Forum Discussion

balaaj_217997
Aug 20, 2015

f5 and Kerberos SSO sap BI

Hi, we are using an F5 load balancer and we enabled Kerberos SSO. It works like a charm with the direct link. However, it is not working with the F5 DNS name bi.temp.com.

Full URL: https://bi.temp.com
Service user: sapuser
Direct URL:
Domain: xyz.com
SPNs:
Setspn -a http/biserver sapuser
Setspn -a http/biserver.xyz.com sapuser
Setspn -a http/biserver2 sapuser
Setspn -a http/biserver2.xyz.com sapuser
Setspn -a http/bi.temp.com

It's prompting for username and password.

Any inputs?

  • So which SPN/FQDN is working and which is not? Have you configured the browser to allow Kerberos auth to these other URLs?

  • The SPN for the F5, i.e. http/bi.temp.com, is not working.

    We have added https://bi.temp.com to Trusted Sites. Is there any other configuration to be performed on the browser to allow Kerberos?

  • You need to put the URL in IE's Local Intranet sites list. Otherwise I'm assuming you have:

    1. Created an AD account, added the SPN (http/bi.temp.com) and exported a keytab.

    2. Imported that keytab to an APM Kerberos AAA.

    3. Configured the access policy with a 401 agent with negotiate enabled and a negotiate branch that flows into a Kerberos Auth agent.

    The best way to troubleshoot client side Kerberos issues is to:

    1. Enable debug logging for APM. Look for anything that says "kerberos" or "gssapi".

    2. Capture the client's requests to the KDC with Wireshark, and HTTP requests to APM. You should see the entire process here: what (and if) the client requests a ticket for, and what it sends to the VIP.

  • Hi Kevin,

    Thanks for your reply. I checked with the network team and they informed us they are not using APM.

    They are using the F5 only for load balancing.

    Let us know if some changes have to be performed.

    Thanks

  • Hi,

    Thanks for the reply.

    The Kerberos-based SPN is completed for SAP BO, which runs on the Tomcat server.

    tomcat1 URL
    tomcat2 URL

    F5 URL: https://bi.temp.com

    Currently, as I understand from the network team, the F5 just redirects the URL and authentication happens on the Tomcat URL.

    The issue is that SSO works perfectly for the tomcat1 URL and the tomcat2 URL. Through the load balancer SSO doesn't work and it asks for username and password.

    The network team informed us no configuration is to be done on the F5. They informed us they are not using APM.

    Please let us know if specific activities are to be performed on the F5. If yes, please provide a link.

    • imvinod_245290
      Hi Balaaj, did you find success in setting up the F5 with Kerberos? We are also trying to set up the same, i.e. use the F5 only for load balancing and pass the Kerberos traffic through the F5.

  • If you're not using APM, what are you referring to when you say "SSO"?

    Since you're not using APM to handle the Kerberos traffic, then you're simply passing the Kerberos traffic through the VIP. The issue I think you're seeing is that the client is attempting (and most likely failing) to request a ticket for the external URL (bi.temp.com). A browser will derive the servicePrincipalName (SPN) for a Kerberos request from the FQDN in the requested URL. If the backend server's SPN is http/biserver, then the client is simply passing a ticket for the wrong SPN (or no ticket at all if http/bi.temp.com doesn't exist in the realm). In order for pass-through Kerberos to work, the external FQDN must match the internal (target) SPN. The easiest way to achieve that may be to add a new SPN to the account for http/bi.temp.com.
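As an added example (not code from the thread or from F5), a small Python check of the point above: it derives the SPN a browser will request from a URL's host and looks it up in a constructed `setspn -L` listing that mirrors the SPNs registered in this thread, so the bi.temp.com mismatch shows up before anyone reaches for Wireshark. The account DN in the sample output is made up.

```python
"""Added example: does the SPN a browser derives from a URL exist on the
service account?  Browsers build the Kerberos SPN for a web request as
HTTP/<host from the URL> (the same for http and https), so pass-through
load balancing only works when that exact SPN is registered."""
from urllib.parse import urlsplit

# Constructed sample of `setspn -L sapuser` output, mirroring the SPNs
# registered in this thread (http/bi.temp.com is deliberately absent).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=sapuser,OU=Service,DC=xyz,DC=com:
        http/biserver
        http/biserver.xyz.com
        http/biserver2
        http/biserver2.xyz.com
"""


def parse_setspn(output):
    """Return the SPNs from a `setspn -L` listing, lower-cased for matching."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        # SPN lines look like "class/host"; skip the header line and blanks.
        if line and "/" in line and not line.startswith("Registered"):
            spns.add(line.lower())
    return spns


def derive_spn(url):
    """SPN a browser derives for a URL: HTTP class plus the host (port dropped)."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("no host in URL: %r" % url)
    return "HTTP/" + host


def check_url(url, output=SETSPN_OUTPUT):
    """Return (derived SPN, registered?) for the URL against the listing."""
    spn = derive_spn(url)
    return spn, spn.lower() in parse_setspn(output)


if __name__ == "__main__":
    # The two cases from the thread: direct backend URL works, F5 name does not.
    for url in ("https://biserver.xyz.com", "https://bi.temp.com"):
        spn, ok = check_url(url)
        print("%-28s -> %-24s %s" % (url, spn, "registered" if ok else "MISSING"))
```

Run the same check against the real `setspn -L <account>` output after adding http/bi.temp.com to confirm the fix took.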