Kerberos Authenication cross multiple domains

Question

Hi there,&nbsp;
I'm having a hard time getting kerberos to work a cross multiple domains (two way trust)
Version of APM 11.5&nbsp;
Within a domain Kerberos Authentication works fine but when I attempt to access resource from another domain it's failing&nbsp;
My setup is something like this&nbsp;
trusteddomain.local
untrusteddomain.local&nbsp;
SPN and all kerberos setting were created in unstrusted domain&nbsp;
I did the following steps to implement it (maybe it will help somebody else as well)&nbsp;
On the untrusted domain&nbsp;
setspn -U -A HTTP/internal.something.org f5kerberos 
ktpass -princ HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL -mapuser f5kerberos@UNTRUSTEDDOMAIN.LOCAL -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass supersecret -out C:\f5kerberos&nbsp;
On F5&nbsp;
AAA Server&nbsp;
Auth Realm: UNTRUSTEDDOMAIN.LOCAL
Service name: HTTP
Principal:  HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL&nbsp;
SSO Config&nbsp;
Kerberos Realm: UNTRUSTEDDOMAIN.LOCAL
Account name: f5kerberos
Account password supersecret&nbsp;
Access policy&nbsp;
HTTP 401 response&nbsp;
basic+negotiate&nbsp;
Basic Auth Realm: MHPSHP.LOCAL&nbsp;
On negotiate - kerberos - sso - allow&nbsp;
Evertyhing works fine from untrusteddomain but doesn't work from trusteddomain.&nbsp;
I tried implementing NTLM Auth and it was failing as well. My main point is to get seamless authentication for the user and the use form based sso to login to some other web apps&nbsp;

matt_dierick · Answer

Hi, I don't know if my doc can help you.
I did a lab with 2 forests, 2 domains. One domain for users and one domain for ressources.&nbsp;
https://app.box.com/s/4r4jbaki06m3vnyhv5nx&nbsp;
Hope this help.&nbsp;

drugovm_149811 · Answer

Thank you. I went over document and I see that in the access policy you are not calling kerberos authentication for seamless login. You are using form for user credentials that then passing over to KDC to get the ticket and then passing over to sso&nbsp;
This kind of setup works in my setup but my main point is to implement seamless login for the end users and be able to manipulate user credentials&nbsp;

davo_t_20783 · Answer

Looks like you have found limitation for constrained delegation in cross forest trust:&nbsp;
See Microsoft DS team answer in this post: &nbsp;
http://social.technet.microsoft.com/Forums/en-US/f47b10c6-f546-49b4-9bff-4ef534297675/crossforest-kerberos-authentication-delegation-of-client-credentials?forum=winserverDS&nbsp;

drugovm_149811 · Answer

I'm scratching Kerberos all together. Sharepoint is already setup to accept ntlm from second domain&nbsp;

Forum Discussion

Kerberos Authenication cross multiple domains

4 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Does F5 Rules for AWS WAF - Common Vulnerabilities & Exposures Mitigate Log4J vulnerabilities

Credentialed Scanning - F5OS - Rseries

WebSocket connection to 'wss://...' failed: Invalid frame header

f5 asm reporting aggregate

rSeries 4600 additional Core Enable

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Double Trouble: Multiple Controllers Handling the Same Kubernetes LoadBalancer Service

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS