...

```text
kdc.example.com.              1800 IN AAAA  ::ffff:1.2.3.4
kdc.example.com.              1800 IN A     1.2.3.4
_kerberos._tcp.example.com.        IN SRV   10 0 88 kdc.example.com.
_kerberos._udp.example.com.        IN SRV   10 0 88 kdc.example.com.
```

Warning: there MUST be an IPv6 AAAA entry - iPhone requires it to work correctly.

Info: the AAAA entry may have to be entered in hexadecimal IPv6 notation, i.e. ::ffff:102:304 for 1.2.3.4 (the same IPv4-mapped address written with hex groups instead of the dotted quad).

A web tool such as https://www.ultratools.com/tools/ipv4toipv6 can do the conversion.

Troubleshooting DNS records

To test the DNS settings, use the dig command (built in on macOS and Linux) or nslookup on Windows.

...

```bash
dig SRV _kerberos._tcp.example.com
dig SRV _kerberos._udp.example.com

# To query a specific name server with dig, prefix it with @:
dig @ns1.no-ip.com SRV _kerberos._tcp.example.com
```

Checking DNS entries with tools

Use Google Toolbox to check the SRV entries:

https://toolbox.googleapps.com/apps/dig/#SRV/_kerberos._tcp.example.com

The result must contain a line of the form:

```text
;ANSWER
_kerberos._tcp.example.com. 3599 IN SRV 10 0 88 krb.example.com.
```

Use nc (netcat) to check that UDP port 88 on the KDC is reachable. For UDP, "succeeded" only means that no ICMP port-unreachable message came back; it does not prove that the KDC itself answered:

```bash
nc -u -z kdc.example.com 88

# Answer:
#> Connection to kdc.example.com port 88 [udp/kerberos] succeeded!
```

Use nslookup to check the SRV entries:

```bash
nslookup -q=srv _kerberos._tcp.vmwareidentity.eu
Server:		10.26.28.233
Address:	10.26.28.233#53

Non-authoritative answer:
_kerberos._tcp.vmwareidentity.eu	service = 10 0 88 kdc.vmwareidentity.eu.
```
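The record set and the checks above can be scripted. The following is an added example (not code from the original page or from the CloudKDC project): it generates the four records a realm needs, computing the IPv4-mapped AAAA address in both spellings so no web tool is required, and it parses the ANSWER section of dig or Google Toolbox output to verify that the SRV records point at port 88 with an absolute target name. The function names, the sample answer and the hostnames are my own constructions.

```python
"""Generate KDC DNS records and sanity-check SRV answers from dig or the Google Toolbox.
Added example: names, addresses and the sample output below are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

KERBEROS_PORT = 88


def ipv4_mapped_aaaa(ipv4: str) -> Tuple[str, str]:
    """Return the IPv4-mapped IPv6 address for an IPv4 literal in both spellings:
    the dotted form (::ffff:1.2.3.4) and the pure-hex form (::ffff:102:304) that
    some zone editors insist on. Raises ValueError on a malformed address."""
    addr = ipaddress.IPv4Address(ipv4)
    n = int(addr)
    return f"::ffff:{addr}", f"::ffff:{n >> 16:x}:{n & 0xFFFF:x}"


def kdc_zone_records(domain: str, kdc_host: str, ipv4: str, ttl: int = 1800,
                     priority: int = 10, weight: int = 0) -> List[str]:
    """Build the AAAA (required by iOS), A and _kerberos SRV records for TCP and UDP,
    all with absolute (dot-terminated) names."""
    dotted, _ = ipv4_mapped_aaaa(ipv4)
    host = kdc_host.rstrip(".") + "."
    srv = f"IN SRV {priority} {weight} {KERBEROS_PORT} {host}"
    return [
        f"{host} {ttl} IN AAAA {dotted}",
        f"{host} {ttl} IN A {ipv4}",
        f"_kerberos._tcp.{domain}. {ttl} {srv}",
        f"_kerberos._udp.{domain}. {ttl} {srv}",
    ]


# One SRV answer line as printed by dig (tab separated) or the Google Toolbox.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_answers(output: str) -> List[Dict[str, object]]:
    """Extract SRV records from the ANSWER section of dig-style output.
    dig prints ';; ANSWER SECTION:', the Google Toolbox prints ';ANSWER'."""
    records: List[Dict[str, object]] = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            # Any other comment line (question, authority, stats) ends the answer section.
            in_answer = line.upper().startswith((";ANSWER", ";; ANSWER"))
            continue
        m = SRV_LINE.match(line)
        if in_answer and m:
            rec: Dict[str, object] = dict(m.groupdict())
            for key in ("ttl", "priority", "weight", "port"):
                rec[key] = int(str(rec[key]))
            records.append(rec)
    return records


def check_kerberos_srv(records: List[Dict[str, object]]) -> List[str]:
    """Return a list of problems; an empty list means the SRV answer looks usable."""
    problems: List[str] = []
    if not records:
        problems.append("no SRV records in ANSWER section (record missing or name misspelled)")
    for rec in records:
        if rec["port"] != KERBEROS_PORT:
            problems.append(f"{rec['name']} points at port {rec['port']}, expected {KERBEROS_PORT}")
        if not str(rec["target"]).endswith("."):
            problems.append(f"{rec['name']} target {rec['target']} is not an absolute name")
    return problems


# Constructed sample in the Google Toolbox format shown above.
SAMPLE_ANSWER = """;ANSWER
_kerberos._tcp.example.com. 3599 IN SRV 10 0 88 krb.example.com.
"""

if __name__ == "__main__":
    print("\n".join(kdc_zone_records("example.com", "kdc.example.com", "1.2.3.4")))
    print(check_kerberos_srv(parse_srv_answers(SAMPLE_ANSWER)) or "SRV records OK")
```

Pipe real output in with `dig SRV _kerberos._tcp.example.com | python3 check.py` after replacing the `__main__` block with a read from `sys.stdin`; the parser accepts both the tab-separated dig layout and the single-space Google Toolbox layout.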

Certificates

CA Requirements (including CloudKDC)

Client certificates

Key Usage

The client certificate must have a Key Usage field of Digital Signature and Key Encipherment. 

Extended Key Usage

The client certificate must have the EKU id-pkekuoid (1.3.6.1.5.2.3.4, named id-pkinit-KPClientAuth in RFC 4556) set. iOS devices report this EKU as "Kerberos Client Authentication". The certificate may optionally have the OCSPSigning EKU if OCSP revocation checking is enabled.

Subject Alternative Names

In addition to the Kerberos-defined SAN format (a sequence of the principal name and the realm name), the CloudKDC KDC server accepts a SAN in any of the following formats. In the lines below, user1, user2, domain1.com and domain2.com stand for the actual values; everything else is verbatim. Spaces are added for clarity.


```text
subjectAltName = email : user1
subjectAltName = email : user1@domain1.com
subjectAltname = otherName : 1.3.6.1.4.1.311.20.2.3;UTF8 : user2
subjectAltname = otherName : 1.3.6.1.4.1.311.20.2.3;UTF8 : user2@domain2.com
```

NOTE 1: The OID value "1.3.6.1.4.1.311.20.2.3" is the standard OID for "User Principal Name" (see http://www.oid-info.com/get/1.3.6.1.4.1.311.20.2.3)

NOTE 2: The CloudKDC KDC server will match a SAN value with the client principal even when the SAN value contains no realm name (which it will not, if supplied by Airwatch). This is non-standard Kerberos behavior, but required for CloudKDC.

For reference, the Kerberos-defined format for SAN is given below, although Airwatch is unlikely to support it and ADCS does not. The principal is stored in a SubjectAltName in the certificate using OtherName. The OID in the type is id-pkinit-san.

```asn1
id-pkinit-san OBJECT IDENTIFIER ::= { iso (1) org (3) dod (6) internet (1) security (5) kerberosv5 (2) 2 }
```

The data part of the OtherName is filled with the following DER encoded ASN.1 structure:

```asn1
KRB5PrincipalName ::= SEQUENCE {
    realm         [0] Realm,
    principalName [1] PrincipalName
}
```
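To show what that DER structure actually looks like on the wire, here is an added example (not code from the page or from the CloudKDC project) that encodes and decodes a KRB5PrincipalName. It follows the ASN.1 above plus RFC 4120's definitions of Realm (a KerberosString, i.e. GeneralString) and PrincipalName (name-type Int32 and a SEQUENCE OF KerberosString), with the EXPLICIT context tagging the Kerberos module uses. The helper names are my own; the realm and principal are constructed.

```python
"""DER-encode and decode the KRB5PrincipalName carried in a PKINIT SAN (RFC 4556),
using the EXPLICIT context tags of the Kerberos ASN.1 module (RFC 4120).
Added example; helper names are the author's own."""
from typing import List, Tuple

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # OID of the otherName type, as given above
NT_PRINCIPAL = 1                  # name-type for ordinary user principals (RFC 4120)

TAG_INTEGER, TAG_GENERALSTRING, TAG_SEQUENCE = 0x02, 0x1B, 0x30


def _der_length(n: int) -> bytes:
    """Definite-length DER encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _explicit(n: int, inner: bytes) -> bytes:
    """[n] EXPLICIT: constructed context-specific tag wrapping the complete inner TLV."""
    return _tlv(0xA0 | n, inner)


def _kerberos_string(s: str) -> bytes:
    return _tlv(TAG_GENERALSTRING, s.encode("ascii"))   # KerberosString ::= GeneralString


def _int32(v: int) -> bytes:
    size = max(1, (v.bit_length() + 8) // 8)   # spare bit keeps positive values positive
    return _tlv(TAG_INTEGER, v.to_bytes(size, "big", signed=True))


def encode_krb5_principal_name(realm: str, name_string: List[str],
                               name_type: int = NT_PRINCIPAL) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    names = _tlv(TAG_SEQUENCE, b"".join(_kerberos_string(p) for p in name_string))
    principal_name = _tlv(TAG_SEQUENCE, _explicit(0, _int32(name_type)) + _explicit(1, names))
    return _tlv(TAG_SEQUENCE, _explicit(0, _kerberos_string(realm)) + _explicit(1, principal_name))


def _read_tlv(buf: bytes, pos: int, expect: int) -> Tuple[bytes, int]:
    """Read one TLV at pos, insist on the expected tag, return (body, position after it)."""
    if buf[pos] != expect:
        raise ValueError(f"tag 0x{buf[pos]:02x} at offset {pos}, expected 0x{expect:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der: bytes) -> Tuple[str, int, List[str]]:
    """Inverse of encode_krb5_principal_name; rejects any unexpected tag."""
    outer, _ = _read_tlv(der, 0, TAG_SEQUENCE)
    realm_ctx, pos = _read_tlv(outer, 0, 0xA0)
    realm, _ = _read_tlv(realm_ctx, 0, TAG_GENERALSTRING)
    pn_ctx, _ = _read_tlv(outer, pos, 0xA1)
    pn, _ = _read_tlv(pn_ctx, 0, TAG_SEQUENCE)
    nt_ctx, pos = _read_tlv(pn, 0, 0xA0)
    nt, _ = _read_tlv(nt_ctx, 0, TAG_INTEGER)
    ns_ctx, _ = _read_tlv(pn, pos, 0xA1)
    ns, _ = _read_tlv(ns_ctx, 0, TAG_SEQUENCE)
    parts: List[str] = []
    pos = 0
    while pos < len(ns):
        s, pos = _read_tlv(ns, pos, TAG_GENERALSTRING)
        parts.append(s.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), parts


if __name__ == "__main__":
    der = encode_krb5_principal_name("EXAMPLE.COM", ["user1"])
    print(der.hex())                       # the bytes that go into the otherName value
    print(decode_krb5_principal_name(der))  # ('EXAMPLE.COM', 1, ['user1'])
```

The decoder is deliberately strict about tags: a KDC that accepts loosely encoded SAN values is harder to reason about, so mirroring that strictness in test tooling catches malformed certificates before they reach production.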

Required Matching

Kerberos principal must “match” certificate Subject Alternative Name (SAN)

Identity Manager user must be able to be located based on derived Kerberos principal:

principal-name#[tenant-list]#[uuid]#[name-format]#[name-value]@realm

  • Kerberos Principal / RFC 4556 SAN (rare)
  • Match with UPN SAN name (ignore @domain part of SAN)
  • Match with EMAIL SAN username (ignore @domain)

SAN Matching (part of certificate validation in KDC)

  • Exact match with

Derived Kerberos Principal / User Matching (part of federation broker in IDM)

  • With UPN SAN that has @, then UPN in IDM is used (name-format = “upn”)
  • Else, if EMAIL SAN, then email in IDM is used (name-format = “email”)
  • Else Kerberos principal is matched with username in IDM (name-format = “”)
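The matching rules above are easy to get subtly wrong (for instance, treating a UPN without "@" as a UPN match), so here they are written out as an added example that is not code from the page or from the CloudKDC/Identity Manager products. `San`, `san_matches_principal`, `select_name_format` and `derive_idm_principal` are my own names; the tenant-list and uuid fields of the derived principal are passed in as opaque strings because the page does not define their contents, and the certificates at the bottom are constructed to mirror the SAN forms listed earlier.

```python
"""SAN-to-principal matching as described on the page: the KDC-side check that a SAN
matches the client principal, and the IDM-side choice of name-format.
Added example; class and function names are the author's own."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # User Principal Name otherName (from the page)
PKINIT_SAN_OID = "1.3.6.1.5.2.2"     # id-pkinit-san otherName (from the page)


@dataclass(frozen=True)
class San:
    kind: str                    # "pkinit", "upn" or "email"
    value: str                   # pkinit: principal name; upn/email: "user" or "user@domain"
    realm: Optional[str] = None  # only meaningful for pkinit


def san_matches_principal(san: San, principal: str, realm: str) -> bool:
    """KDC side. A PKINIT SAN must match principal and realm exactly; UPN and EMAIL
    SANs are compared on the part before '@' only (the realm-less match of NOTE 2)."""
    if san.kind == "pkinit":
        return san.value == principal and (san.realm is None or san.realm == realm)
    if san.kind in ("upn", "email"):
        return san.value.split("@", 1)[0] == principal
    return False


def select_name_format(sans: List[San], principal: str, realm: str) -> Tuple[str, str]:
    """IDM side precedence: a matching UPN SAN that contains '@' -> ("upn", upn);
    else a matching EMAIL SAN -> ("email", email); else ("", principal), meaning
    the Kerberos principal is matched against the IDM username."""
    matching = [s for s in sans if san_matches_principal(s, principal, realm)]
    for s in matching:
        if s.kind == "upn" and "@" in s.value:
            return "upn", s.value
    for s in matching:
        if s.kind == "email":
            return "email", s.value
    return "", principal


def derive_idm_principal(principal: str, realm: str, sans: List[San],
                         tenant_list: str, uuid: str) -> str:
    """principal-name#[tenant-list]#[uuid]#[name-format]#[name-value]@realm, as on the page.
    Raises when no SAN matches, which is where the KDC would reject the certificate."""
    if not any(san_matches_principal(s, principal, realm) for s in sans):
        raise ValueError(f"no SAN in certificate matches principal {principal!r}")
    name_format, name_value = select_name_format(sans, principal, realm)
    return f"{principal}#{tenant_list}#{uuid}#{name_format}#{name_value}@{realm}"


# Constructed SAN lists, one per certificate, mirroring the SAN forms listed on the page.
AIRWATCH_UPN = [San("upn", "user2@domain2.com")]        # otherName UPN with a domain
EMAIL_ONLY = [San("email", "user1")]                    # rfc822Name without a domain
BARE_UPN = [San("upn", "user2")]                        # UPN without '@': falls through

if __name__ == "__main__":
    for cert in (AIRWATCH_UPN, EMAIL_ONLY, BARE_UPN):
        user = cert[0].value.split("@", 1)[0]
        print(derive_idm_principal(user, "EXAMPLE.COM", cert, "tenantA", "0000-constructed"))
```

Because UPN and EMAIL SANs are matched with the domain part ignored, two certificates for `user1@domain1.com` and `user1@domain2.com` both satisfy the KDC for principal `user1`; the issuing CA's control over who can obtain a certificate with a given user part is therefore what actually binds the identity.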

Server Certificates

Configure the Microsoft CA to accept a Subject Alternative Name (SAN) passed as a request attribute. Note that this flag is CA-wide: once set, any principal permitted to enroll can specify an arbitrary SAN in a request for any template, so keep enrollment permissions on this CA tight.

```powershell
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
```

...