Reply

GSS-TSIG, Importing Keytab: "keys could not be assigned because they have different principal"

New Member
Posts: 6
1876     0

Greetings,

 

Does someone know what this error message means: "keys could not be assigned because they have different principal" .

 

Background we have sucessfully migrated Active-Directory DNS to Infoblox. MS-Admin wants to set up a new separate forest for testing. I have asked him to install the first DC, create user and export a keytab. Upon importing this keytab, the keys are uploaded okay, but I get the above error-message.

 

In "Manage GSS-TSIG" keys for productive AD-Zone (Principal "DNS/FQHN@ProdREALM" are assigned to member "Grid(DNS)", keys for testing AD (Principal "DNS/FQHN@TestREALM" are assigned to nothing and marked "not in use".

 

Am I doing something wrong here? Can I not assigne keytabs for more then one AD-zone on grid-level?

 

Thanks for any input.

Re: GSS-TSIG, Importing Keytab: "keys could not be assigned because they have different princip

New Member
Posts: 1
1876     0

This is a help document my team uses to create the keytab files.  Most important thing to remember is the CLI is case sensitive.  In my business the DNS Team and AD Team are two differnet groups.  We do not allow DES-CBC-CRC or DES-CBC-MD5 for security reasons.   I hope this helps.

 

KeyTab Generation Process

  • The process below describes how to create a KeyTab file that will be used by the DNS team to allow for dynamic registration using GSS-TSIG.
  • Obtain a DA account.
  • Ensure the DNS Team has created a service account for EACH of the DNS servers that will be Added/used by the domain. Example Example domain has twelve DNS servers and thus needs twelve service accounts.
  • Log into Front End server using a shared FE account.
  • Open a Dos prompt with RUNAS credentials of the DA account.
  • Update the Service accounts to use AES 128 and AES 256 encryption
    • Run the following commands for each Service account.
      • Set-ADUser <account name> -Replace @{“msDS-SupportedEncryptionTypes”=($encTypes -bor $AES256)}
      • Set-ADUser <account name> -Replace @{“msDS-SupportedEncryptionTypes”=($encTypes -bor $AES128)}
    • Open ADUC and verify that the settings have been changed.
    • This is required to allow all three Encryption keys to be used for TSIG account verification
  • Create a folder under c:\build called DNS or other location to store the keytabs temporarily.
  • Create the KeyTab creation command(s) using the below as a reference:
    • ktpass -princ DNS/<dns sever name>.dns.example.com@<ad domain>.example.COM -mapuser <account name>@<AD DOMAIN>EXAMPLE.COM -pass (passwordhere 15 char) -out c:\build\dns\<dns server name>.keytab -ptype krb5_nt_principal -crypto ALL
  • KEY ITEMS IN THIS COMMAND.
    • anything after the @ for UPN MUST BE CAPITAL.
    • DNS MUST BE CAPITAL
    • crypto ALL MUST BE CAPITAL DO NOT specify a specific Crypto type the DNS team will remove the two DES-CBC-CRC and DES-CBC-MD5 during keytab import. Infoblox will not work with multiple keytab versions for the same account.
    • Password will be a 15 char password following standards and will NOT BE SAVED or used by anyone.
    • OUT is to the path created above.
  • Zip and send the files to DNS team setting up the zone. You will delete this file once zone is tested and working.
  • To facilitate easy creation for many Servers or Domains create an xls file as follows
    • Column A – Account
    • Column B – DNS Server .FQDN
    • Column C – Domain FQDN IN ALL CAPPS
    • Column D – Password 15 Character
    • Column E – =CONCATENATE(“ktpass -princ DNS/”,C2,”@”,D2,” -mapuser “,B2,”@”,D2,” -pass “,E2,” -out c:\tools\dns\”,C2,”.keytab -ptype krb5_nt_principal -crypto ALL”)

DNS Team Configuration

  • GSS-TSIG are added to each box that is going to allow DDNS updates to happen.
  • KeyTabs are adding to each server.
  • The DES-CBC-CRC and  DES-CBC-MD5 are deleted. <optional>
  • KeyTabs are assigned.
  • Zone is set to allow GSS-TSIG signed updates under Updates.
  • Zone is set to allow GSS-TSIG signed updates to underscore zones under Active Directory.
  • DNS server is rebooted one at a time in the pair. (You must reboot for the keytab to work)
  • Testing is done by the AD team and DNS teams to ensure zone is working as expected. Registration of a Front End server and a DC is recommended.

Re: GSS-TSIG, Importing Keytab: "keys could not be assigned because they have different princip

New Member
Posts: 6
1877     0

Sorry, I did not see this in time. Thanks for weighing in.

 

We were able to resolve the problem by starting from scratch and asking the AD-admin (not me) to carefully follow the infoblox instructions. After this the new keytab was imported just fine. The reason for the problem remains unclear, the solution was "do exactly as instructed".

 

You are probably right, that the DES-keys should not be generated/used though.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You