APM Kerberos/SPNEGO to Tomcat (CAS)

Question

We are working on setting up SPNEGO authentication with Apereo CAS (https://apereo.github.io/cas/4.2.x/index.html) running on Linux, and I have a few things I would like clarification on.&nbsp;
We need APM to present a logon page to a user, and then use Kerberos to authenticate them to the CAS server.&nbsp;
It looks like a user account is required for the CAS service, and that ktpass.exe must be used to export the keytab file for that user.&nbsp;
Here are the questions I have:&nbsp;

How many Active Directory user accounts are needed for this? I assume we need a delegation account for the F5s, and we also need a service account for CAS. Or do we need to use the same delegation account for the CAS service as well?

If two accounts are needed, what do the corresponding SPNs need to be? Here is the hostname information:&nbsp;

castst.company.com - URL of the application that users will be accessing. Points to an F5 VIP.&nbsp;
castst01.company.local - Hostname of CAS server. Refuses any traffic not for castst.company.com, forcing users to go through the F5.&nbsp;
For the delegation account, would I set the SPN to be HTTP/castst.company.com@COMPANY.LOCAL? And then for the service account set it to be HOST/castst01.company.local@COMPANY.LOCAL?&nbsp;
Thanks in advance.&nbsp;
P.S. Specific documentation regarding the CAS configuration can be found here:&nbsp;
https://wiki.jasig.org/display/CASUM/SPNEGO&nbsp;
https://apereo.github.io/cas/4.2.x/installation/SPNEGO-Authentication.html&nbsp;

michaelatf5 · Answer

You only need to export a keytab if you are performing Client-Side Kerberos.  For Server-Side Kerberos, just set up a Kerberos SSO profile in APM.  You will need an S4uProxy Account.&nbsp;
I explain Apache here:  https://devcentral.f5.com/articles/us-federal-enabling-kerberos-for-smartcard-authentication-to-apache?tag=federal &nbsp;
Tomcat follows the same basic configuration as far as APM is concerned.&nbsp;

kevin_stewart · Answer

APM Kerberos does protocol transition, so it doesn't really matter what the external URL is. You can use a single internal account, but it's recommended to have two separate accounts - one for the service itself and one for the delegation account to access the service. The delegation account is used by APM to request an S4U ticket to the service and its name is arbitrary (but unique). So for example,&nbsp;
Your delegation account might be HOST/krb.company.local@COMPANY.LOCAL&nbsp;
Your service account would be HTTP/castst.company.com@COMPANY.LOCAL&nbsp;
And the delegation account would be configured to delegate to the service account (with the "any protocol" option to enable S4U).&nbsp;

Forum Discussion

APM Kerberos/SPNEGO to Tomcat (CAS)

Recent Discussions

ip x-forwarding

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Related Content

F5 monitor for Tomcat/Pega

Creating, Importing and Assigning a CA Certificate Bundle

SSL Client Certification Alert 46 Unknown CA

Form Based Authentication with Tomcat not working on F5

Apache Tomcat Remote Code Execution via JSP upload (CVE-2017-12615 / CVE-2017-12617)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS