Centrify SSO with forwarded Kerberos and AD mixed case usernames
09-30-2016 12:47 PM
Chasing SSO via Centrify putty to systems with enabled DC client. Main problem is Active Directory SAMAccount is mixed case and unixnames are lower case. Forwarded Kerberos tickets are needed as well.
SSO works if mixed case username is placed, alone, in .k5login. However, no TGT is created.
Any tips for getting this to work?
I already stepped through the items given by putty when Kerberos login attempt prompts for password, obvious problem is mixed case username, how can this be fixed?
Using Centrify Suite 2016 and Centrify putty 5.1.8, environment is Win2012 -> RHEL 6 or 7.
09-30-2016 01:42 PM
Assuming you have configured putty to forward your windows account ticket via GSSAPI, you also need to modify the computer object in AD to trust the computer for delegation to any service (Kerberos Only). If the ticket on your windows desktop is forwardable, then after SSO login to linux you should have a ticket.
Re: Mixed case
Can't say we have encountered this, as everything appears as lowercase on our Linux systems as far as the username is concerned. Can you manually kinit a ticket on this account? I'm surprised you can't kinit using the linux lower case name; the domain is likely all uppercase. adclient should just deal with the unix to windows shenanigans.
There is this option in centrifydc.conf, have you tried it?
# Force principal name in the Kerberos Ticket to lowercase
# This setting is used when machine is joined to classic zone or hierarchical zone.
# When machine is in Auto Zone, please use auto.schema.name.lower instead.
# adclient.krb5.principal.lower: false
09-30-2016 01:52 PM
AD Samaccount (which we use for unixnames) is mixed case, we have Access control set to provide lower case unixnames on systems.
kinit works fine; the issue is we need those put in place automatically on SSO login from Windows, as we have applications that use this for grid jobs.
Should have mentioned, ssh SSO from Linux to Linux works fine, forwarded ticket in place with no command.
Have tried changing adclient.krb5.principal.lowercase as well as autozone.schema.name.lower, these really override group policy which is in place.
09-30-2016 05:31 PM
A quick comment on @jkaufman's suggestion of trusting for delegation.
Make sure you understand the security implications of enabling this feature.
At Centrify we never recommend the use of this feature without fully understanding the consequences and having compensating controls in place.
Some good resources here:
10-04-2016 09:52 AM
Clarification, for the application in use, kinit with password authentication is not an option, a class of users has password denied in AD.
12-27-2016 12:01 PM
In the hope of aiding others, the solution found for this is the following:
- User's home directory must already exist.
- .k5login in home directory must contain lowercase item and actual case item.
- System must have delegation in AD.
With these, an SSO login works with a forwarded ticket in place at login.
Also, for those testing this process: logging in, verifying the ticket and running kdestroy is not sufficient to truly clear the ticket, as Centrify caches it. To fully clear the ticket, run kdestroy and restart centrifydc.
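An added helper script (not from this thread or from Centrify) that checks the first two points of the solution above: the home directory exists and .k5login carries both the actual-case sAMAccountName principal and its lowercase form, plus a check that a TGT in klist -f output carries the forwarded flag. The user name JDoe, the realm EXAMPLE.COM and the klist output are constructed sample values.

```shell
#!/bin/sh
# ensure_k5login HOME_DIR SAMACCOUNTNAME REALM
# Adds "<name>@REALM" for the exact sAMAccountName and for its lowercase form,
# creating .k5login if needed; idempotent. The file must be owned by the user
# and not group/world writable or the KDC-side check in krb5 ignores it, so we
# tighten the mode (ownership is assumed to be correct when run as the user).
ensure_k5login() {
  home="$1"; sam="$2"; realm="$3"
  [ -d "$home" ] || { echo "home directory $home does not exist" >&2; return 1; }
  f="$home/.k5login"
  [ -f "$f" ] || : > "$f"
  lower=$(printf '%s' "$sam" | tr '[:upper:]' '[:lower:]')
  for name in "$sam" "$lower"; do
    p="$name@$realm"
    grep -qxF "$p" "$f" || printf '%s\n' "$p" >> "$f"
  done
  chmod 0600 "$f"
}

# k5login_ok HOME_DIR SAMACCOUNTNAME REALM -> 0 only if both principals are present
k5login_ok() {
  f="$1/.k5login"; sam="$2"; realm="$3"
  lower=$(printf '%s' "$sam" | tr '[:upper:]' '[:lower:]')
  grep -qxF "$sam@$realm" "$f" && grep -qxF "$lower@$realm" "$f"
}

# ticket_forwarded "KLIST_F_OUTPUT" -> 0 if the krbtgt entry has the 'f' (forwarded) flag.
# MIT klist -f prints a "Flags:" line under each ticket; 'F' is forwardable, 'f' forwarded.
ticket_forwarded() {
  printf '%s\n' "$1" | awk '
    /krbtgt\// { want = 1; next }
    want && /Flags:/ { sub(/.*Flags: */, ""); if (index($0, "f") > 0) ok = 1; want = 0 }
    END { exit ok ? 0 : 1 }'
}

# Constructed sample of "klist -f" output after an SSO login with a forwarded TGT.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
09/30/16 12:00:00  09/30/16 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FfA'
```

Run ensure_k5login "$HOME" JDoe EXAMPLE.COM as the user, then compare klist -f against ticket_forwarded after an SSO login to confirm the forwarded ticket is present.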
02-13-2019 04:51 PM
If your AD admins aren't allowing you to enable Kerberos-only delegation on computer object, but you have admin access on the Windows client you're ssh'ing from, check the output of "ksetup /listrealmflags"