For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jspiglerj2rsolves's avatar
jspiglerj2rsolves
Icon for Nimbostratus rankNimbostratus
May 06, 2016

KCD SmartCard Two Domains Same Forest Users in both

Afternoon all,

 

Have a KCD APM question.

 

I have successfully been able to setup KCD in a singe domain instance. Both the resource the client is accessing, the F5 KCD account and the clients account is in the same domain. Lets call it Domain A in Forest A. Now, I need to allow a client in Domain B, which is a child domain of Domain A access to the same resource in Domain A, again all within Forest A. The environment is at a 2008 R2 level so credential delegation does not cross domain boundaries. My KCD service account for F5 is in Domain A. Another thing, both clients in Domain A and Domain B share the same UPN suffix on their Smart Cards. Lets say @contoso.com. This is essentially the enterprise wide standard for authentication. NO USERNAME/PASSWORD. This suffix does not exist as a domain space for either Domain A or Domain B. Lets say Domain A's domain space is SOMETHING.COM and Domain B is EXT.SOMETHING.COM.

 

I have setup my VPE Policy to use an Active Directory Trusted Domains object which works great to query and verify the account exists in either domain. The problem I am running into is how to setup SSO so I can get a S4U Proxy TGT for accounts in either domain. Again, the resource and F5 KCD service account exist in Domain A SOMETHING.COM. I have tried to setup Multiple Domain SSO for my Policy in APM but to no avail.

 

Any and all help would be great!

 

Thanks

 

application delivery
BIG-IP Access Policy Manager (APM)

3 Replies

  • jspiglerj2rsolves's avatar
    jspiglerj2rsolves
    Icon for Nimbostratus rankNimbostratus
    May 06, 2016
    Also for all for all intents and purposes, the service we are accessing is app1.something.com.
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 07, 2016

    You're actually talking about a Kerberos "extension" referred to as "Canonical Referral". It's like a CNAME process for Kerberos. In any case, APM Kerberos doesn't follow these referrals today, so you have to tell it exactly which domain the user belongs to. This is complicated by the fact that your smartcard UPN doesn't match any single domain. So basically what you need to do is this:

     

    1. Insert an LDAP Query in the VPE that queries the domain(s) or GC. You need to extract the user's real domain and their sAMAccountName.

       

    2. Use the sAMAccountName and user's real domain as the Kerberos SSO input username and domain session values.

       

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 09, 2016

    This doesn't have anything to do with delegation. You simply cannot "chase" a referral to the correct domain, assuming you didn't already know what it was. If you're specifying the correct domain in the SSO then you don't have to chase a referral. Coincidentally, if the UPN domain doesn't match the real domain name, then it also involves referrals, which is why you'd use the sAMAccountName instead.