Forum Discussion
Kerberos client AAA
I need to set up client-side Kerberos AAA for one of the third-party apps. It doesn't need server-side SSO, as the app has its own forms-based authentication managed by the vendor.
So the requirement is: when an internal user hits https://abc.domain.com from an authenticated corporate device, it should be SSO AND check for one group membership and allow access. So what should my request to the AD team look like, and what should my policy be?
3 Replies
- spalande
My requirement is to have Kerberos AAA for 2 different sites. So do we need to create 2 different keytab files (with SPNs HTTP/sitea and HTTP/siteb), and do we also need 2 different service accounts?
- Andy_McGrath
First check out the following article, APM Cookbook: Single Sign On (SSO) using Kerberos, which is a great guide to getting Kerberos working with APM and one I have used several times.
As you will see, most of the work to get this working is actually on the Windows server side and not on the F5.
With regards to the two different sites, it depends on your AD setup: if you have two different AD domains each running Kerberos, then you will likely need to do the setup twice with two service accounts.
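To make the "AD request" part of the original question concrete, here is an added example (not from the thread, the cookbook article or F5) of the Windows-side work Andy_McGrath refers to: one service account and one HTTP SPN per site, with a separate keytab for each, which is the layout that answers spalande's two-sites question without the two keytabs sharing a password. The domain name DOMAIN.COM / NetBIOS DOMAIN, the hostnames abc.domain.com and def.domain.com, the account names svc-apm-abc / svc-apm-def and the OU path are all assumed placeholders; substitute your own. The script uses only standard AD cmdlets and the ktpass / setspn tools and must be run as a domain admin on a domain-joined host.

```powershell
# Added example: AD-side Kerberos setup for two APM-protected sites.
# Assumed names (replace with your own): realm DOMAIN.COM, NetBIOS DOMAIN,
# hosts abc.domain.com / def.domain.com, OU=ServiceAccounts,DC=domain,DC=com.
Import-Module ActiveDirectory

$Realm   = 'DOMAIN.COM'   # Kerberos realm = AD DNS domain name, UPPER CASE
$NetBIOS = 'DOMAIN'
$OU      = 'OU=ServiceAccounts,DC=domain,DC=com'

# One service account per site so that each keytab has its own key and
# rotating or revoking one site never breaks the other.
$Sites = @(
    @{ Host = 'abc.domain.com'; Account = 'svc-apm-abc' },
    @{ Host = 'def.domain.com'; Account = 'svc-apm-def' }
)

foreach ($s in $Sites) {
    $spn = "HTTP/$($s.Host)"

    # 1. SPNs must be unique in the forest. A duplicate HTTP/<host> on some
    #    other account silently breaks Kerberos for both; check before creating.
    $q = setspn -Q $spn
    if ($q -match 'Existing SPN found') {
        throw "SPN $spn is already registered:`n$($q -join "`n")"
    }

    # 2. Random alphanumeric password (alphanumeric only so it passes through
    #    ktpass unquoted). The same value must be given to ktpass below, since
    #    the keytab key is derived from it.
    $chars = (48..57) + (65..90) + (97..122)
    $pw = -join ($chars | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force

    # 3. Service account: no interactive use, password never expires (it is a
    #    machine secret held in the keytab), AES only so RC4 is never negotiated.
    New-ADUser -Name $s.Account -SamAccountName $s.Account -Path $OU `
        -AccountPassword $secure -Enabled $true -PasswordNeverExpires $true `
        -Description "Kerberos service account for APM: $spn"
    Set-ADUser -Identity $s.Account -KerberosEncryptionType AES256 `
        -ServicePrincipalNames @{ Add = $spn }

    # 4. Export the keytab. ktpass /mapuser also (re)sets the account password
    #    and rewrites its UPN to the principal name, so run it exactly once
    #    per account and hand the resulting file to the F5 over a secure channel.
    ktpass /princ "$spn@$Realm" /mapuser "$NetBIOS\$($s.Account)" /pass $pw `
        /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out "$($s.Account).keytab"

    # 5. Verify what was written back to AD before sending anything to the F5 team.
    Get-ADUser -Identity $s.Account `
        -Properties ServicePrincipalNames, KerberosEncryptionType, PasswordNeverExpires |
        Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames,
                      KerberosEncryptionType, PasswordNeverExpires
}
```

A useful end-to-end check from any domain-joined corporate workstation is `klist get HTTP/abc.domain.com`: if the KDC issues a service ticket for that SPN, the AD side is done and whatever remains is on the APM policy side (the Kerberos Auth agent and the group-membership check described in the cookbook article above). If `klist` fails with a "principal unknown" style error, the SPN is missing or registered on the wrong account, and the AD request needs to be revisited before touching the F5.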
- youssef1
Hi spalande,
I do not think that's the way to go (in terms of configuration optimization and evolution).
I advise you to follow my guidance: you can use SAML by creating a unique IdP that will allow you to federate all your authentications. So you will need to create only one keytab, and in the future, if you have an additional application, you will just bind this application to your IdP.
So first create your IdP: - example: sso.mydomaing.com (create an A record for this VIP). - ...
https://clouddocs.f5.com/training/community/iam/html/class1/kerberos.html
Please keep me in touch if you need help creating the IdP and binding it to the SP. But in all cases, before going ahead with SAML, validate that you have deployed Kerberos auth correctly in your VS.
Regards