Forum Discussion
Kerberos SSO to IIS Web Application
We are trying to implement a clientless solution in which a user which is part of the domain, and accessing a web application from a machine in the same domain, would automatically be authenticated without user intervention.
I know there are lots of articles out there and I have read some tremendous write-ups on how this all works from Kevin Stewart and we believe we have most of the framework in place.
What is happening, it seems, is that a 401 authentication dialog is appearing to the user instead of the client requesting a kerberos ticket from AD and presenting it to the F5 APM to decrypt and process with the installed keytab file.
Specifically this is what I have for configuration:
Web site:
This hostname is represented in DNS and can be resolved both forward/reverse.
Client side accounts:
bill@synacktek.local - my AD domain account logged into a domain machine for testing. HTTP/sso-test.synacktek.local - account used for keytab file creation, imported to the F5, do I need to set kerberos delegation for this?
SSO Side account: HOST/kerberos-server.synacktek.local - SSO account for kerberos. Performed setspn and assigned delegation in AD for this to access web service WINDNS1 (this is where web server is located).
F5 SSO configuration which uses this account:
APM Policy:
Has 401 configured for negotiate, with branch feeding kerberos authentication (client side?) After this I have a couple of message boxes, the kerberos OK feeds a variable assign to help populate the sso side of the proxy configuation.
When connecting to the web URL I always get prompted with the 401 authentication.
I am certainly missing something here but do not know what it is.
Appreciate any help! Thx Bill
- Bill_Kehn_27007Nimbostratus
Output from client:
APM Log (there is not much here although I have everything set to debug):
which browsers have you tried? i believe you need to do something there also, in IE set it as trusted website for example.
- Stephan_Mierau_Historic F5 Account
I would suggest that you do a packet capture and look if the client is fetching a kerberos token and presents it to the APM
- Bill_Kehn_27007Nimbostratus
I am using IE as the browser, I do have the site added as intranet and enable integrated windows authentication is checked.
I do not see any kerberos traffic in my pcap but I do see what appears to be NTLM.
- Bill_Kehn_27007Nimbostratus
Ok made a bunch of progress this evening and I have the aaa "client" side working. I verified that I am getting a kerberos ticket back from AD and then presenting it to APM where it looks like it is decrypting it no problem (I have a green light session now).
Moving on to the SSO side I am having an issue here still that I cannot figure out. This is what I see in the log now:
I will doublecheck my sso config to be sure and might see if I can get a packet capture of the server side process.
-Bill
- Bill_Kehn_27007Nimbostratus
Does the user logon name in AD need to match the reverse DNS of the target IIS pool member?
In other words I have this for the logon name:
My forward and reverse DNS of the pool member IIS server is this:
192.168.210.55 is my pool member of the virtual server.
And my SSO configuration on the F5 reflects this user logon account:
The APM log for sso always shows this:
I do not know why it keeps saying matching credential not found here.
Oh, and if I go against the URL of the internal server directly from a domain machine it does automatically log me on and connect me so I think the IIS side is ok.
-Bill
- Stanislas_Piro2Cumulonimbus
Hi,
when working with kerberos SSO, I use following powershell commands:
Create kerberos SSO account
Add ServicePrincipalName attribute (same as when using setspn command)New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Add delegation to application SPN http/app1.demo.localSet-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
Configure Kerberos delegation parametersGet-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
Then, in APM, I create Kerberos SSO with following tmsh command:
Kerberos SSO for Machine account kerberos SSO
Kerberos SSO for Application Pool account kerberos SSOcreate apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
I these commands, I set 2 variables:
session.krbsso.last.domain =
Session variable session.ad.last.actualdomain
session.krbsso.last.username =
AD Attribute sAMAccountName
Last week I provided powershell commands to a customer to create an AD for training. All trainee configured the LAB successfully!
The user account provided may work in AD forest with single domain. In AD forest with multiple domains, the account name format must be host/svc_f5_krb.demo.local
- CypherCirrus
Can i ask for some clarification?
In the commands below, there is no command for "setspn _ -A HTTP/..." nor the creation of a keytab file. Was that still the case?
Can you use the same config and apply it to different virtual servers (to do APM Kerberos) to different URL's?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com