APM Kerberos AUTH with strong encryption algorithm (AES) support.
Hello,
Please tell me which version of BIG-IP supports AES256 in the keytab for Kerberos Auth?
In my environment (Win2012 + BIG-IP v13) I can use only rc4-arcfour-hmac in the keytab (as described in the manual https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/9.html). But if I generate a key with AES256 encryption, then the authentication does not work and the following errors occur:

```text
...modules/Authentication/Kerberos/KerberosAuthModule.cpp: 'display_status_1()': 94: 7bc9dd3a : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information
...modules/Authentication/Kerberos/KerberosAuthModule.cpp: 'display_status_1()': 94: 7bc9dd3a : GSS-API error gss_accept_sec_context: 186a5 :
```

As I understand it, changing the config (/etc/krb5.conf) manually is not supported (as each APM policy update or restart of the apmd service overwrites the config).
Hi Alexander,
Today I've tested Kerberos Auth with use of AES-256-CTS-HMAC-SHA1-96 encryption and it works. Here are some pointers that may help you.
Create keytab:

```text
PS C:\Users\Administrator> ktpass -princ HTTP/host.domain.local@DOMAIN.LOCAL -mapuser f5-kerberos-auth@DOMAIN.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\f5-kerberos-auth.keytab
Targeting domain controller: DOMAIN-DC-01.domain.local
Successfully mapped HTTP/host.domain.local to f5-kerberos-auth.
Password successfully set!
Building salt with principalname HTTP/host.domain.local and domain DOMAIN.LOCAL (encryption type 18)...
Hashing password with salt "DOMAIN.LOCALHTTPhost.domain.local".
Key created.
Output keytab to c:\f5-kerberos-auth.keytab:
Keytab version: 0x502
keysize 85 HTTP/host.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x84d225f16c76be4d39354ea15584e931384fe17394c5761376d4a52f96419d7d)
PS C:\Users\Administrator>
```
In the Windows account you have created, make sure the following setting in the Account tab under 'Account settings' is enabled:
This account supports Kerberos AES 256 bit encryption
On the BIG-IP Kerberos AAA object, under Settings I use:
SPN Format: Kerberos 5 NT Principal
Service Principal Name: HTTP/host.domain.local
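The ktpass output above shows what decides whether AES works: the keytab entry's etype (0x12 = 18 for AES256-SHA1) and its vno must match what the domain controller issues. The following script is an added example, not code from this thread or from F5: it builds and parses a version-0x502 keytab (the format ktpass and MIT krb5 write) and reports each entry's principal, vno and encryption type, flagging RC4 and single-DES keys so a keytab can be checked before it is uploaded to the AAA object. The sample keytab is constructed inline with dummy key bytes; the file-path argument in the `__main__` block is an assumed usage.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}
# Types an audit should flag: single DES, RC4 and exportable RC4.
WEAK_ENCTYPES = {1, 3, 23, 24}

KEYTAB_VERSION = b"\x05\x02"  # the "Keytab version: 0x502" that ktpass prints


def _pack_cstr(s):
    """counted_octet_string: uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def _unpack_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    start = pos + 2
    return data[start:start + n].decode(), start + n


def build_keytab(entries):
    """Serialise entry dicts (principal, name_type, timestamp, vno, enctype, key)
    into a version-0x502 keytab; all integers are big-endian."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_cstr(realm)
        body += b"".join(_pack_cstr(c) for c in comps)
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["vno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        if e["vno"] > 0xFF:            # 8-bit vno overflowed: append the 32-bit one
            body += struct.pack(">I", e["vno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a version-0x502 keytab into a list of entry dicts."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _unpack_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _unpack_cstr(data, pos)
            comps.append(c)
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:             # optional trailing 32-bit vno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "vno": vno, "enctype": enctype, "key": key})
    return entries


def audit_keytab(data):
    """Return (principal, vno, enctype name, is_weak) for every entry."""
    return [(e["principal"], e["vno"],
             ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]),
             e["enctype"] in WEAK_ENCTYPES) for e in parse_keytab(data)]


# Constructed sample: the SPN from the thread with two keys, an AES256 entry
# (etype 18, 32-byte key) and an RC4 entry (etype 23, 16-byte key). The key
# bytes are filler, not real key material.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "HTTP/host.domain.local@DOMAIN.LOCAL", "name_type": 1,
     "timestamp": 1700000000, "vno": 8, "enctype": 18, "key": b"\x11" * 32},
    {"principal": "HTTP/host.domain.local@DOMAIN.LOCAL", "name_type": 1,
     "timestamp": 1700000000, "vno": 8, "enctype": 23, "key": b"\x22" * 16},
])

if __name__ == "__main__":
    import sys
    # Assumed usage: pass a keytab path, or run with no argument to audit the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, vno, etype, weak in audit_keytab(data):
        print("%-40s vno %d  %-24s %s" % (principal, vno, etype, "WEAK" if weak else "ok"))
```

Run against a real keytab, the audit tells you whether the file actually carries an etype 18 entry for the SPN and what vno it has; a vno that lags the account's current key version (ktpass with +rndPass bumps it each run) is one common cause of the gss_accept_sec_context failure quoted in the question.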