Forum Discussion
Help with APM Kerberos to IIS Server
Hi,
I want to set up F5 APM with Kerberos, so users can connect to multiple destination IIS servers in the back-end that require (Negotiate:)Kerberos authentication. Testing for 1 virtual server, but needed for multiple hostnames & virtual servers.
I am using the following approach for a seamless logon (no login pop-ups). Computers are members of the domain, and so are the IIS servers.
- Kerberos Authentication with End-User Logons https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/9.html.
- This one I found interesting and it seems to resemble the explanation in https://www.youtube.com/watch?v=NDFJ7m8iaPA.
- Working with the HTTP 401 Response resembles how IIS handles the Negotiate.
- Configuration https://www.youtube.com/watch?v=CuROO2Qpllg.
As I am no Kerberos specialist, working with these SPNs is difficult.
DNS is properly set up with A & PTR records.
The virtual server has a DNS name f5internalqa201.domain.local
This has a CNAME for the web application: bi-reports.domain.local
I have a user usr_f5intqa_kerb that can be used to create a keytab file.
I'm running version 16.1.4.2
What SPN & ktpass config is needed?
setspn ..
ktpass ..
Where do I use the 'hostname'? Where do I use the CNAME?
Thanks!!