KB440786: How to configure MicroStrategy Library for Integrated Authentication (Kerberos) using AES 256 encryption.


Community Admin

• Strategy


This technical note describes how to configure MicroStrategy Library for Integrated Authentication (Kerberos) using AES 256 encryption.

SUMMARY
The article "How to configure Kerberos Authentication for MicroStrategy Library 10.x using Tomcat on Windows and Linux" gives a step-by-step guide to configuring Strategy Library with Integrated Authentication (Kerberos). However, users who follow it can run into problems when AES 256 encryption is in use. The steps below need to be followed to get it working:

  1. Download JCE (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and place it under C:\Program Files (x86)\Common Files\Strategy\JRE\180_77\Win64\lib, as that is the default JAVA_HOME for the Tomcat version shipped with Strategy.
  2. Make sure AES 256 is enabled for the UPN.
  3. The following command can be run to generate the keytab (this is just a guide; equivalent commands can be used for this step):
    1. ktpass /out "YOUR_DIR" +DumpSalt -princ "YOUR_PRINCIPAL" -pass "PRINCIPAL_PASSWORD" /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 2
    • Replace YOUR_DIR with the location where the keytab should be written (a full file path, as in the example below).
    • Replace YOUR_PRINCIPAL with the UPN name (dstanlibk in the previously referenced article).
    • Replace PRINCIPAL_PASSWORD with the password of YOUR_PRINCIPAL.
    • Make sure the password is provided on the command line (do NOT use interactive mode, /pass *).

Explanation of 3.1:
+DumpSalt - Prints the MIT salt algorithm that is being used to generate the key.
/ptype {KRB5_NT_PRINCIPAL} - Specifies the principal type; the general principal type in this case.
/crypto - Specifies the keys that are generated in the keytab file; AES256-SHA1 employs AES256-CTS-HMAC-SHA1-96 encryption in this case.
EXAMPLE
ktpass /out C:\kerberos\dstanlibk.keytab +DumpSalt -princ dstanlibk@XXXXX.XXXXX.XXXX -pass 123*Strategy /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 2
Output:
Building salt with principalname dstanlibk and domain XXXXX.XXXXX.XXXX
 (encryption type 18)...
Hashing password with salt "XXXXX.XXXXX.XXXX".
Key created.
Output keytab to C:\kerberos\dstanlibk.keytab:
Keytab version: 0x502
keysize 86 dstanlibk@XXXXX.XXXXX.XXXX ptype 1 (KRB5_NT_PRINCIPAL) vno
2 etype 0x12 (AES256-SHA1) keylength 32 (0x733401de85faccfdadc40688cfa021098a4bd
5a7827a283cd646952fb198d371)
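
As an added check that is not part of the original article, the Python code below parses a version 0x502 keytab and confirms that it holds an etype 18 (0x12) entry with a 32-byte key at the expected kvno, the values ktpass reports in the output above. The function names, the principal svc-demo@EXAMPLE.TEST and the all-zero key are constructed for illustration.

```python
import struct

AES256 = 18  # etype 0x12, which ktpass reports as AES256-SHA1

def _counted(buf, pos):  # a 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(buf):
    """Return the entries of a version 0x502 keytab; key bytes are not returned."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        start, pos = pos + 4, pos + 4 + abs(size)   # pos now points at the next record
        if size == 0:                                # end marker
            break
        if size < 0:                                 # deleted slot, nothing to parse
            continue
        (ncomp,) = struct.unpack_from(">H", buf, start)
        realm, p = _counted(buf, start + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp.decode())
        ptype, _ts, kvno, etype = struct.unpack_from(">IIBH", buf, p)
        key, p = _counted(buf, p + 11)
        if pos - p >= 4:               # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "ptype": ptype, "kvno": kvno, "etype": etype, "keylen": len(key)})
    return entries

def check_aes256(entries, principal, kvno):
    """Return the reasons the keytab cannot serve AES256 for principal (empty = OK)."""
    aes = [e for e in entries if e["principal"] == principal and e["etype"] == AES256]
    if not aes:
        return ["no etype 18 (AES256) entry for " + principal]
    bad = [f"key length {e['keylen']}, expected 32" for e in aes if e["keylen"] != 32]
    have = sorted(e["kvno"] for e in aes)
    return bad + ([] if kvno in have else [f"kvno {have} in keytab, expected {kvno}"])

def sample_keytab(etype=AES256, kvno=2, key=bytes(32)):
    """Constructed sample: one entry for svc-demo@EXAMPLE.TEST with an all-zero key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(b"EXAMPLE.TEST") + s(b"svc-demo")
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass its bytes to parse_keytab and call check_aes256 with the principal and the kvno given to ktpass.
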
Notes:

  • If you are still facing issues after following these steps, check the salt being used when generating the keytab and make sure it is the right one.

After finishing the steps outlined above, you can continue with the configuration as stated in "How to configure Kerberos Authentication for MicroStrategy Library 10.x using Tomcat on Windows and Linux".
Published: May 9, 2018
Last Updated: January 3, 2019