Forum Discussion
Kerberos delegation on 11.5.3
A couple of things:
- The Kerberos delegation function that you're referring to is an artifact of the old ACA (advanced client authentication) module that has been deprecated. You may have it in 11.5 because you licensed it with an older version and upgraded, but that product will cease to exist very soon.
"By Kerberos delegation I mean end-to-end kerberos authentication from the end-user browser down to the application server through the BigIp"
- That isn't delegation, it's just pass-through. Delegation is where a client would pass its forwarding ticket to another service that then requests Kerberos tickets on its behalf. That's what APM would give you and what the old ACA Kerberos delegation would have given you.
For end-to-end (non-delegated) Kerberos to work through the BIG-IP, you have to consider that the client is going to be fetching the ticket to the (backend) services on its own. A client browser will use the FQDN in the URL as the servicePrincipalName to request, so if the VIP's URL is www.example.com and the backend server's SPN is internal.domain.com, then the browser is going to attempt (and probably fail) to get a ticket for www.example.com. Long story short, in order to do Kerberos pass-through, the external VIP FQDN must match the correct internal SPN.
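A small check for the SPN point made above, added here as an example and not code from the post or from F5: it derives the SPN a browser will request from the URL host and compares it against the SPNs the backend holds. The VIP URL and backend SPNs are constructed placeholders; port handling varies by browser and policy, so this check uses the bare hostname only.

```python
from urllib.parse import urlsplit

# Constructed sample values (placeholders, not real hosts): the URL the user
# browses to on the VIP, and the SPNs registered for the backend in AD.
VIP_URL = "https://www.example.com/app/"
BACKEND_SPNS = ["HTTP/internal.domain.com", "HTTP/app01.internal.domain.com"]


def browser_spn(url: str) -> str:
    """SPN a browser asks the KDC for: the HTTP service class plus the host
    part of the URL, as described in the reply. Lower-cased for comparison;
    the port is ignored (assumption: browser-specific behaviour)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host.lower()}"


def passthrough_ok(url: str, backend_spns: list[str]):
    """Return (ok, requested_spn, matching_spns). Pass-through works only when
    the SPN the browser requests is one the backend's account actually holds."""
    requested = browser_spn(url)
    matches = [s for s in backend_spns if s.lower() == requested.lower()]
    return bool(matches), requested, matches


def diagnose(url: str, backend_spns: list[str]) -> str:
    """Human-readable verdict for a VIP URL against the backend's SPN list."""
    ok, requested, _ = passthrough_ok(url, backend_spns)
    if ok:
        return f"OK: browser will request {requested}, which the backend holds"
    return (f"MISMATCH: browser will request {requested} but backend holds "
            f"{', '.join(backend_spns)}; the VIP FQDN must match an SPN the "
            f"backend service account owns")


if __name__ == "__main__":
    print(diagnose(VIP_URL, BACKEND_SPNS))
    print(diagnose("https://internal.domain.com/", BACKEND_SPNS))
```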