For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Aug 16, 2017

App auth breaks when put behind F5

We have an internal IIS 7 site that uses kerberos for auto login. When we put it behind the F5 and point DNS to the VIP the seamless kerberos auth breaks (there's just the one server in the pool). Is...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Aug 16, 2017

Hi,

 

You may have several issues here :

 

  • Invalid SPN configuration,
  • Kerberos token too big (> 32 Kb),
  • ...

What is the behavior observed when putting the bigip device in front of the application ?

 

If you start a packet capture or an HTTP trace on the browser (Burp, httpwatch, fiddler, Developer tools, ...), you may see if you get a response 401, a tcp reset, a basic fallback or some other things you may find.

 

APM module is required when you require to terminate Kerberos authentication on the bigip device which is not the use case you described. So APM is not required in your situation

 

Yann

 

Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Aug 17, 2017

It looks like the user provides a Kerberos token but the backend server refuses it.

 

What is the kerberos configuration you have done on the Active Directory and on the IIS server to make Kerberos works ?

 

Did you change the DNS name or you just changed the DNS record to point to the VIP ?

 

What is the configuration of your Virtual Server ?

 

I saw that NTLM is also supported but require a OneConnect profile and NTLM profile applied on a Virtual Server to make it works through BIG-IP.