Kerberos Hostname mapping

Thread starter: spconsultant (Guest)
Background

I have a web server called portal.myc.local. I must implement Kerberos Constrained Delegation to impersonate the end user in a downstream application (on another server).

I am using Kerberos to authenticate users (for SharePoint). I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount. This is working well.

For external access, public DNS has mycompany.com registered to me, and I have my public DNS pointing to portal.mycompany.com and, for testing right now, to my web server. I have created a wildcard SSL certificate for *.mycompany.com (using SELFSSL).

(When I move along, this will be secured via ISA server in my DMZ; the certificate will be self-signed.)

Status

Through Kerberos, my internal connections work properly. Externally, Kerberos fails and authenticates me via NTLM. Even if I do this from the LAN by using a hosts file entry to point to my internal web server, it still falls back to NTLM.

Question:

I believe what I need to do is map mycompany.com to myc.local so that the Active Directory domain controller on myc.local sees these as members of the same realm. How do I accomplish this? Is this correct? Can I authenticate like this? Any documentation source recommendations?
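A practitioner's first check for this symptom, as an added example that is not part of the thread: a browser requests a service ticket for the SPN built from the host in the URL (HTTP/portal.mycompany.com for the external name), and if that SPN is not registered on the app pool account the client cannot obtain a Kerberos ticket and negotiates down to NTLM. The script assumes the ActiveDirectory PowerShell module is available and reuses the account and host names from the post.

```powershell
# Added example, not from the original thread: verify that the SPN a client will
# request for each URL is registered on the SharePoint app pool account.
# Assumes the ActiveDirectory module and the names used in the post.
Import-Module ActiveDirectory

$domain  = 'MYC'                      # NetBIOS domain from the post
$account = 'apppoolaccount'           # service account running the app pool
$urls    = @('https://portal.myc.local/', 'https://portal.mycompany.com/')

# The client derives the SPN from the host part of the URL: HTTP/<host>
$wanted = $urls | ForEach-Object { 'HTTP/' + ([System.Uri]$_).Host.ToLower() }

# SPNs actually registered on the account (comparison is case-insensitive)
$registered = (Get-ADUser -Identity $account -Properties servicePrincipalName).servicePrincipalName |
    ForEach-Object { $_.ToLower() }

foreach ($spn in $wanted) {
    if ($registered -contains $spn) {
        Write-Host "OK       $spn is registered on $domain\$account"
    } else {
        Write-Host "MISSING  $spn is not registered; clients using that host name fall back to NTLM"
        Write-Host "         to register it: setspn -S $spn $domain\$account"
    }
}

# An SPN present on more than one account also breaks Kerberos; list duplicates forest-wide
setspn -X
```

Run it as a user that can read the service account's attributes; the hosts-file test from the LAN described in the post already rules out KDC reachability as the cause, which is why the SPN is the thing to inspect first.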

Re: Kerberos Hostname mapping

Clarification:

portal.mycompany.com is a public DNS "A" record.

I think I need something like:

Configure /etc/krb5.conf

[libdefaults]
default_realm = myc.local

[domain_realm]
portal.mycompany.com = myc.local

[realms]
myc.local = {
kdc = kdc.myc.local
}

Thanks for your thoughts!


On Oct 30, 3:55 pm, spconsultant <gfpilot2...@yahoo.com> wrote: