Kerberos Constrained Delegation to Linux backend
Hi,
I don't know how to configure it on SAP backend, but here is the procedure to configure an apache with Kerberos auth working with APM (Powershell):
Apache Kerberos configuration (Powershell)Create the Apache kerberos account
New-ADUser -Name "APACHE2 Kerberos Authentication Account" -UserPrincipalName svc_ap2_krb_auth@demo.local -SamAccountName "svc_ap2_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Create a Service Principal Name attribute for this account
Set-AdUser -Identity svc_ap2_krb_auth -ServicePrincipalNames @{Add="host/srv-web.demo.local"}
Create the Kerberos key (keytab) used to decrypt Kerberos tokens
ktpass -princ HTTP/srv-web.demo.local@DEMO.LOCAL -mapuser svc_ap2_krb_auth@demo.local -crypto all -ptype KRB5_NT_PRINCIPAL -pass P@ssw0rd -out c:\svc_ap2_krb_auth.keytab
Then the delegation account is created with these commands (PowerShell):
Create the F5 delegation account
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Create a Service Principal Name attribute for this account (mandatory to request a Kerberos ticket on behalf of another user)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
Assign the delegation right to the site app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/srv-web.demo.local"}
Change the delegation right to the mode: Trust this user for delegation to specific services only / Use any authentication protocol
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
In F5 APM, create the Kerberos SSO Profile (tmsh)
Web App pool Kerberos SSO
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
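As an added verification script (not part of the original post or an F5 tool), the following PowerShell checks that a delegation account ends up in the state the procedure above describes: unconstrained delegation off, protocol transition on, an SPN registered, and msDS-AllowedToDelegateTo limited to exactly the expected backend SPNs. The account and SPN names are the ones from the post; the function name Test-ConstrainedDelegation is assumed.

```powershell
# Audit a Kerberos constrained delegation (KCD) account against an expected
# allow-list of backend SPNs. Added example; account/SPN names are assumed
# to match the procedure above (svc_f5_krb -> http/srv-web.demo.local).
Import-Module ActiveDirectory

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $DelegationAccount,
        [Parameter(Mandatory)] [string[]] $ExpectedTargets
    )
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'
    $acct = Get-ADUser -Identity $DelegationAccount -Properties $props
    $problems = @()

    # Unconstrained delegation must stay off; the post only enables
    # constrained delegation with protocol transition.
    if ($acct.TrustedForDelegation) {
        $problems += 'unconstrained delegation (TrustedForDelegation) is enabled'
    }
    if (-not $acct.TrustedToAuthForDelegation) {
        $problems += 'protocol transition (TrustedToAuthForDelegation) is not enabled'
    }
    # Without an SPN the account cannot request tickets for other users.
    if (-not $acct.ServicePrincipalNames) {
        $problems += 'no ServicePrincipalName registered on the account'
    }

    # The allowed delegation targets must match the expected set exactly;
    # any extra SPN widens what a compromised delegation account can reach.
    $actual   = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ } |
                  ForEach-Object { $_.ToLower() } | Sort-Object)
    $expected = @($ExpectedTargets | ForEach-Object { $_.ToLower() } | Sort-Object)
    foreach ($d in (Compare-Object -ReferenceObject $expected -DifferenceObject $actual)) {
        if ($d.SideIndicator -eq '=>') {
            $problems += "unexpected delegation target: $($d.InputObject)"
        } else {
            $problems += "missing delegation target: $($d.InputObject)"
        }
    }

    [pscustomobject]@{
        Account   = $DelegationAccount
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Check the APM delegation account from the procedure above.
Test-ConstrainedDelegation -DelegationAccount 'svc_f5_krb' `
    -ExpectedTargets @('http/srv-web.demo.local') | Format-List
```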