Kerberos rdns=false Breaking Connections From Linux Clients to Windows IIS Server

iis-8.5 kerberos mitkerberos

Recently I changed the krb5.conf file on Linux clients to use:

[libdefaults]
rdns = false

These clients can still successfully use kerberos auth to connect to other Linux webservers. However, now their connections break to IIS webservers. An example error I see is:

< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
< Server: Microsoft-IIS/8.5
* gss_init_sec_context() failed: Server not found in Kerberos database.

However, when I remove rdns=false, the Linux clients can auth/connect without issue. I am able to consistently recreate this behavior by adding rdns=false and seeing failures and then removing it and seeing successes. Why does rdns=false break connections from Linux Clients to IIS Webservers?


But isn't this error coming from the IIS webserver?

No, it's coming from the GSSAPI library (libkrb5) used by curl.

Why does a client's configuration setting impact the webserver's functionality? ie- what does the webserver care if the client does a reverse lookup or not and how does it even know if the client does a reverse lookup?

Kerberos tickets get issued for a specific server FQDN, similar to TLS certificates. When you want to talk to app.example.com over HTTP, your client has to request a ticket for the HTTP/[email protected] service principal.

However, unlike TLS (which looks at the domain in your URL and nothing else), traditional Kerberos implementations determine the principal name using reverse DNS of the server's IP address, which can result in the client requesting tickets for a completely different SPN than the one displayed in the URL.

This is especially common with multiple domains pointing to single webserver, or with a domain using DNS round-robin to multiple webservers. For example, if your "app.example.com" actually points to a server that was AD-joined as "web01.example.com", then previously curl was successfully requesting tickets for "HTTP/web01.example.com" (which AD knows) but now it is requesting tickets for "HTTP/app.example.com" which your AD domain controllers do not know, and therefore cannot issue tickets for.

If the domain points to just one IIS server, setspn would solve this by essentially adding an alias for the same Kerberos key.

(This MIT/Heimdal Kerberos behavior is different from Windows clients, which always behave as if they had rdns=off, if I remember that correctly.)

Related

How can I make synology reverse proxy work inside my local / private network and/or over VPN (and do I need to?)?
iptables - Allow only incoming SSH from WAN and block outcoming traffic from LAN
How to tell .htaccess to only allow requests to index.php and app/dist/* folder?
How to forward HTTPS traffic through squid transparently?
SSH random connect timeout
Intune device not in Endpoint Manager
ssh remote command parsing gone wrong
nginx TCP forwarding with GeoIP
Receiving notifications from a remote machine as a local event
GCP metadata Transferring to SSH Keys - Permission Denied
Apache2 Server Huge response time
Server Time Keeps Changing to 2 Hours in the Future