Setting up Kerberos can be tough -- from an organizational standpoint as well as a technical standpoint. The Three-Headed Dog (THD) is here to simplify the process by taking the guesswork out of the syntax. THD will use smart defaults and validate the inputs to make sure you're on the right track.
Prerequisites: Requires .NET Framework 4.5
NOTE: This tool is NOT supported by Support in any way. Do not contact them for help with problems.
NOTE: This tool makes a call to "mcafee.tangomark.com", this domain is owned by the Technical Marketing Team and is used for version checks.
For version 1.0, there are two use cases 1) Creation and 2) Maintenance.
For those setting up Kerberos for the first time, we help you get the syntax right on the first try. Once you have the Syntax, you can pass the commands to your Active Directory Administrator for them to modify as needed.
For those who've already got Kerberos setup and working, you may need to maintain your AD user account by adding or removing SPNs. Additionally, quickly reviewing the user account information is important (like getting the Key Version info).
Search for Existing Accounts
The search option allows you to look up accounts in Active Directory and review their Kerberos attributes.
Adding an SPN
To add an SPN, type the FQDN into the text box next to the "Add SPN" button. Click the"Add SPN" button and syntax will be generated to add the SPN to the given user account.
Delete an SPN
To delete an SPN, select an SPN from the list generated above, and click the button for "Remove SPN". This will generate syntax for removing the given SPN from the given user account.
If Java is installed on the workstation, THD will use the built-in Keytab viewer tool (klist.exe) to display information about a given keytab. If Java is not installed, this option will not be available.
Ktutil is a Linux package (installed on Secure Web Gateway by running -- yum install krb5-workstation) that allows you to create and modify keytab files. The Ktutil Commands tab will output the necessary commands to regenerate a given keytab from scratch. It reads the processed keytab and also allows you to add any SPNs to the keytab, should you need to (like for RCMD additions).
(Optional) Groups Export is a feature intended for deployments where the Secure Web Gateway does not have a connection to directory resources. With Kerberos, the ticket presented by the workstation includes the Group IDs (not Group Names), so a directory connection is required to map or lookup the actual Group Names. With the Groups Export feature in THD, it can export a "Map" list of Group IDs to Group Names. This Map list can be used in the Secure Web Gateway to substitute for a directory connection.
Searching for Groups
When searching for groups, you should search for groups that are used for Internet Filtering as some domains may include tens of thousands of groups. The search option in the Groups Export allows for pipe delimited searches (e.g., Internet|WebFilter|Executives).
Exporting or Uploading to Secure Web Gateway
To Export the Groups, there is two options:
- Export to .lists File.
- Upload directly to Secure Web Gateway via the REST API.
Importing the to .lists File
To Import the .lists file into Secure Web Gateway, go to Policy > Lists, then click the Import...button.
Uploading via REST API
To Upload using the REST API, you must make sure that the REST interface is enabled on the Secure Web Gateway and you must fill in your credentials in THD under Settings > Web Gateway REST API.
Using the Groups Export in the Rules
Once you have imported the Groups Export into the Secure Web Gateway, we need rules that will actually use it. Attached are rules [Translate Group IDs to Name] that will accomplish this need. The rules will first filter out any Group IDs not in the Mapping list, then build a dictionary and regex based on the Group IDs and Group Names in the mapping list, and finally, the Group IDs will be converted to Group Names. In the examples below, I (jon.scholten) am apart of the "Internet Relaxed" group. As such all Group IDs are filtered away and only the Group Name "Internet Relaxed" remains.
The settings in THD allow you to target a new domain and use different domain credentials. This is useful if you aren't logged into the domain you're generating the keytab for.
The directory settings will default to using the logged in workstation's domain and user.
Custom settings can be used if you are attempting to setup Kerberos for a domain different from what your workstation is attached to. When a custom domain is specified, the "Creation" tab's inputs are updated to reflect the domain change.
This is my first C# project from scratch so there might be some exceptions here and there. If you find any that are show stoppers, please let me know. Overall most of the functionality should be pretty solid.