

While everything is working right now, I don't know how to reliably change this configuration without possible downtime.

The reason is that clients cache kerberos tickets:

http://www.juniper.net/techpubs/en_US/uac4.2/topics/concept/user-role-active-directory-about.html

The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint. Old tickets must be purged from the endpoint if SPNs are updated or passwords are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGO request to the MAG Series device). During testing, you should purge tickets before each authentication request.

Description of "klist" program used to inspect/delete cached tickets: http://technet.microsoft.com/en-us/library/hh134826.aspx

So if each of the clients (users running windows) who connect to my web server have kerberos tickets that become invalid as soon as I update the SPNs or passwords, how do I ensure changes are seamless? Are there any operations that can be done safely? I can't just ask all of the users to install klist and delete their old tickets.

jmh

2 Answers


The strategy for this on the unix side of things would be to keep both the old and new copies of the key in the keytab for the service. Kerberos keeps version numbers on the keys and the kerberos libraries will check the keytab for the correct version to use when the service ticket is presented.

You can only have one version of the key in the KDC, but as long as both old and new versions of the key are in the keytab on the server, your clients should see no disruption in service. If you can explain how you install the keytab for the service, I can probably suggest something.

  • To load a new keytab, the new one is copied to the server and tomcat is restarted. This should only be needed for a password change though, right? Not for SPN updates. – jmh Oct 31 '13 at 15:59
  • I've got 20+ years experience with kerberos but only from the unix side and using std protocols like ldap and kerberos to pretend that AD is just another KDC. If changing the SPN does not require downloading a new keytab to the tomcat server, then you should not have any problems. If it does then you need to use a utility to merge both the old and new keytab into a single keytab. – Fred the Magic Wonder Dog Oct 31 '13 at 17:04
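The answer above says the Unix-side fix is a keytab that carries both the old and the new key version, because the library picks the key by the kvno in the presented ticket. The following is an added example, not code from the question, the answers or Spring Security Kerberos: it builds, parses and merges MIT-format (0x0502) keytabs in pure Python and then replays the failure mode the questioner worries about. The SPN, realm, kvno values and 32-byte key bytes are constructed for the demonstration; a real keytab would be produced by ktpass or ktutil and the keys would be derived from the service account password.

```python
# Added example (not from the original post): build, parse and merge MIT-format
# keytabs, then show why a keytab holding both old and new key versions keeps
# already-cached service tickets working after a password (kvno) change.
# SPN, realm, kvno values and key bytes below are constructed, not real.
import struct

KEYTAB_VERSION = b"\x05\x02"      # MIT keytab file format version 0x0502
AES256_CTS_HMAC_SHA1_96 = 18      # RFC 3962 enctype number


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one v2 keytab entry: components, realm, name type, time, vno8, key, vno32."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                          # optional 32-bit vno field
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key)."""
    return KEYTAB_VERSION + b"".join(build_entry(*e) for e in entries)


def parse_keytab(blob: bytes):
    """Return a list of (principal, kvno, enctype, key) tuples from a keytab blob."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        (rlen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                 # non-zero 32-bit vno, when present, overrides vno8
            (vno32,) = struct.unpack(">I", blob[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """Merge keytabs, keeping each (principal, kvno, enctype) once, as ktutil rkt/wkt would."""
    seen, merged = set(), []
    for blob in blobs:
        for principal, kvno, enctype, key in parse_keytab(blob):
            ident = (principal, kvno, enctype)
            if ident not in seen:
                seen.add(ident)
                merged.append((principal, kvno, enctype, key))
    return build_keytab(merged)


def lookup_key(blob: bytes, principal: str, kvno: int, enctype: int):
    """What the service does for an incoming ticket: find the key matching its kvno and enctype."""
    for p, v, e, key in parse_keytab(blob):
        if (p, v, e) == (principal, kvno, enctype):
            return key
    return None   # no key for that version: the AP-REQ is rejected (bad key version)


# Constructed scenario: kvno 3 before the password change, kvno 4 after it.
SPN = "HTTP/web.example.com@EXAMPLE.COM"
OLD = build_keytab([(SPN, 3, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32)])
NEW = build_keytab([(SPN, 4, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32)])
MERGED = merge_keytabs(OLD, NEW)

if __name__ == "__main__":
    for label, kt in (("old", OLD), ("new", NEW), ("merged", MERGED)):
        for ticket_kvno in (3, 4):
            ok = lookup_key(kt, SPN, ticket_kvno, AES256_CTS_HMAC_SHA1_96) is not None
            print("%-6s keytab, ticket kvno %d: %s" % (label, ticket_kvno, "accepted" if ok else "rejected"))
```

Running it prints that the old keytab rejects kvno 4 tickets, the new keytab rejects kvno 3 tickets (the ones still cached on clients), and the merged keytab accepts both. That is the window the answer describes: the KDC only holds the current key, but the service side can hold several versions, so deploying the merged file before the password change (and dropping the old version once the longest ticket lifetime has passed) avoids the outage. Whether Spring Security Kerberos on Tomcat honours multiple kvnos in one keytab is not stated on this page and should be tested before relying on it.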

Perhaps you should test adding an SPN, instead of changing an existing SPN. Security principals can have multiple SPNs.

Greg Askew