Forum Discussion

Nimbostratus

Oct 01, 2014

Kerberos SSO across External trust

Hello, folks ! We have two domains: contoso.com and example.com they are in two-way external trust. Our web-site in contoso.com and we are trying to provide kerberos SSO for users in example.co...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Oct 01, 2014

There are a few things you need to make cross-domain Kerberos work here:

The account name should be in SPN format. A sAMAccountName becomes ambiguous in cross-domain Kerberos. In the AD delegation account, change the user logon name (userPrincipalName) to the same value as the servicePrincipalName, and then apply this same SPN to the Account Name field in the Kerberos SSO. This SPN should then live in three places.
You must programmatically assert the session.logon.last.domain value for users in the external domain. So for example, if the user is from example.com, you must assign session.logon.last.domain = expr { "EXAMPLE.COM" }.
APM must be able to both resolve and communicate with the remote KDC. Make sure that the F5 can resolve this domain by name and return the IPs of the KDCs, and that these IPs are accessible over TCP and UDP port 88.