Forum Discussion
Kerberos Question
Kerberos Protocol Transition is essentially a form of impersonation. You're providing a mechanism (a Kerberos protocol extension) that allows one service to request and use a user's ticket-granting ticket (TGT) on that user's behalf. KPT is generally used when a client cannot communicate with a KDC directly, and the relevant references, RFC 4120 and MS-SFU, don't explicitly define how that client should actually authenticate. So to that end, there's an inherent security risk if proper client-side authentication isn't performed correctly.
As far as enabling the "Use Any Authentication Protocol" setting, that enables the Kerberos Protocol Transition extension to work for the designated delegation account. It is required for that function and is required for APM Kerberos SSO to work.
Again, the important thing here is that you perform appropriate client-side authentication. Can you elaborate on what your security team is questioning?
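An audit sketch for the setting discussed above, added here as an example and not part of the original post. It takes exported account attributes and reports which accounts have "Use any authentication protocol" set (the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit of `userAccountControl`), which SPNs they may delegate to, and which privileged accounts are not marked "sensitive and cannot be delegated". The account names, SPNs and the `SAMPLE_ACCOUNTS` export are constructed for illustration.

```python
# userAccountControl bits as documented for Active Directory.
UAC_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol"

# Constructed sample export (hypothetical accounts, not taken from the thread).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-apm-sso", "userAccountControl": 0x01000200, "adminCount": 0,
     "msDS-AllowedToDelegateTo": ["HTTP/wiki.example.test", "HTTP/intranet.example.test"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x01000200, "adminCount": 0,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x00000200, "adminCount": 0,
     "msDS-AllowedToDelegateTo": ["cifs/fs1.example.test"]},
    {"sAMAccountName": "da-alice", "userAccountControl": 0x00100200, "adminCount": 1},
    {"sAMAccountName": "da-bob", "userAccountControl": 0x00000200, "adminCount": 1},
]


def protocol_transition_accounts(accounts):
    """Map each account allowed to use protocol transition to its delegation targets."""
    found = {}
    for acct in accounts:
        if acct["userAccountControl"] & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            found[acct["sAMAccountName"]] = sorted(acct.get("msDS-AllowedToDelegateTo", []))
    return found


def impersonable_admins(accounts):
    """Privileged accounts (adminCount=1) that are not flagged as non-delegable."""
    return sorted(
        acct["sAMAccountName"]
        for acct in accounts
        if acct.get("adminCount") == 1
        and not acct["userAccountControl"] & UAC_NOT_DELEGATED
    )


def report(accounts):
    """Build the review lines a security team would read."""
    lines = []
    for name, spns in protocol_transition_accounts(accounts).items():
        targets = ", ".join(spns) if spns else "no targets listed (stale flag, review)"
        lines.append(f"protocol transition: {name} -> {targets}")
    for name in impersonable_admins(accounts):
        lines.append(f"privileged account not marked sensitive: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACCOUNTS)))
```
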