VMWare View Composer Server can not authenticate to DSFW

  • 7004290
  • 24-Aug-2009
  • 22-Jan-2015

Environment

Novell Open Enterprise Server 2 SP1 (OES 2SP1)
Novell Open Enterprise Server 2 SP2 (OES 2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 11 SP2 (OES11SP2)
Domain Services for Windows
DSFW

Situation

The VMWare View Composer Server fails to authenticate to DSFW. A LAN trace shows the Kerberos error "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".

The VMWare View Composer Server requests a service ticket for the service principal name "ldap/<ip address of DSFW DC>". If no ticket for that SPN is returned, the View Composer Server falls back to authenticating with NTLMSSP. By default neither AD nor DSFW creates an SPN of the form "ldap/<ip address of DSFW DC>". DSFW does not support NTLMSSP, so the NTLMSSP exchange never completes. AD does support NTLMSSP, which is why the LDAP authentication still succeeds against AD even when the service ticket request fails because of the unknown principal name.

Below is an example of a LAN trace.


Resolution

Starting with OES11SP2, NTLMSSP (NTLM over LDAP) is supported.
Upgrade all DSfW servers to OES11SP2 and enable NTLM over LDAP when running the "Feature Provisioning Wizard".

For OES11SP1 or earlier DSfW servers do the following:
Because VMware View Composer Server does not use the standard service name format "ldap/<hostname of DSFW DC>", create an SPN in the format the View Composer Server is requesting, "ldap/<ip address of DSFW DC>".

To create the SPN the View Composer Server is looking for:

  1. Edit the Domain Controller object using iManager or ConsoleOne.
  2. The DC object has the name of the DSFW server and is located in "ou=domain controllers,<dc=...>".
  3. Go to the Other tab and edit the servicePrincipalName attribute.
  4. Add the value ldap/<ipaddress> to the servicePrincipalName attribute.
  5. Restart the DSFW services with "xadcntrl reload".
Below is a screen shot of adding an SPN.
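As an added example that is not part of this TID, the following shell script checks whether a DSfW DC object already carries the "ldap/<ip address>" SPN that View Composer Server requests and, if not, prints the LDIF that adds it (to be applied with ldapmodify before running "xadcntrl reload"). The DN, IP address, admin DN and sample ldapsearch output are constructed placeholders.

```shell
#!/bin/sh
# Audit a DSfW domain controller object for the "ldap/<ip>" SPN.
# Values below are constructed placeholders, not from the TID.
DC_DN='cn=dsfw-dc1,ou=domain controllers,dc=example,dc=com'   # assumed DC object DN
DC_IP='192.0.2.10'                                            # assumed DC IP address
ADMIN_DN='cn=administrator,cn=users,dc=example,dc=com'        # assumed bind DN

# Constructed sample of "ldapsearch -LLL" output for the DC object: it has the
# default hostname-based SPNs but not the IP-based one View Composer asks for.
SAMPLE_LDIF='dn: cn=dsfw-dc1,ou=domain controllers,dc=example,dc=com
servicePrincipalName: ldap/dsfw-dc1.example.com
servicePrincipalName: ldap/dsfw-dc1.example.com/example.com
servicePrincipalName: HOST/dsfw-dc1.example.com'

# has_spn SPN: read LDIF on stdin, succeed if that exact servicePrincipalName
# value is present. Whole-line fixed-string match, case-insensitive like the
# KDC's own SPN lookup, so "192.0.2.1" cannot match "192.0.2.10".
has_spn() {
    grep -iqxF "servicePrincipalName: $1"
}

# spn_ldif DN SPN: print an LDIF modify that appends SPN to the DN's
# servicePrincipalName attribute (equivalent of steps 3 and 4 above).
spn_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\nservicePrincipalName: %s\n' "$1" "$2"
}

# audit_dc: live check against the DC. Needs ldapsearch/ldapmodify (openldap2-client)
# and the admin password; not invoked here so the script stays runnable offline.
audit_dc() {
    spn="ldap/$DC_IP"
    if ldapsearch -LLL -x -H "ldaps://$DC_IP" -D "$ADMIN_DN" -W \
         -b "$DC_DN" -s base servicePrincipalName | has_spn "$spn"; then
        echo "SPN $spn already present on $DC_DN"
    else
        echo "SPN $spn missing; apply this LDIF with ldapmodify, then run 'xadcntrl reload':"
        spn_ldif "$DC_DN" "$spn"
    fi
}
```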

Additional Information

Windows 2003 (R2) servers are affected by this issue.
Windows 2008 (R2) servers can be affected by this issue.
Windows 2012 servers can be affected by this issue.

SASL NTLMSSP Bind Support

DSfW now includes NTLM support for LDAP authentication. If Kerberos is unavailable, or a legacy third-party application supports only NTLM authentication, the NTLM support for LDAP authentication is used instead. This NTLMSSP support is layered over the SASL GSS-SPNEGO mechanism. For more information, see "Support for SASL NTLMSSP Bind in LDAP" in the OES 11 SP2: Domain Services for Windows Administration Guide.