Continuing from this post …

It is security best practice to make sure that clients authenticate to your NetApp CDOT CIFS server with Kerberos rather than silently falling back to NTLM. So, following on from the GSLB DNS Load Balancing and Failover Configuration design, here's some additional information to ensure Kerberos works with the solution.
Our Design Example

DFS Namespace path: \\lab.domain\DFSROOT\folder
DFS path to folder target: \\CDOTSVM01-LB.lab.domain\sharename
CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB.gslb.domain
DNS A-records:
CDOTSVM01-LB.gslb.domain 10.10.10.101
CDOTSVM01-LB.gslb.domain 10.10.10.102
CDOTSVM01-LB.gslb.domain 10.10.10.103
CDOTSVM01-LB.gslb.domain 10.10.10.104
CDOT CIFS Server NetBios Name: CDOTSVM01
CDOT CIFS Server FQDN: CDOTSVM01.lab.domain
SPNs

For Kerberos authentication to work, SPNs (Service Principal Names) must be configured. When the Active Directory machine account for our CDOTSVM01 is created, we have the following SPNs:

DOS> setspn -q HOST/CDOTSVM01
HOST/CDOTSVM01.lab.domain
HOST/CDOTSVM01

At this point, if we connect to our share over DFS, DNS returns back:

CDOTSVM01-LB.gslb.domain

And of course, Kerberos breaks because there's no SPN for that name: the SMB client asks the KDC for a service ticket for cifs/CDOTSVM01-LB.gslb.domain (cifs maps to HOST by default), no account holds that SPN, so the KDC cannot issue the ticket and the client falls back to NTLM authentication, which we don't want (it's less secure, and every NTLM logon is passed through to a domain controller, which generates more load on the domain controllers). So, what we do is add a couple of SPNs:

DOS> setspn -a HOST/CDOTSVM01-LB.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LB CDOTSVM01

(setspn -a adds the SPN without checking anything; setspn -s does the same but first checks that the SPN is not already registered on another account. Prefer -s, because a duplicate SPN breaks Kerberos for both names that share it.)

Then when we run the setspn -q (for query) command, we get:

DOS> setspn -q HOST/CDOTSVM01
HOST/CDOTSVM01-LB
HOST/CDOTSVM01-LB.gslb.domain
HOST/CDOTSVM01.lab.domain
HOST/CDOTSVM01

With this setup, Kerberos will work fine! To prove it from a client, run klist after connecting to the share: the service ticket listed as cifs/<name> shows the exact name the client asked the KDC for, and that is the name which must carry an SPN on the CIFS server's account.
Do you need the CNAME?

Well, the answer is no, not really; we could have done the below and skipped using the CNAME:

DFS Namespace path: \\lab.domain\DFSROOT\folder
DFS path to folder target: \\CDOTSVM01-LB.gslb.domain\sharename
DNS A-records:
CDOTSVM01-LB.gslb.domain 10.10.10.101
CDOTSVM01-LB.gslb.domain 10.10.10.102
CDOTSVM01-LB.gslb.domain 10.10.10.103
CDOTSVM01-LB.gslb.domain 10.10.10.104
CDOT CIFS Server NetBios Name: CDOTSVM01
CDOT CIFS Server FQDN: CDOTSVM01.lab.domain

In my original scenario (from here) our site failover mechanism was to update the IP addresses in the DNS A records on the gslb.domain (which exists on a GSLB appliance). An alternative site failover mechanism is to use DNS and the CNAME, and simply repoint the CNAME from the below:

CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB.gslb.domain

to, say:

CNAME translation: CDOTSVM01-LB.lab.domain -> CDOTSVM01-LB-DR.gslb.domain

Whichever name ends up in the client's ticket request after the failover (check with klist) needs its SPNs registered on the CIFS server account too, otherwise the failover itself will push clients back to NTLM.
Testing Kerberos By Disabling NTLM Authentication

In the lab, testing that Kerberos is working is very easy: disable NTLM in your lab domain. You can disable NTLM using the following instructions. Then try first without SPNs configured, and then with SPNs configured, and you will see that authentication and access don't work without them:

Start -> Administrative Tools -> Group Policy Management
Default Domain Controllers Policy -> Edit
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Network Security: Restrict NTLM: NTLM authentication in this domain
Define this policy setting
Deny all

Image: How to disable NTLM in Windows 2008 R2 Default Domain Controllers Policy

Do this in a lab only: "Deny all" makes the domain controllers refuse NTLM pass-through authentication for every domain account, so anything in the domain that still relies on NTLM stops working. In a production domain, set the same policy to "Audit all" instead (or use the companion "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy) and review the Microsoft-Windows-NTLM/Operational event log on the domain controllers to find what is still falling back to NTLM. Either way, run gpupdate /force on the domain controllers (or wait for the policy refresh) before testing.

And an example of the error you might see when Kerberos is expected but not functioning.

Image: Microsoft Windows Network: A device attached to the system is not functioning
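As an added example that is not code from the original post, here is a PowerShell check you can run on a domain-joined client instead of (or before) denying NTLM domain-wide. It purges the client's ticket cache, touches the share, and then reads klist to see whether a cifs/ service ticket for the load-balanced name was actually obtained; if a ticket for a different name shows up, that is the name the SPN has to be registered for. The UNC path and the expected name are the post's lab values and are assumptions for any other environment.

```powershell
# Added example (not from the original post): confirm from a domain-joined
# client that access to the load-balanced share is using Kerberos.
# Assumed lab values from the post; change them for your environment.
$Unc      = '\\CDOTSVM01-LB.lab.domain\sharename'
$Expected = 'CDOTSVM01-LB.gslb.domain'    # name the HOST/ SPNs were registered for

# Start from an empty ticket cache so only tickets from this test are visible.
klist purge | Out-Null

# Touching the share forces an SMB session setup and therefore a TGS request.
$reachable = Test-Path -LiteralPath $Unc

# A CIFS service ticket appears in klist output as 'Server: cifs/<name> @ REALM'.
# The <name> is whatever the client asked the KDC for: that exact name must
# exist as an SPN on the CIFS server's machine account.
$cifsTickets = klist |
    Select-String -Pattern 'Server:\s+cifs/([^\s@]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $reachable) {
    Write-Warning "Could not reach $Unc"
} elseif ($cifsTickets -contains $Expected) {
    # -contains is case-insensitive, so klist's casing of the name does not matter
    Write-Host "Kerberos: service ticket for cifs/$Expected obtained"
} elseif ($cifsTickets) {
    Write-Warning ("Kerberos used, but for " + ($cifsTickets -join ', ') +
                   " rather than $Expected; register HOST/ SPNs for that name")
} else {
    Write-Warning "No cifs/ ticket in the cache: access fell back to NTLM (missing SPN?)"
}
```

Run it once before adding the SPNs and once after; the first run should end in the NTLM warning and the second in the Kerberos line. Because the check reads the client's own ticket cache it works against a NetApp CIFS server as well as a Windows file server, which is useful since the NetApp side has no Windows security event log to consult.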
Setspn Goodness

Checking for duplicate SPNs (add -f to search the whole forest rather than just the current domain):

DOS> setspn -x

Deleting SPNs:

DOS> setspn -d HOST/CDOTSVM01-LB.gslb.domain CDOTSVM01
DOS> setspn -d HOST/CDOTSVM01-LB CDOTSVM01
More SPNs

In this scenario, it might be worth setting SPNs also for every data LIF, to enable Kerberos if using/testing without the load balancer (each LIF name needs its own DNS A record as well, and the same duplicate check applies). For example:
DOS> setspn -a HOST/CDOTSVM01-LIF1.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF1 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF2.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF2 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF3.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF3 CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF4.gslb.domain CDOTSVM01
DOS> setspn -a HOST/CDOTSVM01-LIF4 CDOTSVM01
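As an added example, not code from the original post, the following PowerShell does the registration from the SPNs section and from this section in one idempotent pass, using the ActiveDirectory module in place of setspn. It builds the short and fully qualified HOST/ SPN for each alias (the load-balancer name and every LIF name), skips SPNs already on the account, refuses to add one that another object already holds (the condition setspn -x reports after the fact), and prints the final list. The account name and alias names are the post's lab values and are assumptions for any other environment; the module comes with RSAT.

```powershell
# Added example (not from the original post): register the HOST/ SPNs that
# Kerberos needs for every DNS name a client may use to reach the CIFS server.
# Requires the ActiveDirectory module (RSAT) and rights to edit the account.
Import-Module ActiveDirectory

# Assumed lab values from the post; change them for your environment.
$CifsAccount = 'CDOTSVM01'          # CIFS server machine account (sAMAccountName without $)
$Aliases = @(                        # every name clients might use besides the real FQDN
    'CDOTSVM01-LB.gslb.domain',
    'CDOTSVM01-LIF1.gslb.domain',
    'CDOTSVM01-LIF2.gslb.domain',
    'CDOTSVM01-LIF3.gslb.domain',
    'CDOTSVM01-LIF4.gslb.domain'
)

# Wanted SPN set: FQDN and short form of each alias, as the post does with setspn -a.
$Wanted = foreach ($fqdn in $Aliases) {
    $short = $fqdn.Split('.')[0]
    "HOST/$fqdn"
    "HOST/$short"
}

$computer = Get-ADComputer -Identity $CifsAccount -Properties servicePrincipalName
$existing = @($computer.servicePrincipalName)

foreach ($spn in $Wanted) {
    if ($existing -contains $spn) {
        Write-Host "present : $spn"
        continue
    }
    # Refuse to add an SPN that is already registered on a different object in
    # this domain (the same check setspn -s performs). A duplicate SPN leaves the
    # KDC unable to pick the right account and breaks Kerberos for both names.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner) {
        Write-Warning "DUPLICATE: $spn already on $($owner.DistinguishedName); not adding"
        continue
    }
    Set-ADComputer -Identity $CifsAccount -ServicePrincipalNames @{Add = $spn}
    Write-Host "added   : $spn"
}

# Final list on the account, equivalent to 'setspn -l CDOTSVM01'.
(Get-ADComputer -Identity $CifsAccount -Properties servicePrincipalName).servicePrincipalName |
    Sort-Object
```

Add -WhatIf to the Set-ADComputer call for a dry run, and use @{Remove = $spn} in place of @{Add = $spn} to undo a registration, which is the equivalent of the setspn -d commands above. The duplicate check only covers the current domain; for a multi-domain forest point Get-ADObject at a global catalog with -Server, or fall back to setspn -x -f.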
THE END