Kerberos SSO to IIS Web Application
We are trying to implement a clientless solution in which a user who is part of the domain, accessing a web application from a machine in the same domain, would automatically be authenticated without user intervention.
I know there are lots of articles out there and I have read some tremendous write-ups on how this all works from Kevin Stewart and we believe we have most of the framework in place.
What is happening, it seems, is that a 401 authentication dialog is appearing to the user instead of the client requesting a Kerberos ticket from AD and presenting it to the F5 APM to decrypt and process with the installed keytab file.
Specifically this is what I have for configuration:
Web site:
This hostname is represented in DNS and can be resolved both forward/reverse.
Client side accounts:
bill@synacktek.local - my AD domain account, logged into a domain machine for testing.
HTTP/sso-test.synacktek.local - account used for keytab file creation, imported to the F5; do I need to set Kerberos delegation for this?
SSO side account: HOST/kerberos-server.synacktek.local - SSO account for Kerberos. Performed setspn and assigned delegation in AD for this to access the web service on WINDNS1 (this is where the web server is located).
F5 SSO configuration which uses this account:
APM Policy:
Has 401 configured for Negotiate, with a branch feeding Kerberos authentication (client side?). After this I have a couple of message boxes; the Kerberos OK branch feeds a variable assign to help populate the SSO side of the proxy configuration.
When connecting to the web URL I always get prompted with the 401 authentication.
I am certainly missing something here but do not know what it is.
Appreciate any help! Thx Bill
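When a Negotiate setup like the one above falls back to a 401 prompt, the first thing to check on a capture of the client's request is what the browser actually put in its Authorization header: a GSS-API/SPNEGO token whose preferred mechanism is Kerberos, or an NTLM token (raw NTLMSSP, or NTLMSSP wrapped in SPNEGO), which is what you see when the client could not obtain a service ticket for the SPN it derived from the URL. The script below is an added example, not part of the original post or of any F5 or Microsoft tooling; it decodes the header with a minimal DER walker and reports the mechanism, and also shows which SPN a Windows browser will request for a given URL (the HTTP/ class is used for both http and https, and a short host name in the URL yields a different SPN from the FQDN in the keytab). The three header values at the bottom are constructed for the example, not captured traffic.

```python
"""Classify an "Authorization: Negotiate ..." token: Kerberos, NTLM, or neither.

Added example (not from the original post). Token samples at the bottom are
constructed here; nothing is captured from a real client.
"""
import base64
from urllib.parse import urlsplit

SPNEGO_OID = "1.3.6.1.5.5.2"            # GSS-API SPNEGO pseudo-mechanism
KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft Kerberos (what Windows prefers)
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP negotiated inside SPNEGO
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"      # raw NTLM message prefix ("TlRMTVNT" in base64)


def der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after this element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_authorization(header_value):
    """Return (label, mech_oids) for an Authorization header value such as 'Negotiate YII...'."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    if not b64:
        return ("empty", [])             # bare "Negotiate": no token was sent
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return ("ntlm", [])              # raw NTLMSSP: no Kerberos ticket presented
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x60:                      # GSS-API InitialContextToken is [APPLICATION 0]
        return ("unknown", [])
    otag, oid_bytes, pos = read_tlv(body, 0)
    if otag != 0x06:
        return ("unknown", [])
    outer = decode_oid(oid_bytes)
    if outer in (KRB5_OID, MS_KRB5_OID):
        return ("kerberos", [outer])     # Kerberos AP-REQ without SPNEGO wrapping
    if outer != SPNEGO_OID:
        return ("unknown", [outer])
    ctag, neg_init, _ = read_tlv(body, pos)          # NegotiationToken: negTokenInit [0]
    if ctag != 0xA0:
        return ("spnego-other", [])
    _, seq, _ = read_tlv(neg_init, 0)                 # NegTokenInit ::= SEQUENCE
    mtag, mech_types, _ = read_tlv(seq, 0)            # mechTypes [0] MechTypeList
    if mtag != 0xA0:
        return ("spnego-other", [])
    _, oid_list, _ = read_tlv(mech_types, 0)          # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(oid_list):
        t, b, p = read_tlv(oid_list, p)
        if t == 0x06:
            mechs.append(decode_oid(b))
    first = mechs[0] if mechs else None               # the client's preferred mechanism
    if first in (KRB5_OID, MS_KRB5_OID):
        return ("spnego-kerberos", mechs)
    if first == NTLMSSP_OID:
        return ("spnego-ntlm", mechs)
    return ("spnego-other", mechs)


def spn_requested_for(url):
    """SPN a Windows browser asks the KDC for: HTTP/<host as typed in the URL>.

    Default ports are not part of the SPN; https still uses the HTTP class.
    urlsplit lowercases the host, and AD SPN lookup is case-insensitive.
    """
    return f"HTTP/{urlsplit(url).hostname}"


def build_spnego_init(mech_oids):
    """Construct a minimal SPNEGO NegTokenInit carrying only a mechTypes list (sample data)."""
    mech_types = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, neg_init))


# Constructed sample headers, not captured from a real client.
CONSTRUCTED_KERBEROS = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()
CONSTRUCTED_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    build_spnego_init([NTLMSSP_OID])).decode()
CONSTRUCTED_RAW_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24).decode()

if __name__ == "__main__":
    for h in (CONSTRUCTED_KERBEROS, CONSTRUCTED_NTLM_IN_SPNEGO, CONSTRUCTED_RAW_NTLM):
        print(classify_authorization(h))
    print(spn_requested_for("https://sso-test.synacktek.local/app/"))
```

Feed it the Authorization header from a browser developer-tools capture or a tcpdump of the client side of the virtual server: "spnego-kerberos" means the client obtained a ticket and the problem is on the APM/keytab side, while "ntlm" or "spnego-ntlm" means the client never got a ticket, so the SPN in the URL, the SPN on the keytab account, and the machine's KDC reachability are the things to compare (a `klist` on the client after the attempt shows whether a ticket for HTTP/sso-test.synacktek.local was issued).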