Algorithm to resolve host names

The following process is used to map a service principal name to a key in the SPNEGO key table:
  1. Resolve the host name to an IP address. The mapping process depends on your host name resolution configuration. Typically, the Hosts file is checked first followed by any DNS servers that may be configured on the appliance.

    If the resolution succeeds, the process continues with step 2.

    If the resolution fails, the canonical name is assumed to be the same as the host name. The process continues with step 3.

  2. Resolve the IP address to the canonical name. The mapping process depends on your host name resolution configuration. Typically, the Hosts file is checked first followed by any DNS servers that may be configured on the appliance.

    If the IP address is found in the Hosts file, the canonical name is set to the first host name that is listed.

    If the IP address is not found in the Hosts file, the DNS server is queried to complete a reverse lookup on the IP address. If the DNS server returns a host name for this IP address, this host name becomes the canonical name.

    If the IP address is not found in the Hosts file and if the DNS server does not return a host name for this IP address, the canonical name is assumed to be the same as the host name.
    Common error
    If the Hosts file lists the short name of the host before the fully qualified host name, the format of the Hosts file is incorrect. Entries in the Hosts file must use the following format:
    IP_address fully_qualified_hostname short_name

    When the format is incorrect, host name resolution might return the short name. The canonical name is then set to this short name. When this issue occurs, the Web server searches for the wrong key in the key table. The canonical name must be set to match the host name that clients use to contact the Web server.

  3. Map the canonical name from step 1 or step 2 to the realm name by checking the [domain_realm] stanza of the /var/PolicyDirector/etc/krb5.conf file. Each entry in this stanza maps a host name or domain name to a realm name.

    The canonical host name is checked against each of the host entries. If a matching host entry is found, the realm name becomes the realm that is specified for the host. If no matching host entry is found, the domain entries are checked. If a matching domain entry is found, the realm name becomes the realm that is specified for that domain.

    If no matching domain entry is found, the realm name becomes the value of the [libdefaults] default_realm entry in the /var/PolicyDirector/etc/krb5.conf file.
    Common error
    The entries in the [domain_realm] stanza of the /var/PolicyDirector/etc/krb5.conf file are incorrect.
    Resolution
    Verify that the realm name specified in the [domain_realm] stanza is correct, and verify that the canonical name matches a host or domain entry in this stanza. This can be checked with one of the following methods:
    • The Local Management Interface: Web > Global Settings > Kerberos Configuration
    • Examine the /var/PolicyDirector/etc/krb5.conf file directly after creating a Support File.
  4. Verify that the key table contains this entry.
    Common error
    If the short name of the host is listed before the fully qualified host name in the Hosts file, host name resolution might return the short name. The canonical name is then set to this short name. When this happens, the Reverse Proxy searches for the wrong key in the key table. The canonical name must be set to match the host name that clients use to contact the Reverse Proxy.
    Resolution
    Check the SPNEGO key table for an entry in the following format:
    HTTP/canonical_name@realm_name
    There is a test function available in the appliance LMI to test Kerberos keyfiles.
    1. Navigate to Web > Global Settings > Kerberos Configuration panel.
    2. Select the Keyfiles tab.
    3. Click Test.
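The four steps above can be traced end to end with a small simulation. The following Python script is an added example, not appliance code: it parses a constructed Hosts file, a constructed krb5.conf fragment with [libdefaults] and [domain_realm] stanzas, and a constructed key table, then derives the HTTP/canonical_name@realm_name principal the appliance would search for. It also reproduces the common error from steps 2 and 4: when the short name is listed before the fully qualified name, the derived principal is not in the key table. DNS answers are stand-ins passed as dictionaries (an assumption for offline use); the domain-entry matching follows the usual krb5.conf convention that entries beginning with "." match domain suffixes.

```python
"""Added example: simulate the SPNEGO key-table name-resolution algorithm.
Not the appliance's own code. The Hosts file, krb5.conf fragment and key
table below are constructed for this example."""
import re

# Constructed Hosts file content. The first is well-formed (FQDN first);
# the second shows the common error (short name listed first).
HOSTS_GOOD = "192.0.2.10 webseal.example.com webseal\n"
HOSTS_BAD = "192.0.2.10 webseal webseal.example.com\n"

# Constructed krb5.conf fragment with [libdefaults] and [domain_realm].
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    legacy.example.net = LEGACY.NET
"""

# Constructed key table: the principals the appliance holds keys for.
KEYTAB = {"HTTP/webseal.example.com@EXAMPLE.COM"}


def parse_hosts(text):
    """Return (name -> ip, ip -> [names in listed order]) from Hosts text."""
    name_to_ip, ip_to_names = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ip_to_names.setdefault(ip, []).extend(names)
        for n in names:
            name_to_ip.setdefault(n.lower(), ip)
    return name_to_ip, ip_to_names


def parse_krb5(text):
    """Return (default_realm, domain_realm dict) from a krb5.conf fragment."""
    section, default_realm, domain_realm = None, None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key.lower()] = value
    return default_realm, domain_realm


def canonical_name(hostname, hosts_text, dns_forward=None, dns_reverse=None):
    """Steps 1 and 2: host name -> IP address -> canonical name.
    dns_forward / dns_reverse are dicts standing in for DNS answers (assumption)."""
    name_to_ip, ip_to_names = parse_hosts(hosts_text)
    dns_forward, dns_reverse = dns_forward or {}, dns_reverse or {}
    host = hostname.lower()
    # Step 1: Hosts file first, then DNS. On failure, canonical = host name.
    ip = name_to_ip.get(host) or dns_forward.get(host)
    if ip is None:
        return host
    # Step 2: Hosts file first (first listed name wins), then reverse DNS,
    # else canonical = host name.
    if ip in ip_to_names:
        return ip_to_names[ip][0].lower()
    return dns_reverse.get(ip, host).lower()


def realm_for(canon, default_realm, domain_realm):
    """Step 3: exact host entry, then domain (".suffix") entries, then default_realm."""
    if canon in domain_realm:
        return domain_realm[canon]
    labels = canon.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def spnego_key_name(hostname, hosts_text, krb5_text):
    """Whole algorithm: the principal the appliance will look for in the key table."""
    default_realm, domain_realm = parse_krb5(krb5_text)
    canon = canonical_name(hostname, hosts_text)
    return "HTTP/%s@%s" % (canon, realm_for(canon, default_realm, domain_realm))


def keytab_has(principal, keytab=KEYTAB):
    """Step 4: does the key table contain this entry?"""
    return principal in keytab


if __name__ == "__main__":
    for label, hosts in (("FQDN listed first", HOSTS_GOOD), ("short name first", HOSTS_BAD)):
        p = spnego_key_name("webseal.example.com", hosts, KRB5_CONF)
        print("%-18s -> %s (in key table: %s)" % (label, p, keytab_has(p)))
```

Running the script shows the well-formed Hosts file producing HTTP/webseal.example.com@EXAMPLE.COM, which is in the key table, while the mis-ordered file yields HTTP/webseal@EXAMPLE.COM, which is not; that mismatch is exactly what the Keyfiles Test in the LMI would surface.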