Forum Discussion
Kerberos authentication without any direct access to the Kerberos server?
Hi,
I have a question regarding configuration of Kerberos AAA.
In the following link, it would seem like there is no direct traffic going from the BIG-IP to the Kerberos server: Kerberos authentication
Given that the client can talk to both the Kerberos server and the BIG-IP virtual server / APM, can we have no connection between the Kerberos server and the DMZ BIG-IP and still be able to authenticate users?
Also, is it possible to forward this ticket to load balanced services / webtop urls for seamless authentication?
1 Reply
- Kevin_Stewart
Employee
it would seem like there is no direct traffic going from BigIP to the kerberos server
That is absolutely correct. The purpose of creating the domain user account and running the ktpass command is to derive a keytab file. The keytab will contain an encryption key that is "assigned" to a specific SPN value. When you create the Kerberos AAA, you assign that keytab file to it, such that when a client requests a ticket for the APM-based service (by its recognized SPN), the keytab should be able to decrypt that ticket. The client-side Kerberos configuration and AAA never has to talk to the KDC directly. So long as the client passes a Kerberos ticket for the right SPN, the Kerberos Auth agent will validate that based on its ability to decrypt. A successful client-side Kerberos authentication produces two things (among other things):
- A success flag that allows processing to follow the Successful branch: session.kerberos.last.authresult = 1
- The session.logon.last.logonname session variable, e.g. user@domain.com
Also, is it possible to forward this ticket to load balanced services / webtop urls for seamless authentication?
Technically possible, but problematic. This would assume that the services behind the APM VIP were also tied to the same SPN (and encryption key). In lieu of that, you'd generally want to create a Kerberos server side "SSO" configuration for these backend services.
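The trust structure behind the answer above, as an added example that is not part of the original thread and not F5 code: the KDC holds a long-term key for every SPN, a service holds only its own copy (which is what ktpass writes into the keytab), and a ticket is bound to one SPN under that key, so the service can validate it offline and a ticket for APM's SPN is useless to a backend with a different SPN. The real protocol (AP-REQ, AES-encrypted ticket, authenticator, replay cache) is replaced here by HMAC-tagged JSON so only the key distribution is visible; the SPNs and principal are constructed sample values, and the (authresult, logonname) return mirrors the two session variables the reply names.

```python
"""Model of why an APM Kerberos AAA needs no connectivity to the KDC.

Added example, not the page's or F5's code. Simplification: tickets are
HMAC-SHA256-tagged JSON instead of AES-encrypted Kerberos tickets. What
the model keeps faithful is who holds which key: the KDC holds every
service key, each service holds only its own (its keytab), the client none.
"""
import hashlib
import hmac
import json
import os
import time


class KDC:
    """Holds one long-term key per SPN; the KDC's side of every keytab."""

    def __init__(self):
        self._service_keys = {}

    def register_service(self, spn):
        # Equivalent of creating the domain account and running ktpass:
        # a key is derived for the SPN and handed to the service as its keytab.
        key = os.urandom(32)
        self._service_keys[spn] = key
        return key

    def issue_ticket(self, principal, spn, lifetime=300):
        # The client can reach the KDC, so it asks for a ticket for the
        # service's SPN. The ticket is bound to that SPN under that SPN's key.
        body = json.dumps(
            {"spn": spn, "principal": principal, "exp": int(time.time()) + lifetime},
            sort_keys=True,
        ).encode()
        tag = hmac.new(self._service_keys[spn], body, hashlib.sha256).hexdigest()
        return body + b"|" + tag.encode()


class KerberosAuthService:
    """The APM Kerberos AAA: validates tickets with nothing but its keytab key."""

    def __init__(self, spn, keytab_key):
        self.spn = spn
        self._key = keytab_key  # the only secret the service needs; no KDC socket

    def authenticate(self, ticket, now=None):
        """Return (authresult, logonname): (1, principal) on success, else (0, None)."""
        body, _, tag_hex = ticket.rpartition(b"|")
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        try:
            presented = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return 0, None
        if not hmac.compare_digest(expected, presented):
            return 0, None  # wrong key (other SPN) or tampered body
        claims = json.loads(body)
        if claims["spn"] != self.spn:
            return 0, None
        if claims["exp"] < (now if now is not None else time.time()):
            return 0, None
        return 1, claims["principal"]


def demo():
    """Client gets a ticket for APM's SPN; APM validates it offline; a backend
    with a different SPN cannot, and a tampered ticket is rejected."""
    kdc = KDC()
    apm_spn, app_spn = "HTTP/apm.example.com", "HTTP/app1.internal.example.com"  # constructed
    apm = KerberosAuthService(apm_spn, kdc.register_service(apm_spn))
    backend = KerberosAuthService(app_spn, kdc.register_service(app_spn))

    ticket = kdc.issue_ticket("user@DOMAIN.COM", apm_spn)  # constructed principal
    at_apm = apm.authenticate(ticket)                      # (1, 'user@DOMAIN.COM')
    forwarded = backend.authenticate(ticket)               # (0, None): different key/SPN
    tampered = apm.authenticate(ticket.replace(b"user@", b"admin@"))  # (0, None)
    expired = apm.authenticate(ticket, now=time.time() + 3600)        # (0, None)
    return at_apm, forwarded, tampered, expired


if __name__ == "__main__":
    print(demo())
```

The `forwarded` case is the reply's second point: reusing the client's ticket against a backend only works if that backend shares APM's SPN and key, which is why a separate server-side Kerberos SSO (APM obtaining tickets for the backend SPNs itself) is the usual design.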