Secure Email Kerberos tester tool

Configuring Secure Email Gateway on UAG is not particularly difficult and is quite well documented on VMware docs.

When it comes to Kerberos authentication however, things are getting more complex. You will have to setup integration with certificate services, make changes to your Exchange environment and configure SPN in Active Directory. If you want to configure SEG with Kerberos on UAG, just follow the documentation for SEG on Windows. You can find it here.

Everything will go well … until you run into issues with Kerberos 😉 and they you’ll have to start troubleshooting.

Rollup your sleeves, switch on debug logs and dig into Wireshark! This has been documented well by @m0bilej0n here. Big 🙏 for that!

in this post I want to share with you a nice and handy Kerberos tester tool which is included in UAG! This useful tool enables you to test your Kerberos setup. It will request a kerberos ticket for a user with your service account and provide detailed logs.

How does it work?

When SEG edge service is enabled on UAG, SSH into your UAG and follow the below steps to run Kerberos tester tool.

Get the docker container ID using below command: 

docker ps

SSH into the docker container using the obtained container ID. You will be logged into the container working directory “/opt/vmware/seg“: 

docker exec -it containerID /bin/bash

To set the environment variables required for KCD Client tool to run 

export KRB5CCNAME=”MEMORY:”

export KRB5_CONFIG=”/opt/vmware/seg/config/kerberos/krb5.conf”

NOTE: After every docker exec login, execute these two export commands as it will be separate bash session.

Run the below command to check if a Kerberos token can be obtained for the mentioned UPN. For UAG 3.10, the KCD client binary is located in the “kerberos-client” subfolder of the working directory (“/”), and named as /opt/vmware/segkerberos-clientVMware-KCD-Client. Run the below command: 

./kerberos-client/VMware-KCD-Client -m kerberostest -n spn -w service_account@domain_lowercase@domain_uppercase -p password -u username@domain_uppercase

For example: ./kerberos-client/VMware-KCD-Client -m kerberostest -n HTTP/mail-vmwkcd.ssdevrd.com -w servKCD@vmwkcd.org@VMWKCD.ORG -p
Password@2 -u MEM1@VMWKCD.ORG

Here a screenshot of the output of the Kerberos tester tool

Leave a Reply

Your email address will not be published. Required fields are marked *