Forum Discussion
Kerberos Question
Ah, good questions.
So first of all, you need at least TWO accounts in the domain/realm - the "delegator" (that which you delegate from) and the "delegatee" (that which is delegated to). The first is nothing more than a user account given a servicePrincipalName (SPN) attribute, and the second is the target, the web server.

Any form of Kerberos delegation implies that one service is delegating to another service on behalf of another party (usually the user). For instance, simple forwarding delegation allows a user to authenticate to a Kerberos-based SQL server behind a Kerberos-based SharePoint server without having direct access to or even knowledge of the SQL server. The user authenticates to SharePoint and then gives SharePoint the authority to request Kerberos tickets to other services (with constrained limits). In this case the user requests two TGTs - the TGT it uses to request a ticket for services directly (the SharePoint server), and a forwarding TGT - the TGT it gives to SharePoint to allow it to request tickets on the user's behalf.

In the case of APM, as a full proxy it is always the case that the client cannot send a forwarding TGT through APM, so you need another kind of Kerberos delegation called service for user to self (S4U2Self), also called Kerberos Protocol Transition. This allows the service providing the delegation to not only delegate to other services, but also authenticate and fetch an original TGT on behalf of the real user (who cannot otherwise perform this function). As it turns out, the RFCs mandate that KPT always involves KCD (constrained delegation), and for good reason, so that's why APM does KPT and KCD (S4U2Self and S4U2Proxy). And since APM isn't technically a member of the domain, it needs this delegation account as its "anchor".
On the second question regarding the "Use any authentication method" option, that is Microsoft-speak for Kerberos Protocol Transition. It's always befuddled me why they didn't just say that or at least mention it in the help, but that's what it is and what you need for the delegation account to be able to perform KPT and KCD.
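The setup the reply describes, as an added example (this is not code from the post above or from F5): one PowerShell script that creates the delegation account, gives it an SPN, turns on protocol transition (the checkbox the post calls "Use any authentication method", labelled "Use any authentication protocol" in Active Directory Users and Computers) and adds the web server to the constrained-delegation list, then reads the account back and checks the result. The domain name `example.corp`, the account name `apm-kcd` and the target SPN `HTTP/web01.example.corp` are all assumed placeholders; run it as a domain administrator with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the original post. Configures an APM-style
# delegation account for KPT (S4U2Self) + KCD (S4U2Proxy).
# Hypothetical names: domain example.corp, account apm-kcd, target web01.
Import-Module ActiveDirectory

$Domain       = 'example.corp'
$DelegAccount = 'apm-kcd'
$TargetSpns   = @('HTTP/web01.example.corp', 'HTTP/web01')   # the "delegatee"

# 1. The "delegator": an ordinary user account that APM uses as its anchor.
#    It needs an SPN of its own so the KDC treats it as a service principal.
New-ADUser -Name $DelegAccount -SamAccountName $DelegAccount `
    -UserPrincipalName "$DelegAccount@$Domain" `
    -AccountPassword (Read-Host -AsSecureString "Password for $DelegAccount") `
    -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128, AES256          # no RC4 for this account
Set-ADUser -Identity $DelegAccount `
    -ServicePrincipalNames @{ Add = "host/$DelegAccount.$Domain" }

# 2. Protocol transition (KPT). This is what "Use any authentication protocol"
#    sets: the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl, which
#    lets the account obtain a ticket for an arbitrary user via S4U2Self
#    without ever seeing that user's TGT.
Set-ADUser -Identity $DelegAccount -TrustedToAuthForDelegation $true

# 3. Constrained delegation (KCD). msDS-AllowedToDelegateTo is the allow-list
#    of SPNs the account may obtain tickets for via S4U2Proxy. Keep it to the
#    web server only: whoever holds this account's credentials can impersonate
#    any domain user to every service listed here.
Set-ADUser -Identity $DelegAccount -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# 4. Verify from the directory rather than trusting the UI.
$u = Get-ADUser -Identity $DelegAccount `
    -Properties userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (wanted)
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation (never)

if (($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
    throw "$DelegAccount does not have protocol transition enabled"
}
if (($u.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0) {
    throw "$DelegAccount is configured for unconstrained delegation; fix before use"
}
if (-not $u.'msDS-AllowedToDelegateTo') {
    throw "$DelegAccount has no constrained-delegation targets"
}
"SPNs:        $($u.servicePrincipalName -join ', ')"
"KCD targets: $($u.'msDS-AllowedToDelegateTo' -join ', ')"
```

The two userAccountControl bits are the practical difference between the three delegation flavours: TRUSTED_FOR_DELEGATION alone is unconstrained delegation, an empty msDS-AllowedToDelegateTo with neither bit is no delegation at all, and TRUSTED_TO_AUTH_FOR_DELEGATION plus a populated msDS-AllowedToDelegateTo is the KPT-plus-KCD combination the reply says APM needs. The check at the end is worth keeping in an audit script, because the ADUC delegation tab silently flips the account to unconstrained if someone picks the wrong radio button later.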