Escolar Documentos
Profissional Documentos
Cultura Documentos
Good DynamicsTM
Legal Notice
This document, as well as all accompanying documents for this product, is published by Good Technology Corporation
(Good). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property
rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way
imply any license to these or other intellectual properties, except as expressly provided in written license agreements with
Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold,
reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for
any purpose, other than the purchasers authorized use without the express written permission of Good. Any unauthorized
copying, distribution or disclosure of information is a violation of copyright laws.
While every effort has been made to ensure technical accuracy, information in this document is subject to change without
notice and does not represent a commitment on the part of Good. The software described in this document is furnished
under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the
terms of those written agreements.
The documentation provided is subject to change at Goods sole discretion without notice. It is your responsibility to utilize
the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that
you check frequently for new versions. This documentation is provided as is and Good assumes no liability for the
accuracy or completeness of the content. The content of this document may contain information regarding Goods future
plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good
creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all
theories of contract, detrimental reliance and/or promissory estoppel or similar theories.
Legal Information
Copyright 2016. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD
TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL,
GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD
VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All
third-party technology products are protected by issued and pending U.S. and foreign patents.
KCD
Table of Contents
Revision History
Video Tutorials
10
10
10
12
12
18
18
24
24
26
Step 1: Map the Good Control (GC) Service Account to a Service Principal Name (SPN)
26
KCD
13
28
28
29
31
Step 5: Enable the GC service account to act as part of the operating system
31
32
32
33
ConfigurationSteps
36
37
37
38
39
39
KCD
41
Revision History
Revision History
Kerberos Constrained Delegation
Date
Description
2016-01-15
2015-12-23
2015-12-01
Corrected port number in DNS for GC and GP in Separate Domains, Kerberos vs. KCD : port
88, not 5060
2015-11-10
Added note about the need to set up a Service Principal Name if you use DNS aliases in Step
3: Configure constrained delegation for the GC service account
2015-11-05
Emphasized the need for identical KCD configuration on all GC servers in a cluster in About
GD Clustering: Identical KCD Config on All GCs
2015-10-07
Corrected formerly missing link to Example krb5.conf Files for CAPATH Trust
2015-08-19
2015-07-22
2015-07-21
2015-07-09
Clarified necessities for SQL Database Account for Multi-Realm KCD Configuration : not db_
owner rights, but the actual owner of the database.
2015-05-19
Added a discussion of DNS setup needed when the GP is installed in a domain separate
from the GC. See Domains, Realms, Forests, Trusts, and GC and GP:Topologies .
2015-05-18
2015-05-11
Removed erroneous statement that the GC and GP must be installed in the same domain.
For normal Kerberos this is a requirement, but for KCD it is not needed.
2015-03-23
2015-03-03
In Concepts and Steps for a Typical KCD Single Realm Installation , for the setspn command,
clarified that some versions of Windows Server might need the -s option instead of the -a
option.
2015-01-23
Clarified the need for Good Control servers in resource realms. See Domains, Realms,
Forests, Trusts, and GC and GP:Topologies .
2015-01-15
Updated for latest release: support for multiple Kerberos realms and forests.
KCD
Revision History
Date
Description
2014-12-16
2014-11-04
2014-10-13
Clarified the meaning of target: the host name or user name to be protected by KCD.
2014-10-07
2014-09-25
2014-08-21
2014-08-13
Interaction diagram redrawn. "Foo" as name for protected server eliminated; this is the
target host, the host to be protected by Kerberos.
2014-08-12
Added note: If you have clustered your GCs, you must must run the setspn command for and
copy the keytab file to every machine in the cluster.
2014-08-11
KCD
Active Directory (AD) Server the directory service that authenticates and authorizes all users and
computers associated with your Windows network.
Kerberos Key Distribution Center (KDC) the authentication service on the AD server that supplies session
tickets and keys to users and computers in the Active Directory domain.
AD Support Tools additional tools that are used to configure, manage, and debug AD.
Video Tutorials
There are helpful video tutorials about configuring single-ream and multi-realm KCD:
KCD
Single-realm: https://community.good.com/videos/1443
Multi-realm: https://community.good.com/videos/1474
User impersonation is the Kerberos term for the configurations discussed in this document. Because the user
never presents any credentials in this configuration, but instead relies on the Active Directory and Kerberos
systems for authentication, the user is technically "impersonated." (User impersonation is technically distinct
from Kerberos resource delegation.)
REALM is the Kerberos term for a collection of "entities," either user realms or resource realms, which are any
realm other than a user realm. When entered on Kerberos command lines, the REALM name must always be in
uppercase.
Domain in this context means "directory service domain", most frequently from Active Directory.
The terms realm and domain are conceptually equivalent in KCD. The relationship is as follows:
1 Kerberos realm : n Good Control server : n Good Proxy
There must be a minimum of one Good Control server for each Kerberos realm. The GC must still reside in the
same Kerberos realm as the resource because cross-realm resource delegation is not supported. In addition, you
must ensure that all Good Proxy servers and clusters can communicate with all other GC and GP servers that you
intend to configuration for multi-realm KCD. Other requirements for multi-realm and forest topologies are
detailed below.
KCD
Version
Good Control
2.2.511.9
Good Proxy
2.2.511.3
2.1.1256
2.1.4439
Android
2.3.0.106
iOS
2.3.0.161
GDPhoneGap
2.1.57
Android
2.0.156
iOS
2.0.183
If in doubt about the exact version number of a product, check the Good Developer Network for the latest
release.
KCD
There must be a minimum of one Good Control server for each Kerberos realm. The GC must still reside in the
same Kerberos realm as the resource because cross-realm resource delegation is not supported. In addition, you
must ensure that all Good Proxy servers and clusters can communicate with all other GC and GP servers that you
intend to configuration for multi-realm KCD. Other requirements for multi-realm and forest topologies are
detailed below.
KCD
10
1. An application makes a request an internal server or service. We call this the target.
The target can be either a host name (server name) or an account that is to be protected by Kerberos/GD. For
instance, if you are running IIS on a server as the Network service, then the target is the computer running IIS
as Network. On the other hand, if you run IIS as an actual user (for instance, IISSrvUser), then target is that
user name, IISSrvUser.
Thus, if you have 1,000 IIS servers running as Network service, target is the names of those 1,000 machines.
But if you run IIS as a user on those 1,000 machines, then target is the name of that user.
Another example is WebSphere, in which case target is the Kerberos user name of the WebSphere service.
2. The target replies with an authentication challenge that the GD Runtime intercepts.
3. The GD Runtime sends a request to GC for a service ticket to access the target.
4. GC authenticates the user/container (via internal GD protocols) and asks for a service ticket on behalf of the
user (this is delegation) for the service on the target host.
5. Active Directory (AD) checks its local policy. Then (a) if the user has permission to access the resource on the
target host and (b) if the resource on the target host is allowed (this is constrained), AD returns to Good
Control a service ticket for the resource.
6. Good Control sends the necessary information from the returned service ticket to the GD Runtime.
7. The GD Runtime uses the information from GC to complete the authentication to the target host.
KCD
11
requests, not the GC, and the request is passed through (egress)the GP. This means that the GP needs to be
able to discover the name of Kerberos domain controller (server). In your Domain Name System (DNS), you
need to add an SRV record specifying the Kerberos service that enables this discovery. This SRV record must
be associated with an A or AAAA record, not a CNAME record. The syntax below is for a Kerberos domain
controller in an Internet domain named example.com:
KCD
SQLDatabase
If you are using Microsoft
SQL Server in the multirealm configuration,
make sure of the
following:
KCD
l
Ensure that
Forests
l
single realm
bidirectional,
KCD is working
transitive forest
before
trust.
configuring
12
Good Control
l
SQLDatabase
KCD
Forests
multi-realm
KCD.
domain is between
account.
Ensure that
target resources
are properly
must be transitive.
of the database.
configured for
KCD .
If a Kerberos
realm KCD
configuration must
use that same SQL
account.
KCD
13
2. Verification of the Good Control and Good Proxy connections to the parent domain, POD1.com
KCD
14
3. The logical layout of the multi-realm, single-forest configuration, with GC/GP servers
KCD
15
KCD
16
KCD
17
requests, not the GC, and the request is passed through (egress)the GP. This means that the GP needs to be
able to discover the name of Kerberos domain controller (server). In your Domain Name System (DNS), you
need to add an SRV record specifying the Kerberos service that enables this discovery. This SRV record must
be associated with an A or AAAA record, not a CNAME record. The syntax below is for a Kerberos domain
controller in an Internet domain named example.com:
KCD
SQLDatabase
If you are using Microsoft
SQL Server in the multirealm configuration,
make sure of the
following:
KCD
l
Ensure that
Forests
l
single realm
bidirectional,
KCD is working
transitive forest
before
trust.
configuring
18
Good Control
l
SQLDatabase
KCD
Forests
multi-realm
KCD.
domain is between
account.
Ensure that
target resources
are properly
must be transitive.
of the database.
configured for
KCD .
If a Kerberos
realm KCD
configuration must
use that same SQL
account.
KCD
19
2. Verification of the Good Control and Good Proxy connections to the parent domain, POD1.com
KCD
20
3. The logical layout of the multi-realm, single-forest configuration, with GC/GP servers
KCD
21
KCD
22
KCD
23
KCD
24
1. An application makes a request an internal server or service. We call this the target.
The target can be either a host name (server name) or an account that is to be protected by Kerberos/GD. For
instance, if you are running IIS on a server as the Network service, then the target is the computer running IIS
as Network. On the other hand, if you run IIS as an actual user (for instance, IISSrvUser), then target is that
user name, IISSrvUser.
Thus, if you have 1,000 IIS servers running as Network service, target is the names of those 1,000 machines.
But if you run IIS as a user on those 1,000 machines, then target is the name of that user.
Another example is WebSphere, in which case target is the Kerberos user name of the WebSphere service.
2. The target replies with an authentication challenge that the GD Runtime intercepts.
3. The GD Runtime sends a request to GC for a service ticket to access the target.
4. GC authenticates the user/container (via internal GD protocols) and asks for a service ticket on behalf of the
user (this is delegation) for the service on the target host.
5. Active Directory (AD) checks its local policy. Then (a) if the user has permission to access the resource on the
target host and (b) if the resource on the target host is allowed (this is constrained), AD returns to Good
Control a service ticket for the resource.
6. Good Control sends the necessary information from the returned service ticket to the GD Runtime.
7. The GD Runtime uses the information from GC to complete the authentication to the target host.
KCD
25
If the port is a default port (80 or 443), omit the first two lines above. Note that some of the lines need just a
host name while others need a fully qualified host name. If the application pool identity is for a built-in user
such as Network Service, then specify the host name as shown below, instead of domain\AppPoolUser
setspn S HTTP/SPHOST:PORT domain\SPHOST
setspn S HTTP/SPHOST.FQDN:PORT domain\SPHOST
setspn S HTTP/SPHOST domain\SPHOST
setspn S HTTP/SPHOST.FQDN domain\SPHOST
Note: If you are using SSL, the SPN must refer to HTTP instead of HTTPS.
4. Create a SPN for the Good Share Server process user as shown below:
setspn S HTTP/GSSHOST domain\GSSUser
setspn S HTTP/GSSHOST.FQDN domain\GSSUser
Step 1: Map the Good Control (GC) Service Account to a Service Principal
Name (SPN)
Note: For more information on how to create/modify SPNs, see https://technet.microsoft.com/enus/library/cc731241.aspx
To use the command line, open an administrator command prompt on the AD machine and enter:
KCD
26
4. In the Value to Add popup, enter GCSvc//fqdn_gc_host_machine as a new SPN, using a host machine name
appropriate to your environment.
Important: If you have clustered your GC servers, you must run these commands for every GC server in the
cluster.
KCD
27
outfilename
kerberos_account
REALM_IN_ALL_CAPS
kerberos_account_password
Note: In the following example, note that the Kerberos realm GD.QAGOOD.COM is in all capital letters:
ktpass /out gdadmin.keytab /mapuser gdadmin@GD.QAGOOD.COM /princ gdadmin@GD.QAGOOD.COM
/pass gdadmin /ptype KRB5_NT_PRINCIPAL
This results in the following example:
KCD
28
3. Copy the new keytab file (gdadmin.keytab in the example) saved in this directory to the GC server.
Important: If you have clustered your GC servers, you must copy the keytab file to every GC server in the
cluster.
KCD
29
3. Enable Trust this user for delegation to specified services only by activating its radio button.
4. Also enable Use any authentication protocol, then click Add
KCD
30
7. Click OK in the Add Services popup, then click OK again in the Properties popup.
2. In the Windows Authorization Access Group Properties popup, click the Members tab, then click Add
3. In the Select Users, Contact, Computers or Group popup, enter the name of the GC service account, and
click OK.
KCD
31
3. In the Properties popup, click on Add User or Group, then enter the name of the GC service account and
click OK.
All GCs in the multi-realm KCD configuration must use that same SQL account.
KCD
32
KCD
33
KCD
34
1. A user in realm 1 with a GD SDK enabled application makes a request to a resource in realm 2
2. The target resource replies with an authentication challenge that the GD runtime intercepts
3. Base on the challenge information, the GD runtime sends a request to a GC that resides in the same realm as
the target resource. The request is for a service ticket to access the target resource.
4. GC authenticates the user/container (via internal GD protocols) and asks for a service ticket on behalf of the
user (this is delegation) for the service on the target host.
KCD
35
5. Active Directory (AD) checks its local policy and determines that the user is in a remote realm. AD returns a
referral to the GC to contact the remote AD for authorization.
6. GC follows the referral to the new AD server for authorization.
7. The realm 1 AD server receives and authorization request. Base on its policy, the AD server will return the
appropriate authorization response.
8. The GC sends the authorization response to the original AD in realm 2.
9. Base on the authorization response, (a) if the user has permission to access the resource on the target host
and (b) if the resource on the target hose is allowed then AD returns to Good Control a service ticket for the
resource
10. Good Control sends the necessary information from the returned service ticket to the GD runtime.
11. The GD runtime uses the information from GC to complete the authentication to the target host.
ConfigurationSteps
The steps here are high-level. They rely on information from Concepts and Steps for a Typical KCD Single Realm
Installation and on other sources, as indicated below.
Step
See Also...
KCD
36
Step
See Also...
Update GC Configuration.
Configure Test KCD website for testing (optional)
Optional/Required
Description
gc.krb5.enabled
Required
The first four properties listed below must be set when gc.krb5.enabled = true.
gc.krb5.kdc=kdc_host_
name
Required
gc.krb5.principal.name=
gc_service_account
Required
gc.krb5.realm=REALM
Required
gc.krb5.keytab.file=
keytab_file_location
Required
KCD
37
[libdefaults]
default_realm = NA.POD1.COM
[realms]
NA.POD1.COM = {
kdc = pod1-na-ad.na.pod1.com
}
[capaths]
NA.POD1.COM = {
APAC.POD2.COM = POD2.COM
POD2.COM = POD1.COM
POD1.COM = .
}
POD2.COM = {
NA.POD1.COM = POD1.COM
POD1.COM = .
}
APAC.POD2.COM = {
NA.POD1.COM = POD1.COM
POD1.COM = POD2.COM
POD2.COM = .
}
KCD
38
The two most important parameters in the error messagesare krbErrCode and krbErrText, which furnish a
description of possible error conditions detected.
Complete documentation for Microsoft's Kerberos error messages is available at
http://technet.microsoft.com/en-us/library/bb463166.aspx .
KCD
39
http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principalname-spn-issues-part-1.aspx
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principalname-spn-issues-part-2.aspx
http://blogs.technet.com/b/askds/archive/2008/06/11/kerberos-authentication-problems-service-principalname-spn-issues-part-3.aspx
KCD
40
Title
l
Security
Servers
Description
Overviews of the Good Dynamics system
GD Sizing Guide
Direct Connect
KCD
41
Category
Title
l
Software
Development
Android
iOS
Windows
Crossplatform
Basic control and application management: SOAP over HTTPS. Documentation is in the WSDL files
included with GC.
Device management: HTTPAPI(with JSON) for device management. Zipfile of API reference.
iOS, Android
Description
Working with the GD SDKand the Xamarin crossplatform integrated development environment
For Xamarin.Android, no separate API reference is
needed; see the standard GD SDK API Reference for
Android
KCD
42