Forum Discussion
balaaj_217997
Nimbostratus
Nimbostratusf5 and Kerberos SSO sap BI
Hi We are using F5 load balancer and we enable kerberos sso . Its works like a charm with direct link . However its not working with f5 Dns name bi.temp.com Full url is https://bi.temp.com Service user. Sapuser Direct url. Domain. Xyz.com Spn Setspn -a http/biserver sapuser Setspn -a http/biserver.xyz.com sapuser Setspn -a http/biserver2 sapuser Setspn -a http/biserver2.xyz.com sapuser Setspn -a http/bi.temp.com
Its prompting for username and password
Any inputs
- Kevin_Stewart
Employee
So which SPN/FQDN is working and which is not? Have you configured the browser to allow Kerberos auth to these other URLs?
balaaj_217997spn for f5 ie is http/bi.temp.com is not working.
we have added the https://bi.temp.com in trusted sites. is there any other configuration to be performed on browser to allow kerberos?
- Kevin_Stewart
You need to put the URl in IE's Local Intranet sites list. Otherwise I'm assuming you have
-
Created an AD account, added the SPN (http/bi.temp.com) and exported a keytab.
-
Imported that keytab to an APM Kerberos AAA.
-
Configured the access policy with a 401 agent with negotiate enabled and a negotiate branch that flows into a Kerberos Auth agent.
The best way to troubleshoot client side Kerberos issues is to:
-
Enable debug logging for APM. Look for anything that says "kerberos" or "gssapi".
-
Capture the client's requests to the KDC with WireShark, and HTTP requests to APM. You should the entire process here, what (and if) the client requests a ticket for, and what it sends to the VIP.
-
- balaaj_217997
Hi Kevin,
Thanks for your reply. I checked with network team and they informed they are not using APM .
They are using f5 only for load balancing
Let us know if something changes has to be performed
Thanks
Stanislas_Piro2Cumulonimbus
Hi,
if you want only to enable Kerberos on servers and load balance it with F5, you need to:
- create an AD account with SPN HTTP/bi.temp.com
- set IIS to start with this account
- define a DNS PTR of the Virtual IP with value : bi.temp.com
read the following Microsoft page :
https://technet.microsoft.com/en-us/library/dd632778.aspx
- balaaj_217997
Hi,
Thanks for reply.
The kerberos based spn is completed for sapBO which runs on the tomcat server.
tomcat1 url tomcat2 url
f5 url https://bi.temp.com
currently when i understand from the network team f5 just redirects the URL and authentication happens on tomcat url.
Issue is SSO working perfectly for tomcat1 url and tomcat2 url. through load balancer SSO doesnt work and it asks for username and password.
network team informed no configuration to be done on f5. They informed they are not using APM.
Please let us know if specific activities to be performed on f5 ? if yes please provide link
imvinod_245290Hi Balaaj, did you find success in setting up the F5 with Kerberos. We are also trying to setup the same i.e. use F5 only for load balancing and pass the kerberos traffic through the F5.
- Kevin_Stewart
If you're not using APM, what are you referring to when you say "SSO"?
Since you're not using APM to handle the Kerberos traffic, then you're simply passing the Kerberos traffic through the VIP. The issue I think you're seeing is that the client is attempting (and most likely failing) to request a ticket for the external URL (bi.temp.com). A browser will derive the servicePrincipalName (SPN) for a Kerberos request from the FQDN in the requested URL. If the backend server's SPN is http/biserver, then the client is simply passing a ticket for the wrong SPN (or no ticket at all if http/bi.temp.com doesn't exist in the realm). In order for pass-through Kerberos to work, the external FQDN must match the internal (target) SPN. The easiest way to achieve that may be to add a new SPN to the account for http/bi.temp.com.
