Forum Discussion
Kerberos multi-hop supported in APM
Hi John,
You can mix a classic Kerberos Delegation (as defined in RFC1510) on the first hop and then use Kerberos Constrained Delegation on the second hop, to delegate the user credentials to a third hop.
But you cannot mix Kerberos Constrained Delegation on the first hop with classic Kerberos Delegation on the second hop. It will simply fail, since the second hop does not get a forwardable TGT from the first hop to perform a classic Kerberos Delegation to the third hop.
Since the F5 performs a Kerberos Constrained Delegation with Protocol Transition on the first hop, you have to make sure that every subsequent hop uses the same mode. As long as each hop uses this mode, you can delegate the credentials to as many chained hops as you like. There is no limitation...
Note: If you experience any authentication problems between two hops in your chain, then just check the applications and the Kerberos settings of the involved hops, since Protocol Transition completely detaches the incoming and outgoing authentication on each individual hop without having any relationship to previous hops...
Cheers, Kai
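
The per-hop check described in the post above, as an added example that is not part of the original reply or of any F5 code: it classifies each hop's service account from its `userAccountControl` flags and `msDS-AllowedToDelegateTo` values and flags a classic-delegation hop that follows a constrained one. The account names, SPNs, attribute values and function names are constructed for illustration, and the attribute values are assumed to have been read from Active Directory already.

```python
# Added example: classify each hop's AD delegation mode and apply the chain
# rule from the post. All account names and attribute values are constructed.
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl: classic (unconstrained) delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition allowed

def delegation_mode(uac, allowed_to_delegate_to):
    """Return 'classic', 'kcd-pt', 'kcd' or 'none' for one service account."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "classic"
    if allowed_to_delegate_to:  # msDS-AllowedToDelegateTo: permitted target SPNs
        return "kcd-pt" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "kcd"
    return "none"

def audit_chain(hops):
    """hops: ordered (name, uac, allowed_spns) for every hop that delegates onwards.
    Returns findings; an empty list means no conflict with the post's rule."""
    findings = []
    prev_name, prev_mode = None, None
    for name, uac, spns in hops:
        mode = delegation_mode(uac, spns)
        if mode == "none":
            findings.append(f"{name}: no delegation configured, cannot pass credentials on")
        elif mode == "classic" and prev_mode in ("kcd", "kcd-pt"):
            findings.append(f"{name}: classic delegation after constrained hop "
                            f"{prev_name}; no forwardable TGT arrives from that hop")
        prev_name, prev_mode = name, mode
    return findings

# Constructed sample chains (0x200 = NORMAL_ACCOUNT).
CHAIN_ALL_KCD_PT = [
    ("svc-apm", 0x1000200, ["HTTP/web.example.test"]),
    ("svc-web", 0x1000200, ["MSSQLSvc/db.example.test:1433"]),
]
CHAIN_KCD_THEN_CLASSIC = [
    ("svc-apm", 0x1000200, ["HTTP/web.example.test"]),
    ("svc-web", 0x80200, []),
]
CHAIN_CLASSIC_THEN_KCD = [
    ("svc-front", 0x80200, []),
    ("svc-web", 0x200, ["MSSQLSvc/db.example.test:1433"]),
]

if __name__ == "__main__":
    for label, chain in [("all KCD+PT", CHAIN_ALL_KCD_PT),
                         ("KCD then classic", CHAIN_KCD_THEN_CLASSIC),
                         ("classic then KCD", CHAIN_CLASSIC_THEN_KCD)]:
        print(label, "->", audit_chain(chain) or "ok")
```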