For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Aug 16, 2017

App auth breaks when put behind F5

We have an internal IIS 7 site that uses kerberos for auto login. When we put it behind the F5 and point DNS to the VIP the seamless kerberos auth breaks (there's just the one server in the pool). Is...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Aug 16, 2017

Hi,

 

You may have several issues here :

 

  • Invalid SPN configuration,
  • Kerberos token too big (> 32 Kb),
  • ...

What is the behavior observed when putting the bigip device in front of the application ?

 

If you start a packet capture or an HTTP trace on the browser (Burp, httpwatch, fiddler, Developer tools, ...), you may see if you get a response 401, a tcp reset, a basic fallback or some other things you may find.

 

APM module is required when you require to terminate Kerberos authentication on the bigip device which is not the use case you described. So APM is not required in your situation

 

Yann

 

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Aug 17, 2017

I will have to reach out to the app owner to get the AD and IIS kerb config. Will get back to you. I modified local etc/hosts file so FQDN has not changed. Here is the VIP:

ltm virtual i2ddev.ab.abc.com-443-vs {
    destination 10.10.10.1:https
    ip-protocol tcp
    mask 255.255.255.255
    pool i2ddev.ab.abc.com-443-pl
    profiles {
        clientssl-i2ddev.ab.abc.com {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 6
}