Forum Discussion
Gerald_Meese
Cirrus
CirrusKerberos Constrained Delegation to Linux backend
Hello,
We are struggling with APM to perform Kerberos SSO toward an SAP system running on Linux, using this DG as ref : https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf.
We find this in the APM log : 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/sapxxx.domain.com@DOMAIN.COM - Requesting ticket can't get forwardable tickets (-1765328163)
As far as we understand the message this could be due to the fact that we are currently using "Trust this user for delegation to any service (Kerberos only)" in the delegation properties of the service account, when we should use "Trust this user for delegation to specified services only" > "Use any authentication protocol". But this doesn't work out of the box as the Linux backend is obviously not available in the AD to be added there. We tried to add a computer object for it but that doesn't help.
So our question is : how can we configure the delegation to the Linux SAP backend ?
Thanks in advance for your help :-)
Stanislas_Piro2Cumulonimbus
Hi,
I don't know how to configure it on SAP backend, but here is the procedure to configure an apache with Kerberos auth working with APM (Powershell):
Apache Kerberos configuration (Powershell)Create the Apache kerberos account
New-ADUser -Name "APACHE2 Kerberos Authentication Account" -UserPrincipalName svc_ap2_krb_auth@demo.local -SamAccountName "svc_ap2_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)Create a Service Principal Name attribute for this account
Set-AdUser -Identity svc_ap2_krb_auth -ServicePrincipalNames @{Add="host/srv-web.demo.local"}Create the kerberos key used to decrypt kerberos tokens
Then the delegation account is created with these commands (Powershell):ktpass -princ HTTP/srv-web.demo.local@DEMO.LOCAL -mapuser svc_ap2_krb_auth@demo.local -crypto all -ptype KRB5_NT_PRINCIPAL -pass P@ssw0rd -out c:\svc_ap2_krb_auth.keytabCreate the F5 delegation account
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)Create a Service Principal Name attribute for this account (mandatory to request kerberos ticket for another user)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}Assign the delegation right to the site app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/srv-web.demo.local"}Change delegation right to mode : Trust this user for delegation to specific service only / Use any authentication Protocol
In F5 APM, create the Kerberos SSO Profile (tmsh)Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $trueWeb App pool kerberos SSO
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
kunjanNimbostratus
Need to join domain to do kerberos SSO.