Forum Discussion

Alexander_Poly1
7 years ago

APM Kerberos AUTH with strong encryption algorithm (AES) support.

Hello,

 

Please tell me which version of BIG-IP supports AES256 in the keytab for Kerberos auth?

 

In my environment (Win2012 + BIG-IP v13) I can use only rc4-arcfour-hmac in the keytab (as described in the manual https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/9.html). But if I generate a key with AES256 encryption, then the authentication does not work and the following errors occur:

 

...modules/Authentication/Kerberos/KerberosAuthModule.cpp: 'display_status_1()': 94: 7bc9dd3a : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information
...modules/Authentication/Kerberos/KerberosAuthModule.cpp: 'display_status_1()': 94: 7bc9dd3a : GSS-API error gss_accept_sec_context: 186a5 :

As I understand it, changing the config (/etc/krb5.conf) manually is not supported (each APM policy update or restart of the apmd service overwrites the config).

 

1 Reply

  • Hi Alexander,

    Today I tested Kerberos auth using AES-256-CTS-HMAC-SHA1-96 encryption and it works. Here are some pointers that may help you.

    Create keytab:

    PS C:\Users\Administrator> ktpass -princ HTTP/host.domain.local@DOMAIN.LOCAL -mapuser f5-kerberos-auth@domain.local +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\f5-kerberos-auth.keytab
    Targeting domain controller: DOMAIN-DC-01.domain.local
    Successfully mapped HTTP/host.domain.local to f5-kerberos-auth.
    Password successfully set!
    Building salt with principalname HTTP/host.domain.local and domain DOMAIN.LOCAL (encryption type 18)...
    Hashing password with salt "DOMAIN.LOCALHTTPhost.domain.local".
    Key created.
    Output keytab to c:\f5-kerberos-auth.keytab:
    Keytab version: 0x502
    keysize 85 HTTP/host.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x84d225f16c76be4d39354ea15584e931384fe17394c5761376d4a52f96419d7d)
    PS C:\Users\Administrator>
    

    In the Windows account you have created, make sure the following setting in the Account tab under 'Account settings' is enabled:

    This account supports Kerberos AES 256 bit encryption
    

    On the BIG-IP Kerberos AAA object, under Settings I use:

    SPN Format: Kerberos 5 NT Principal
    Service Principal Name: HTTP/host.domain.local
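A check that goes with the procedure in the reply above, added here as an example and not part of the original thread or of any F5 tooling: before blaming krb5.conf, read the keytab that actually landed on the BIG-IP and confirm it holds an etype 18 (AES256-CTS-HMAC-SHA1-96) entry for the exact SPN configured in the AAA object, with the kvno ("vno 8" in the ktpass output) from the most recent ktpass run. The parser below implements the keytab file format version 0x502 that ktpass writes (the same layout MIT and Heimdal use). The SPN and kvno are taken from the reply; the key bytes and timestamps are constructed, and the sample keytab is built in memory so the script runs offline. Pass a real keytab path as the first argument to inspect it instead.

```python
"""Inspect a Kerberos keytab (format 0x502) and confirm it carries an AES256
key for the APM SPN.  Added example, not from the original post; sample
keytab bytes are constructed inline."""
import struct
from typing import Any, Dict, List

# IANA Kerberos encryption type numbers (subset)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4-HMAC, the "rc4-arcfour-hmac" from the question
}
AES256, RC4 = 18, 23
KRB5_NT_PRINCIPAL = 1


def _octets(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries: List[Dict[str, Any]]) -> bytes:
    """Serialise entries into keytab format version 0x502 (as ktpass/MIT write it)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _octets(e["key"])
        body += struct.pack(">I", e["kvno"])  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    """Parse a 0x502 keytab into dicts with principal, kvno, enctype and key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r, expected 0x502" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present; a non-zero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(data: bytes, spn: str) -> Dict[str, Any]:
    """Which enctypes and kvnos the keytab holds for spn, and whether AES256 is among them."""
    found = [e for e in parse_keytab(data) if e["principal"] == spn]
    etypes = sorted({e["enctype"] for e in found})
    return {"spn": spn,
            "enctypes": [ENCTYPE_NAMES.get(t, "etype %d" % t) for t in etypes],
            "kvnos": sorted({e["kvno"] for e in found}),
            "has_aes256": AES256 in etypes,
            "rc4_only": etypes == [RC4]}


# Constructed sample: SPN and kvno from the ktpass run above, made-up key bytes.
SPN = "HTTP/host.domain.local@DOMAIN.LOCAL"
SAMPLE_ENTRIES = [
    {"principal": SPN, "name_type": KRB5_NT_PRINCIPAL, "timestamp": 1500000000,
     "kvno": 8, "enctype": AES256, "key": bytes(range(32))},
    {"principal": SPN, "name_type": KRB5_NT_PRINCIPAL, "timestamp": 1500000000,
     "kvno": 8, "enctype": RC4, "key": bytes(range(16))},
]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(blob):
        print("%-40s kvno %d  %s" % (e["principal"], e["kvno"],
                                      ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    print(check_keytab(blob, SPN))
```

Two things to look at in the report: `rc4_only` true means the keytab was cut with `-crypto RC4-HMAC-NT` (or the account still only advertises RC4) and no AES key exists for the KDC ticket to match; and a `kvnos` value that differs from the last ktpass output means an old keytab is on the box, since every `ktpass +rndPass` resets the account password and bumps the kvno, so the keytab must be re-uploaded after each run.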