Forum Discussion
East_Coast_1151
Nimbostratus
Mar 19, 2013
Kerberos SSO with two realms
I am working on a solution depicted in the attached file.
Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...
Kevin_Stewart
Employee
Mar 19, 2013
APM Kerberos SSO does support cross-forest trust as long as you specify the user's real realm. Are you specifying the user's domain name in the session.logon.last.domain variable? You may need to set it manually.
Also, are you seeing the server principal unknown error directly after the call for "krbtgt/Realm1@Realm2"? For cross-forest Kerberos to work, both domains must be able to communicate and have Kerberos keys in each other's realms. So if you need to authenticate realm1 users to a realm2 service, the SSO agent must first get a ticket from its own domain for the KDC in the other domain (this is the krbtgt/Realm1@Realm2 ticket request). Once the SSO agent has this ticket, it uses it very much like a TGT to realm2 to request access to the service in realm2. The SSO agent must also be able to resolve both realms.