Forum Discussion
Bill_Kehn_27007
Nov 10, 2017, Nimbostratus
Kerberos SSO to IIS Web Application
We are trying to implement a clientless solution in which a user who is part of the domain, and accessing a web application from a machine in the same domain, would automatically be authenticated w...
Stanislas_Piro2
Nov 14, 2017, Cumulonimbus
Hi,
when working with Kerberos SSO, I use the following PowerShell commands:
Create the Kerberos SSO account
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Add ServicePrincipalName attribute (same as when using setspn command)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
Add delegation to application SPN http/app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
Configure Kerberos delegation parameters
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
Then, in APM, I create the Kerberos SSO objects with the following tmsh commands:
Kerberos SSO for the machine account:
create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
Kerberos SSO for the application pool account:
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
In these commands, I set 2 variables:
session.krbsso.last.domain = session variable session.ad.last.actualdomain
session.krbsso.last.username = AD attribute sAMAccountName
Last week I provided PowerShell commands to a customer to create an AD for training. All trainees configured the lab successfully!
The user account provided may work in an AD forest with a single domain. In an AD forest with multiple domains, the account name format must be host/svc_f5_krb.demo.local.
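The PowerShell steps in the reply above grant the APM delegation account constrained delegation with protocol transition to one application SPN. The script below is an added verification check, not part of the original post or of F5's own tooling: it reads the account back from AD and confirms that the SPN is registered, that msDS-AllowedToDelegateTo lists only the application SPN, that protocol transition is enabled, and that the account has not been left with unconstrained delegation (a common misconfiguration that lets the account impersonate users to any service). It assumes the ActiveDirectory module is installed and reuses the account and SPN names from the post; the userAccountControl flag values are the documented ones.

```powershell
# Added verification script (not from the original post). Assumes the
# ActiveDirectory module and the names used in the reply above.
param(
    [string]$DelegationAccount = 'svc_f5_krb',               # from the post
    [string]$AccountSpn        = 'host/svc_f5_krb.demo.local', # from the post
    [string]$AppSpn            = 'http/app1.demo.local'        # from the post
)

Import-Module ActiveDirectory

# Documented userAccountControl flag values.
$TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # protocol transition (S4U2Self)

$acct = Get-ADUser -Identity $DelegationAccount -Properties `
    servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl

$uac      = [int]$acct.userAccountControl
$allowed  = @($acct.'msDS-AllowedToDelegateTo')
$problems = @()

# 1. The account's own SPN (setspn equivalent in the post) must be present.
if ($acct.servicePrincipalName -notcontains $AccountSpn) {
    $problems += "SPN '$AccountSpn' is not registered on $DelegationAccount"
}

# 2. Constrained delegation must name the application SPN. Service classes are
#    compared case-insensitively, matching how Kerberos treats them.
if (-not ($allowed | Where-Object { $_ -ieq $AppSpn })) {
    $problems += "msDS-AllowedToDelegateTo does not include '$AppSpn'"
}

# 3. Unconstrained delegation must be off: with it set, the account could
#    obtain tickets to any service for any user it authenticates.
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $problems += "Account is trusted for UNCONSTRAINED delegation; limit it to $AppSpn"
}

# 4. Protocol transition must be on, or APM cannot request service tickets
#    for users who never presented a Kerberos ticket to the BIG-IP.
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    $problems += "TrustedToAuthForDelegation is not set; protocol transition is disabled"
}

# 5. Flag any delegation targets beyond the one application.
$extra = $allowed | Where-Object { $_ -and ($_ -ine $AppSpn) }
if ($extra) {
    $problems += "Delegation is also allowed to: $($extra -join ', ')"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $DelegationAccount is constrained to $AppSpn with protocol transition"
} else {
    $problems | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Run it from a domain-joined host with RSAT after applying the commands from the reply; every "CHECK:" line maps to one of the Set-AdUser, Set-ADObject or Set-ADAccountControl steps above, so a failing line tells you which step to revisit. In a multi-domain forest, pass -AccountSpn in the host/svc_f5_krb.demo.local form the reply mentions.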