Forum Discussion
Can you set Kerberos AAA server via session variable?
Folks,
I am looking to set up Kerberos so folks do not need to keep entering their credentials and have been doing some testing. I have a couple of test policies set up and assigned to their own VIP. For each policy I have configured a service account and created a keytab file specifically for the VIP it relates to. Inside the policy I have the specific Kerberos AAA server defined which has the keytab file linked to it. I have been able to get the policies to work as expected, and the clients pick up the Kerberos ticket and successfully authenticate.
The challenge I face is that we have an awful lot of VIPs and tend to share logon policies, and I do not want to have a logon policy per app, so I am looking for a way to keep it as simple as possible.
I tried in vain to create a *.domain keytab and SPN and that didn't work. I have tried and succeeded in adding multiple keytabs together, and while it did work, with the volume of apps I'll mess it up somewhere and it would be impractical.
The theory I have is that if I made an AD service account per app, created a keytab per app, and created a Kerberos AAA server per app with the name of the AAA server the same as the VIP, I could create a common logon policy, read the variable of what VIP I am trying to access, use that variable as the Kerberos AAA server name and have the logon process check against that SPN.
Thoughts?? Is there a simpler way of doing this?
1 Reply
- Injeyan_Kostas
Nacreous
Hi ktm_2000
The simplest way would be to use a single keytab file, let's say for sso.example.com, and set a multi-domain SSO policy with sso.example.com as the primary domain. Then you add the rest of the domains.
So when a user tries to access app1.example.com, APM will redirect him to sso.example.com where he could authenticate with Kerberos and then will be returned to app1.
Another way is to have a unique login policy just for sso.example.com with Kerberos and have the other policies SAML federated to sso.
And the last option is to have multiple keytabs and then inside the policy check the hostname requested and have multiple branches, one for each hostname, and assign a different Kerberos auth for each.
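Both the original poster's merged-keytab attempt and the last option in the reply depend on knowing exactly which service principals (and key versions) a keytab actually carries before it is attached to a Kerberos AAA server. The following parser, added here as an illustration and not F5, DevCentral or MIT code, reads an MIT-format keytab (version 0x0502, the format produced by ktutil and ktpass) and reports the SPNs, their kvnos and enctypes, and which expected HTTP/ hosts are missing. The sample keytab is constructed in the block with a small builder; the principals, realm and keys are made up for the example.

```python
"""Inspect an MIT-format keytab (version 0x0502) and check which HTTP/ SPNs
it covers.  Added example; the keytab bytes below are constructed here, not
taken from any real system."""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab v2: big-endian fields, name_type field present


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at offset `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        (_name_type, _timestamp, vno8) = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype, keylen) = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno trailer overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def list_spns(entries):
    """Distinct principals in the keytab, sorted."""
    return sorted({e["principal"] for e in entries})


def kvno_map(entries):
    """principal -> sorted list of key versions present (rotation leaves old ones)."""
    out = {}
    for e in entries:
        out.setdefault(e["principal"], set()).add(e["kvno"])
    return {p: sorted(v) for p, v in out.items()}


def missing_spns(entries, hosts, realm):
    """Hosts (from the VIP list) with no HTTP/<host>@<realm> key in the keytab."""
    have = set(list_spns(entries))
    return [h for h in hosts if "HTTP/%s@%s" % (h, realm) not in have]


def build_keytab(spec):
    """Build a v0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Only used to construct the offline sample below."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in spec:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: two apps, app1 rotated once (old kvno 2 still present).
# Enctype 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96; keys are dummies.
SAMPLE = build_keytab([
    ("HTTP/app1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),
    ("HTTP/app2.example.com@EXAMPLE.COM", 1, 17, bytes(range(16))),
    ("HTTP/app1.example.com@EXAMPLE.COM", 2, 18, bytes(range(32, 64))),
])
# Same sample with a 3-byte deleted slot inserted, as ktutil's delete leaves behind.
SAMPLE_WITH_HOLE = KEYTAB_MAGIC + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE[2:]

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE)
    for p, vers in kvno_map(ents).items():
        print(p, "kvno", vers)
    print("missing:", missing_spns(ents, ["app1.example.com", "app3.example.com"], "EXAMPLE.COM"))
```

To check a real merged keytab, replace SAMPLE with open("merged.keytab", "rb").read() and pass the list of VIP hostnames to missing_spns(); an SPN that is absent, or present only with an enctype the KDC no longer issues, is the usual reason one VIP's branch silently falls back to a password prompt.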