Forum Discussion
Kerberos authentication on the F5 APM not working
SAML and AD query is working fine. Again, at the last end we are getting a prompt for login in the application. That will happen automatically with Kerberos.
Good to hear it's mostly working fine. Because you're using a federated login type, APM does not obtain the user's password in the flow. This means that you need to use federated SSO.
To avoid login prompts, you'll have to choose between:
1- Make sure all clients are domain-joined and domain-logged-in and have your AD Web sites in "Trusted Sites" so that the clients' browsers will automatically present Kerberos tickets to servers when challenged. This type of setup does not require any APM config at all because it's 100% handled by Windows. I'm fairly sure Mac clients won't work this way.
2- Use Kerberos S4U. In this mode, APM will automatically negotiate federated logins for each logged-in user based on the service account. This is a VERY common usage of APM.
How to set up S4U / Constrained Delegation:
https://my.f5.com/manage/s/article/K43063049
Troubleshooting S4U / Constrained Delegation:
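
A check of the delegation service account that option 2 depends on, as an added example that is not part of the original reply or of F5's documentation. It assumes classic (account-based) constrained delegation with protocol transition; the function name, the sample account and all SPNs are constructed for illustration.

```powershell
# Added example: checks the AD attributes that Kerberos constrained delegation
# with protocol transition (S4U2Self + S4U2Proxy) relies on.
function Test-S4UDelegationAccount {
    param(
        [Parameter(Mandatory)] $Account,            # from Get-ADUser, or a constructed sample
        [Parameter(Mandatory)] [string] $BackendSpn # SPN of the application behind APM
    )
    $findings = @()
    $uac = [int]$Account.userAccountControl

    # The service requests S4U2Self tickets under its own SPN.
    if (-not $Account.servicePrincipalName) {
        $findings += 'No servicePrincipalName on the delegation account'
    }
    # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION ("Use any authentication protocol").
    # Needed here because the user authenticated with SAML, not Kerberos.
    if (-not ($uac -band 0x1000000)) {
        $findings += 'Protocol transition is not enabled'
    }
    # 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained): broader than S4U needs.
    if ($uac -band 0x80000) {
        $findings += 'Unconstrained delegation is enabled; restrict to specific services'
    }
    # S4U2Proxy only issues tickets for SPNs listed in msDS-AllowedToDelegateTo.
    $allowed = @($Account.'msDS-AllowedToDelegateTo')
    if ($allowed -notcontains $BackendSpn) {        # comparison is case-insensitive
        $findings += "Backend SPN '$BackendSpn' is not in msDS-AllowedToDelegateTo"
    }
    $findings
}

# Constructed sample account. In a domain, build $Account with:
#   Get-ADUser <account> -Properties servicePrincipalName, userAccountControl, msDS-AllowedToDelegateTo
$sample = [pscustomobject]@{
    servicePrincipalName       = @('host/apm-sso.example.com')
    userAccountControl         = 0x10200   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    'msDS-AllowedToDelegateTo' = @('http/intranet.example.com')
}
Test-S4UDelegationAccount -Account $sample -BackendSpn 'http/app.example.com'
```

An empty result means the account attributes are consistent with S4U delegation to that backend SPN; each returned string names one attribute to correct.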