TCPWave's GSS-TSIG Integration

TCPWave-ServiceNow
GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction)

GSS-TSIG DNS updates, also called secure dynamic updates, are an extension to TSIG-based updates that adds a secure key exchange. GSS-API relies on Kerberos for confidentiality, integrity, and authentication by establishing a security context with a limited lifetime. Once the security context is established, the system uses TKEY resource records to exchange key material securely between the DNS server and the DNS client.

TCPWave's GSS-TSIG Integration

In the TCPWave IPAM, a DNS zone with AD updates enabled receives dynamic updates from a Microsoft Active Directory server. The system transfers these dynamic updates to the master TCPWave DNS appliance in GSS-TSIG mode. GSS-TSIG is an extension of the TSIG DNS authentication protocol for secure key exchange: a GSS-API algorithm that uses Kerberos to pass security tokens, providing confidentiality, integrity, and authentication.

To enable Active Directory updates on a DNS zone hosted on the TCPWave IPAM, check the "Enable AD Updates" option. An existing Domain Controller must be selected when adding or editing the DNS zone.

To perform secure Active Directory updates to the IPAM using GSS-TSIG, users must create an Active Directory principal user-name mapping in the TCPWave IPAM and upload the Kerberos keytab file generated on the AD server to the TCPWave IPAM.

IPAM
Getting Started
  • Create a zone parent.tcpwave.com.
  • Navigate to Network Management >> DNS Management >> DNS Zones >> Managed DNS Zones >> Create a Zone.
  • Create a Domain Controller (DC) object in the 1.0.0.0 network in the IPAM, associating it with the zone created above.
  • Navigate to Network Management >> IPV4 Address Space >> select the 1.0.0.0 network and subnet >> create a Domain Controller object in that subnet.
  • Create AD User Principal.
  • Navigate to DNS Management >> DNS Security >> Active Directory GSS-TSIG Management (get the keytab file from the DC server using the ktpass command that the IPAM provides on the GSS-TSIG page).
  • To generate a keytab file, execute the following command on the Active Directory appliance:
  • ktpass -out <Out file name> -princ <Service name>/<Principal name>@<Realm name> -mapuser <Principal name> -pass <Password> -crypto <Encryption type selected> -ptype <Principal type selected>
  • Log in to the DC server using RDP.
  • Create the user under the AD domain: open Server Manager >> click Tools >> select Active Directory Users and Computers >> Users >> right-click and add a new user.
  • The Display Name entered during user creation should always be the remote appliance name.
  • Enable/register the DNS server in the DNS settings of the network connection properties.
  • Execute the ktpass command below in the command prompt of the AD server to generate the keytab file:
  • ktpass -out QA-remote2.out -princ DNS/[email protected] -mapuser QA-remote2 -pass XXXXXXXXXX -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
  • Navigate to C:\Users\Administrator to find the keytab file.
  • On the IPAM:
  • Upload the keytab file under DNS Management >> DNS Security >> Active Directory GSS-TSIG Management.
  • Enable Secure AD on the zone.
  • Navigate to DNS Management >> DNS Zones >> Managed DNS Zones >> select the child.tcpwave.com zone >> click the Active Directory tab >> check the "Enable Secure Active Directory Updates" checkbox.
  • When the system starts the AD updates, it also generates a monitoring alert regarding Kerberos authentication from the DNS remote.
  • The system generates a critical alert after the updates start.
  • Check from TCPWave's user interface whether the CNAME and SRV records appear in the underscore zones.
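As an added example (not TCPWave's own code or part of its documentation), the following Python script validates a keytab before it is uploaded under DNS Security: it parses the version 0x0502 keytab format that ktpass writes and flags a missing service principal or a weak encryption type, so that the AES256-SHA1 / KRB5_NT_PRINCIPAL choice made in the ktpass command above is actually what the file contains. The principal DNS/qa-remote2.example.test@EXAMPLE.TEST, the key bytes and the `make_entry` builder are constructed sample data.

```python
import struct
WEAK_ENCTYPES = {3, 16, 23}   # des-cbc-md5, des3-cbc-sha1, rc4-hmac: reject before upload
KRB5_NT_PRINCIPAL = 1         # the -ptype used in this page's ktpass command

def _octets(buf, off):        # keytab counted octet string: uint16 length + bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size < 0:              # negative size marks a deleted (hole) entry
            off -= size; continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, p = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p); comps.append(comp)
        name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen            # skip the fixed fields and the key bytes themselves
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype, "kvno": kvno})
        off = end
    return entries
def check_keytab(data, expected_principal):   # problems to fix before uploading to the IPAM
    entries, problems = parse_keytab(data), []
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append("no key for %s" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s: weak enctype %d" % (e["principal"], e["enctype"]))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("%s: name type %d" % (e["principal"], e["name_type"]))
    return problems

def make_entry(principal, enctype, key, kvno=3):   # constructed stand-in for ktpass output
    service, host_realm = principal.split("/"); host, realm = host_realm.split("@")
    octets = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + octets(realm) + octets(service) + octets(host)
            + struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 1700000000, kvno, enctype, len(key))
            + key + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body
# Constructed sample: the AES256 key ktpass should produce plus a stale RC4 key
SPN = "DNS/qa-remote2.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = b"\x05\x02" + make_entry(SPN, 18, b"\x11" * 32) + make_entry(SPN, 23, b"\x22" * 16)
```

Running `check_keytab(SAMPLE_KEYTAB, SPN)` reports only the RC4 entry; a clean AES256-only keytab returns an empty list.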

For authentication between the DNS client and Active Directory, the AS-REQ, AS-REP, TGS-REQ, and TGS-REP exchanges must take place to grant the ticket and establish a security context. The security context has a limited lifetime, during which dynamic updates to the DNS appliance can occur.
