I managed to set up Kerberos authentication for 1 server and it is up and running OK. Now I have a project where I have to add another server to the Kerberos configuration as follows:
1) AD server
2) server1 where service is running
3) server2 where same service will be running
so I executed the setspn command to assign both to a single "spn" user:
setspn -s serviceX/[email protected] spn
setspn -s serviceX/[email protected] spn
Then I executed the command ktpass:
ktpass -princ serviceX/[email protected] -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -mapuser serviceX\spn -out C:\keytab +rndPass
What should I do next to make it work? How to execute ktpass for server2? When I tried same command for server2 I'm getting Warning:
Warning: Failed to set UPN serviceX/server2.domain.com ptype 1 vno 10 etype 0x12 kinits to "serviceX/server2.domain.com" will fail.
How do you guys setup kerberos authentication for same service but on different servers? Do you create 2 spn users and 2 keytabs? I think I need to have everything in 1 keytab as the service requires it. Any help?
You can run serviceX on the two different servers using the same keytab by using an SPN tied to a user account in the Directory rather than to each of the servers. To do this, you tie the SPN to a virtual server name (aka a "VIP") instead of a real one. We do this all the time at my current organization. So since the SPN would use a virtual server name in DNS, you just configure the load-balancer to send any queries for that virtual name to the real servers behind it "answering" to that name. So in this case, instead of worrying about having unique keytabs for both server1 and server2, you just create one keytab for what I'll refer to as server-vip, and then copy that same keytab to both servers. If you don't have a load balancer then you can do this just using DNS round robin. So the below example would be your new keytab creation syntax; notice how only one thing changes. Another reason why this is good is because it is resilient to server changes. When you eventually decommission server1 and server2, you can easily just copy the keytab to server3 and server4 when that day comes.
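The procedure the answer describes (register one SPN for a virtual name on the service account, run ktpass once, copy the resulting keytab to every real host) as an added PowerShell example; it is not code from the question or the answer. The domain DOMAIN.COM, the NetBIOS name DOMAIN, the account name spn, the virtual name server-vip.domain.com and the keytab path are assumptions. It adds a duplicate-SPN check up front, because the "Failed to set UPN" warning in the question is what ktpass reports when a second principal is mapped onto an account that already carries a UPN from the first run; with a single virtual name ktpass runs only once per account.

```powershell
# Added example: one keytab for a virtual service name shared by two real hosts.
# Assumptions (not from the original post): service account "spn" in DOMAIN.COM,
# virtual name server-vip.domain.com, real hosts reached through that name via a
# load balancer or DNS round robin.
$Domain     = 'DOMAIN.COM'
$NetbiosDom = 'DOMAIN'
$Account    = 'spn'
$VipFqdn    = 'server-vip.domain.com'
$Spn        = "serviceX/$VipFqdn"
$KeytabPath = 'C:\serviceX-vip.keytab'

# 1. Stop if the SPN is already registered anywhere in the forest. Duplicate SPNs
#    make the KDC pick an arbitrary account and break authentication silently;
#    setspn -Q only reports, it never changes anything.
$query = & setspn.exe -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered: $($query -join ' ')"
}

# 2. Register the SPN on the service account. -S (unlike -A) checks for
#    duplicates before writing.
& setspn.exe -S $Spn "$NetbiosDom\$Account"

# 3. Create exactly one keytab for the virtual name. +rndPass resets the account
#    password, so any older keytab for this account stops working (kvno goes up);
#    this is why the same file must be copied to every real host afterwards.
& ktpass.exe -princ "$Spn@$Domain" -mapuser "$NetbiosDom\$Account" `
    -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out $KeytabPath +rndPass

# 4. Confirm the account carries the SPN and record the key version number, so a
#    stale copy on one host can be spotted later by comparing kvno values.
$acct = Get-ADUser -Identity $Account -Properties servicePrincipalName, msDS-KeyVersionNumber
$acct.servicePrincipalName
"kvno on account $Account : $($acct.'msDS-KeyVersionNumber')"

# 5. Check that the virtual name resolves to the real servers that will hold the
#    keytab; a VIP that points elsewhere yields tickets no host can decrypt.
Resolve-DnsName -Name $VipFqdn -Type A | Select-Object Name, IPAddress
```

Run this once, as a user allowed to write servicePrincipalName on the account, then copy the single keytab file to every host behind the virtual name; do not run ktpass again per host, since each +rndPass run invalidates the copies already deployed.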