-
标题
How to configure a cross-domain krb5.config file -
说明
There are some scenarios where the OS metrics cannot be collected when using WinRM.
For example: when checking the domain of the OS Server and the domain of the user credentials used in the connection, both domains are different.
-
原因
You are using an account from domain1 to authenticate on domain2, but there is no SPN on domain1's KDCs for any host from domain2's REALM the SPN references the services (E.g WINRM) that the workstation / server has in the domain.
Usually when going cross domain, if an user from a different domain from what the server accesses and there is trust between domains, the account will be validated in its KDC, but no SPN information will be available for the server and its SPN in that KDC. Realm definitions for both domains are required in the Kerberos configuration.
-
解决办法
The krb5.config file contains standard Kerberos configuration information. When a cross domain situation occurs, the krb5.config file needs to be configured in order to consider both domains. The format of the cross domain krb5.config file is:
[libdefaults] default_realm = DOMAIN1.COMPANY.LOCAL [realms] DOMAIN1.COMPANY.LOCAL = { kdc = DC1.DOMAIN1.COMPANY.LOCAL } DOMAIN2.COMPANY.LOCAL = { kdc = OTHERDC.DOMAIN2.COMPANY.LOCAL } [domain_realm] .domain1.company.local = DOMAIN1.COMPANY.LOCAL .domain2.company.local = DOMAIN2.COMPANY.LOCALWhere:
- DOMAIN1 will be the domain of the User credentials.
- DOMAIN2 will be the domain of the OS server.
-
其他信息
As detailed above, it is necessary to respect the uppercase and lowercase format of the krb5. config file. If any changes occurs in the krb5.config file, the agent manager should be restarted in order to use the new configurations.