Wednesday, 16 April 2014

Simulating a GSLB DNS Load Balancing and Failover Configuration for File Access: Part 2 - Kerberos

Continuing from this post …

It is security best practice to ensure that Kerberos Authentication to your NetApp CDOT CIFS server works. So, following on from the GSLB DNS Load Balancing and Failover Configuration design, here’s some additional information to ensure Kerberos works with the solution.

Our Design Example

DFS Namespace path: \\lab.domain\DFSROOT\folder
DFS path to folder target: \\CDOTSVM01-LB.lab.domain\sharename

CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB.gslb.domain

DNS A-records:
CDOTSVM01-LB.gslb.domain 10.10.10.101
CDOTSVM01-LB.gslb.domain 10.10.10.102
CDOTSVM01-LB.gslb.domain 10.10.10.103
CDOTSVM01-LB.gslb.domain 10.10.10.104

CDOT CIFS Server NetBios Name: CDOTSVM01
CDOT CIFS Server FQDN: CDOTSVM01.lab.domain

SPNs

For Kerberos authentication to work, SPNs (Service Principal Names) must be configured.
When the Active Directory machine account for our CDOTSVM01 is created, we have the following SPNs:

DOS> setspn -q HOST/CDOTSVM01

HOST/CDOTSVM01.lab.domain
HOST/CDOTSVM01

At this point, if we connect to our share over DFS, DNS returns back:

CDOTSVM01-LB.gslb.domain

And of course, Kerberos breaks because there’s no SPN for that, and we fail back to NTLM authentication which we don’t want (it’s less secure and generates more load on the domain controllers.) So, what we do is add a couple of SPNs:

DOS> setspn -a HOST/CDOTSVM01-LB.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LB CDOTSVM01

Then when we run the setspn -q (for query) command, we get:

DOS> setspn -q HOST/CDOTSVM01

HOST/CDOTSVM01-LB
HOST/CDOTSVM01-LB.gslb.domain
HOST/CDOTSVM01.lab.domain
HOST/CDOTSVM01

With this setup, Kerberos will work fine!

Do you need the CNAME?

Well, the answer is no, not really, we could have done the below and skipped out using the CNAME:

DFS Namespace path: \\lab.domain\DFSROOT\folder
DFS path to folder target: \\CDOTSVM01-LB.gslb.domain\sharename

DNS A-records:
CDOTSVM01-LB.gslb.domain 10.10.10.101
CDOTSVM01-LB.gslb.domain 10.10.10.102
CDOTSVM01-LB.gslb.domain 10.10.10.103
CDOTSVM01-LB.gslb.domain 10.10.10.104

CDOT CIFS Server NetBios Name: CDOTSVM01
CDOT CIFS Server FQDN: CDOTSVM01.lab.domain

In my original scenario - from here - our site failover mechanism was to update the IP addresses in the DNS A records on the gslb.domain (which exists on a GSLB appliance). An alternative site failover mechanism is to use DNS and the CNAME, and simply point the CNAME from the below -

CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB.gslb.domain

- to say -

CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB-DR.gslb.domain

Testing Kerberos By Disabling NTLM Authentication

In the lab, testing Kerberos is working is very easy by testing with NTLM disabled in your lab domain. You can disable NTLM using the following instructions. Then try first without SPNs configured, and then try with SPNs configured and see that authentication and access doesn’t work without them:

Start -> Administrative Tools -> Group Policy Management
Default Domain Controllers Policy -> Edit
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Network Security: Restrict NTLM: NTLM authentication in this domain
Define this policy setting
Deny all

Image: How to disable NTLM in Windows 2008 R2 Default Domain Controllers Policy

And an example of the error you might see when Kerberos is expected but not functioning.

Image:  Microsoft Windows Network: A device attached to the system is not functioning

Setspn Goodness

Checking for duplicate SPNs:

DOS> setspn -x

Deleting SPNs:

DOS> setspn -d HOST/CDOTSVM01-LB.gslb.domain CDOTSVM01
DOS> setspn -d HOST/CDOTSVM01-LB CDOTSVM01

More SPNs

In this scenario, it might be worth setting SPNs also for every data LIF, to enable Kerberos if using/testing without the load balancer.

For example:

DOS> setspn -a HOST/CDOTSVM01-LIF1.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF1 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF2.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF2 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF3.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF3 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF4.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF4 CDOTSVM01

THE END

No comments:

Post a Comment