Forum Discussion
Kerberos Question
Technically speaking, APM Kerberos SSO (server side) employs Kerberos Protocol Transition (KPT - S4U2Self) and Kerberos Constrained Delegation (KCD - S4U2Proxy). APM uses an account in the realm as a delegation anchor. A Kerberos AS_REQ is generated for this delegation account to get a TGT. The first TGS_REQ is the S4U2Self to get a delegated TGT for the user, and the second TGS_REQ is the S4U2Proxy KCD request for a ticket to the target service.
The SPN of the target pool member can be derived in one of three primary ways:
- By default APM Kerberos SSO will perform a reverse DNS lookup into the realm with the chosen pool member's IP address. The returned name is then crafted into an SPN value (assuming the local system "owns" the web service).
- A "SPN pattern" can be applied to the APM Kerberos SSO profile to circumvent the above lookup for a statically defined string value (ex. HTTP/target-service.domain.com@DOMAIN.COM).
- You can use a wildcard in the SPN pattern field to either derive the hostname from the incoming host name - %h, or from a local Hosts entry based on the pool member IP address - %s (ex. HTTP/%s@DOMAIN.COM).
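The three SPN derivation paths described in the answer above, worked through as an added example that is not part of the original post or of F5's own code: the reverse-DNS table, the local hosts table, the `HTTP` service class assumed for the default path, and the port-stripping of the incoming host name are all constructed assumptions, and the resulting SPN is sanity-checked as `service/host@REALM` before it would be handed to the S4U2Proxy request.

```python
"""Derive the SPN APM would request via S4U2Proxy for a chosen pool member."""
import re

# Constructed lookup tables standing in for a real reverse-DNS zone and a
# real local Hosts file (not taken from any live system).
REVERSE_DNS = {"10.0.0.5": "app01.corp.example.com"}
LOCAL_HOSTS = {"10.0.0.5": "app-alias.corp.example.com"}

# Minimal shape check: service/host@REALM, realm upper-case.
SPN_RE = re.compile(r"^[A-Za-z]+/[a-z0-9.-]+@[A-Z0-9.-]+$")


def derive_spn(realm, pool_member_ip, incoming_host=None, spn_pattern=None,
               reverse_dns=REVERSE_DNS, local_hosts=LOCAL_HOSTS):
    """Return the SPN for the target service, following the three paths:
    no pattern -> reverse DNS on the pool member IP (HTTP class assumed);
    static pattern -> used as-is; pattern with %h -> incoming host name;
    pattern with %s -> local Hosts entry for the pool member IP."""
    if spn_pattern is None:
        name = reverse_dns.get(pool_member_ip)
        if name is None:
            # A failed reverse lookup means no SPN can be built; fail closed.
            raise LookupError(f"no PTR record for {pool_member_ip}")
        spn = f"HTTP/{name}@{realm}"
    else:
        spn = spn_pattern
        if "%h" in spn:
            if not incoming_host:
                raise ValueError("%h pattern requires an incoming host name")
            # Assumption: drop any :port suffix from the Host header value.
            spn = spn.replace("%h", incoming_host.split(":")[0].lower())
        if "%s" in spn:
            name = local_hosts.get(pool_member_ip)
            if name is None:
                raise LookupError(f"no Hosts entry for {pool_member_ip}")
            spn = spn.replace("%s", name.lower())
    if not SPN_RE.match(spn):
        raise ValueError(f"malformed SPN: {spn!r}")
    return spn


if __name__ == "__main__":
    print(derive_spn("CORP.EXAMPLE.COM", "10.0.0.5"))
    print(derive_spn("CORP.EXAMPLE.COM", "10.0.0.5",
                     incoming_host="portal.corp.example.com:443",
                     spn_pattern="HTTP/%h@CORP.EXAMPLE.COM"))
```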