Configuring Kerberos authentication¶
- this configuration is required when using the WAPT Enterprise version;
- indeed, without Kerberos authentication, you have to either trust the initial registration or enter a password for each workstation on initial registration;
- for more information, see Registering a machine with the WAPT Server and Signing inventory updates;
- Kerberos authentication is used only when registering the device;
Installing the Kerberos components¶
yum install krb5-workstation msktutil nginx-mod-http-auth-spnego
Edit the /etc/krb5.conf file and replace all its content with the following 4 lines, replacing MYDOMAIN.LAN with your Active Directory domain name (i.e.
default_realm must be written in ALL CAPS!
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = true
dns_lookup_realm = false
Retrieving a service keytab¶
Use the kinit and klist commands. You can use a Local Administrator account or any other account with the delegated right to join a computer to the domain (by default
In the shell transcript below, commands are in black and returned text is commented in light gray:
sudo kinit administrator
## Password for administrator@MYDOMAIN.LAN:
## Warning: Your password will expire in 277 days on lun. 17 sept. 2018 10:51:21 CEST
sudo klist
## Ticket cache: FILE:/tmp/krb5cc_0
## Default principal: administrator@MYDOMAIN.LAN
##
## Valid starting       Expires              Service principal
## 01/12/2017 16:49:31  02/12/2017 02:49:31  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
##     renew until 02/12/2017 16:49:27
If the authentication request is successful, you can then create your HTTP keytab with the msktutil command.
Be sure to replace the DOMAIN_CONTROLER string with the name of your domain controller (eg: srvads.mydomain.lan).
sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
sudo msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N
Be sure to have properly configured your WAPT Server hostname before running these commands: the HTTP service principal is created for $(hostname).
To double check your hostname, run echo $(hostname); it must return the name that the WAPT agents running on client workstations use to reach the server.
Finally, change the ownership and access rights on the keytab file so that only root and Nginx can read it.
sudo chown root:nginx /etc/nginx/http-krb5.keytab
sudo chmod 640 /etc/nginx/http-krb5.keytab
You can now use the post-configuration script to configure the WAPT Server to use Kerberos, so that your computers are automatically registered with the WAPT Server.
The post-configuration script configures Nginx and the WAPT Server to use Kerberos authentication.
This post-configuration script must be run as root.
/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos --force-https
Kerberos authentication is now configured.
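As an added example that is not part of the WAPT documentation or of the WAPT project itself, the POSIX shell script below checks the three things the procedure above depends on and that most commonly go wrong: that default_realm in krb5.conf is in ALL CAPS, that the keytab is readable only by root and nginx (root:nginx, mode 640), and that the keytab really contains an HTTP/<hostname> principal for the name the agents will use. It assumes the paths used above (/etc/krb5.conf and /etc/nginx/http-krb5.keytab), GNU coreutils stat, and the MIT klist; the klist output embedded in it is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not part of the WAPT documentation: post-setup checks for the
# Kerberos configuration built above. Assumed paths: /etc/krb5.conf and
# /etc/nginx/http-krb5.keytab (override with KRB5_CONF / HTTP_KEYTAB).

# realm_is_upper FILE: succeed if the default_realm in FILE is in ALL CAPS.
# Kerberos realm names are case-sensitive: MYDOMAIN.LAN and mydomain.lan are
# different realms, and the AD KDC only answers for the upper-case one.
realm_is_upper() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# keytab_perms_ok FILE [OWNER:GROUP] [MODE]: succeed if FILE is owned by
# OWNER:GROUP (default root:nginx) with exactly MODE (default 640), so only
# root and the nginx workers can read the service key. Uses GNU stat -c.
keytab_perms_ok() {
    want_owner=${2:-root:nginx}
    want_mode=${3:-640}
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U:%G %a' "$1")" = "$want_owner $want_mode" ]
}

# keytab_has_http_principal KLIST_OUTPUT HOST: succeed if the output of
# `klist -kt KEYTAB` lists an HTTP/HOST@... principal. The SPN must match the
# name the WAPT agents use to reach the server, otherwise SPNEGO negotiation fails.
keytab_has_http_principal() {
    printf '%s\n' "$1" | grep -qF "HTTP/$2@"
}

# Constructed sample of `klist -kt` output (not captured from a real server),
# used by the self-test below and by the test harness.
SAMPLE_KLIST='Keytab name: FILE:/etc/nginx/http-krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/01/2017 16:55:02 HTTP/wapt.mydomain.lan@MYDOMAIN.LAN'

# selftest: exercise the principal parser offline against the constructed sample.
selftest() {
    keytab_has_http_principal "$SAMPLE_KLIST" wapt.mydomain.lan || return 1
    if keytab_has_http_principal "$SAMPLE_KLIST" other.mydomain.lan; then return 1; fi
    return 0
}

# main: run all checks on the live system, one line per check, return 1 on any failure.
main() {
    conf=${KRB5_CONF:-/etc/krb5.conf}
    keytab=${HTTP_KEYTAB:-/etc/nginx/http-krb5.keytab}
    host=$(hostname)
    rc=0
    if realm_is_upper "$conf"; then echo "ok   default_realm in $conf is upper case"
    else echo "FAIL default_realm in $conf is missing or not upper case"; rc=1; fi
    if keytab_perms_ok "$keytab"; then echo "ok   $keytab is root:nginx 640"
    else echo "FAIL $keytab should be owned by root:nginx with mode 640"; rc=1; fi
    if keytab_has_http_principal "$(klist -kt "$keytab" 2>/dev/null)" "$host"; then
        echo "ok   $keytab contains HTTP/$host"
    else echo "FAIL $keytab has no HTTP/$host principal (check hostname and msktutil --host)"; rc=1; fi
    return $rc
}

# Run the live checks only when invoked as: sudo sh krb-check.sh run
case "${1:-}" in run) main ;; esac
```

Run it as root after the postconf step (`sudo sh krb-check.sh run`): klist -kt needs read access to the keytab, and a FAIL on the HTTP principal line almost always means the hostname at msktutil time differed from the name the agents resolve.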
The post-configuration script generates a self-signed certificate. If you prefer, you may replace it with a commercial certificate or a certificate issued by a trusted internal Certificate Authority by following this documentation.
Otherwise, go on directly to the next step to install the WAPT console.