Centrify SSO with forwarded Kerberos and AD mixed case usernames

Participant II
Posts: 4
Registered: ‎09-30-2016
#1 of 7 2,702

Centrify SSO with forwarded Kerberos and AD mixed case usernames

Hello,

Chasing SSO via Centrify PuTTY to systems with the DC client enabled. The main problem is that the Active Directory SAMAccount is mixed case and the unix names are lower case. Forwarded Kerberos tickets are needed as well.

SSO works if the mixed case username is placed, alone, in .k5login. However, no TGT is created.

Any tips for getting this to work?

I already stepped through the items given by PuTTY when the Kerberos login attempt prompts for a password; the obvious problem is the mixed case username. How can this be fixed?

Using Centrify Suite 2016 and Centrify PuTTY 5.1.8; the environment is Win2012 -> RHEL 6 or 7.

Thanks,

Bill

Participant I
Posts: 1
Registered: ‎10-19-2015
#2 of 7 2,697

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

Re: Forwarding

Assuming you have configured PuTTY to forward your Windows account ticket via GSSAPI, you also need to modify the computer object in AD to trust the computer for delegation to any service (Kerberos only). If the ticket on your Windows desktop is forwardable, then after SSO login to Linux you should have a ticket.

Re: Mixed case

Can't say we have encountered this, as everything appears as lowercase on our Linux systems as far as the username is concerned. Can you manually kinit a ticket on this account? I'm surprised you can't kinit using the Linux lower case name; the domain is likely all uppercase. adclient should just deal with the unix to windows shenanigans.

There is this option in centrifydc.conf, have you tried it?

# Force principal name in the Kerberos Ticket to lowercase
# This setting is used when the machine is joined to a classic zone or hierarchical zone.
# When the machine is in Auto Zone, please use auto.schema.name.lower instead.
#
# adclient.krb5.principal.lower: false
#

Participant II
Posts: 4
Registered: ‎09-30-2016
#3 of 7 2,695

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

The AD Samaccount (which we use for unix names) is mixed case; we have Access Control set to provide lower case unix names on systems.

kinit works fine; the issue is we need those put in place automatically on SSO login from Windows, as we have applications that use this for grid jobs.

Should have mentioned, ssh SSO from Linux to Linux works fine, forwarded ticket in place with no command.

Have tried changing adclient.krb5.principal.lowercase as well as autozone.schema.name.lower; these really override group policy, which is in place.

Centrify Guru I
Posts: 2,449
Registered: ‎07-26-2012
#4 of 7 2,688

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

A quick comment on @jkaufman's suggestion of trusting for delegation.

Make sure you understand the security implications of enabling this feature.

At Centrify we never recommend the use of this feature without fully understanding the consequences and having compensating controls in place.

Some good resources here:

https://adsecurity.org/?p=1667

http://windowsitpro.com/windows/most-confusing-dialog-box-active-directory

http://windowsitpro.com/security/kerberos-delegation-and-troubleshooting

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 4
Registered: ‎09-30-2016
#5 of 7 2,642

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

Clarification, for the application in use, kinit with password authentication is not an option, a class of users has password denied in AD.

Participant II
Posts: 4
Registered: ‎09-30-2016
#6 of 7 2,350

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

In the hope of aiding others, the solution found for this is the following:

- User's home directory must already exist.

- .k5login in the home directory must contain the lowercase item and the actual case item.

- System must have delegation in AD.

With these, an SSO login works with a forwarded ticket in place at login.

Also, for those testing this process, login, verify ticket and kdestroy is not sufficient to truly clear the ticket, as Centrify caches this. To fully clear the ticket, kdestroy and restart centrifydc.
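The Linux-side preconditions from the post above (home directory present, .k5login carrying both case variants of the principal) can be scripted, and the forwarded ticket can be checked for the forwardable flag rather than just for its existence. The following is an added example written for this page, not code from the thread or from Centrify; the account name JDoe, the realm EXAMPLE.COM and the klist -f listing are constructed for the demo, and the AD delegation setting on the computer object still has to be done separately in AD.

```shell
#!/bin/sh
# Added example, not code from the thread. Prepares ~/.k5login with both the
# AD mixed-case account name and the lowercase unix name, then checks a
# `klist -f` listing for a forwardable TGT. Names and sample output are
# constructed for illustration.
set -eu

# k5login_add FILE PRINCIPAL: append PRINCIPAL to FILE unless already present.
k5login_add() {
    file=$1
    princ=$2
    if ! grep -Fxq -- "$princ" "$file" 2>/dev/null; then
        printf '%s\n' "$princ" >> "$file"
    fi
}

# prepare_k5login HOME_DIR SAMACCOUNT REALM: make sure HOME_DIR exists (the
# thread notes the home directory must already exist at SSO time) and list
# both case variants of the principal in HOME_DIR/.k5login. Idempotent.
prepare_k5login() {
    home=$1
    sam=$2
    realm=$3
    lower=$(printf '%s' "$sam" | tr '[:upper:]' '[:lower:]')
    mkdir -p "$home"
    k5login_add "$home/.k5login" "$sam@$realm"
    k5login_add "$home/.k5login" "$lower@$realm"
    chmod 600 "$home/.k5login"
}

# forwardable_tgt KLIST_OUTPUT: succeed if the krbtgt entry in the output of
# `klist -f` carries the F (forwardable) flag. A ticket that arrived forwarded
# (f) but is not itself forwardable (F) cannot be forwarded on the next hop.
forwardable_tgt() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { tgt = 1; next }
        tgt && /Flags:/ {
            sub(/.*Flags: */, "")
            if (index($0, "F") > 0) found = 1
            tgt = 0
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of `klist -f` on the target host after an SSO login with
# a forwarded ticket (F = forwardable, f = forwarded).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: JDoe@EXAMPLE.COM

Valid starting       Expires              Service principal
10/24/2018 10:00:00  10/24/2018 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/31/2018 10:00:00, Flags: FfRIAT'

# Demo run against a scratch directory instead of a real home directory.
demo() {
    scratch=$(mktemp -d)
    prepare_k5login "$scratch/jdoe" JDoe EXAMPLE.COM
    cat "$scratch/jdoe/.k5login"
    if forwardable_tgt "$SAMPLE_KLIST"; then
        echo "TGT is forwardable"
    else
        echo "TGT is NOT forwardable; check delegation and PuTTY GSSAPI settings"
    fi
    rm -rf "$scratch"
}
demo
```

On a real host, replace SAMPLE_KLIST with `"$(klist -f)"` after the SSO login; remember that, per the post above, kdestroy alone does not clear the Centrify-cached ticket between test runs.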

jd
Participant I
Posts: 1
Registered: ‎10-24-2018
#7 of 7 554

Re: Centrify SSO with forwarded Kerberos and AD mixed case usernames

If your AD admins aren't allowing you to enable Kerberos-only delegation on the computer object, but you have admin access on the Windows client you're ssh'ing from, check the output of "ksetup /listrealmflags".

If "delegate" (0x04) is not set, set it on the local machine:

ksetup /setrealmflags TARGETREALM.COM delegate

This should allow you to forward your credentials for one "hop". Subsequent ssh's from the initial target system will not get forwarded credentials.