Forum Discussion
Stanislas_Piro2
Nov 14, 2017Cumulonimbus
Hi,
when working with kerberos SSO, I use following powershell commands:
Create kerberos SSO accountNew-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Add ServicePrincipalName attribute (same as when using setspn command)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
Add delegation to application SPN http/app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
Configure Kerberos delegation parameters
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
Then, in APM, I create Kerberos SSO with following tmsh command:
Kerberos SSO for Machine account kerberos SSOcreate apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
Kerberos SSO for Application Pool account kerberos SSO
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
I these commands, I set 2 variables:
session.krbsso.last.domain =
Session variable session.ad.last.actualdomain
session.krbsso.last.username =
AD Attribute sAMAccountName
Last week I provided powershell commands to a customer to create an AD for training. All trainee configured the LAB successfully!
The user account provided may work in AD forest with single domain. In AD forest with multiple domains, the account name format must be host/svc_f5_krb.demo.local