For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jban_198207's avatar
jban_198207
Icon for Cirrus rankCirrus
Oct 26, 2017
Solved

Kerberos SSO resource and account not in the same domain

Hi,   We create F5 Service Account in Domain1 as -Host/ -Users are in: domain1.local Web resource is in domain2.local with SPN let say: HTTP/webresource.domain2.local   When I test with kinit a...
application delivery
BIG-IP Access Policy Manager (APM)
  • jban_198207's avatar
    jban_198207
    Nov 04, 2017

    Changed -> Dns_lookup_kdc = true Analaysing packet capture answer was found.

     

    USERDOMAIN.INTERNAL was child domain of INTERNAL and INTERNAL KCD was not allowed on firewall. after allowing INTERNAL KCD, stuff started to work.

     

Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Oct 27, 2017

Hi jban,

 

When using the classic Kerberos Constrained Delegation mode (>=Win2003) you have to create the service account which performs the Kerberos Constrained Delegation in the same AD domain as the service account of the ressource service. But the user could be stored in any trusted domain.

 

When using the Resource-based Kerberos Constrained Delegation mode (>=Win2012) the service account which performs the Kerberos Constrained Delegation, the service account of the ressource service and the user account can be all stored in different domains.

 

https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/

 

Cheers, Kai