Forum Discussion
BigIP APM KCD Multiple Forests
OK, got it working. I have read different docs and posts to get to the right info, but had to use Network Monitor to see that the last error I was getting (Server not found in Kerberos database) was due to the format of the service account used in the SSO config being sAMAccountName instead of the SPN format. The KDC in domainB was not able to locate the SPN of the service account since no realm name was being sent in the request.
LTM version 11.5.4. In order for the BigIP to get a Kerberos ticket for a user in domainB (forestB) to a resource in domainA (forestA) you need to:
- enter the SPN format of the delegation service account name in the Kerberos SSO configuration
- leave the KDC entry empty when you are, as in my case, in a cross-forest/domain setup
- have the web application or resource in the same domain (domainA here) as the delegation service account.
Of course, when using a hostname for your site like webapp1.coolapp.com, which is not a subdomain of your Active Directory domain, you have to add a UPN mapping to domainA to specify that its KDC is responsible for this hostname (remember your web app service account uses HTTP/webapp1.coolapp.com as its SPN). So any queries for this SPN will be fulfilled by the domainA KDC.
UPN Routing:
https://blogs.msdn.microsoft.com/spatdsg/2008/08/21/kerberos-domain-routing/
https://blogs.technet.microsoft.com/askds/2009/04/10/name-suffix-routing/
Just for reference, the other error I was getting was: Realm not local to KDC. I was getting this error when I was specifying a KDC (domainA domain controller) in the KDC text box in the SSO config. In a cross-domain setup you should leave this empty.
IMPORTANT NOTE: When you change the service account format, re-enter the password and, most of all, run this command to purge the whole web SSO Kerberos cache:
bigstart restart websso
https://f5guru.com/2016/08/23/kerberos-is-easy-part-2/
Another important config element: name resolution. I tested these configurations:
1. Adding the trusted domain realms to the BigIP krb5.conf (in the /etc/ folder) => works fine. This makes it possible for the BigIP to find the KDCs of the trusted domains because, remember, you should not put them in the SSO config in a trusted domain setup.
2. Adding the KDCs (domain controllers) to the hosts file of the BigIP => does not work in my case.
3. Adding DNS servers of the trusted domains to the BigIP DNS config => works fine.
Now to the web application hostname: I added the hostname webapp1.coolapp.com to the BigIP hosts file when I started working on this setup and forgot it there. My SSO started working when I did all the pieces, and I thought that the BigIP was getting the tickets for users and sending them to the pool members (servers), since the web servers and delegation service account are in the same domain. But I never thought of how the BigIP finds the web server behind the SPN/hostname webapp1.coolapp.com. I removed the web app hostname from the BigIP hosts file and the SSO stopped working. So it looks like the BigIP has to resolve the hostname to a web server to do the Kerberos delegation. I thought it automatically does this since I'm asking for hostname webapp1.coolapp.com on a VS which has servers behind it, so why does the system need to know where the hostname is hosted!!! In a production environment this does not make sense, because the hostname will be registered in DNS as hostname = VS IP!!! I'm still testing, so will come back with more info on this later.
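As an added illustration (not part of the original post or an F5 artifact), this is what the trusted-realm entries and the hostname-to-realm mapping described above could look like in the BigIP's /etc/krb5.conf. Realm names, KDC hostnames and the domaina/domainb DNS suffixes are placeholders; only webapp1.coolapp.com comes from the post.

```ini
# Added example, not from the original post. Realm names, KDC hosts and
# DNS suffixes are placeholders; substitute the real forest names.
[libdefaults]
    default_realm = DOMAINA.EXAMPLE
    # Allow KDC discovery through DNS SRV records as a fallback; this is why
    # adding the trusted domains' DNS servers to the BigIP DNS config matters.
    dns_lookup_kdc = true
    # Realm selection comes from the explicit [domain_realm] map below.
    dns_lookup_realm = false

[realms]
    # Realm of the delegation service account and of the web servers.
    DOMAINA.EXAMPLE = {
        kdc = dc1.domaina.example
        kdc = dc2.domaina.example
    }
    # Trusted realm of the users. Listed here so the BigIP can locate its
    # KDCs even though the KDC field in the Kerberos SSO config stays empty.
    DOMAINB.EXAMPLE = {
        kdc = dc1.domainb.example
    }

[domain_realm]
    .domaina.example = DOMAINA.EXAMPLE
    domaina.example = DOMAINA.EXAMPLE
    .domainb.example = DOMAINB.EXAMPLE
    domainb.example = DOMAINB.EXAMPLE
    # The application hostname is under neither AD DNS suffix, so map it
    # explicitly: the SPN HTTP/webapp1.coolapp.com is then requested from
    # the DOMAINA KDC, the krb5 counterpart of the name-suffix routing above.
    webapp1.coolapp.com = DOMAINA.EXAMPLE
```

If the realm for the SPN's hostname cannot be determined, the library falls back to the default realm, which is one way to end up with a "Server not found in Kerberos database" error against the wrong KDC.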
