Forum Discussion
Kerberos SSO with two realms
APM Kerberos SSO does support cross-forest trust as long as you specify the user's real realm. Are you specifying the user's domain name in the session.logon.last.domain variable? You may need to set it manually.
Also, are you seeing the server principal unknown error directly after the call for "krbtgt/Realm1@Realm2"? For cross-forest Kerberos to work both domains must be able to communicate and have Kerberos keys in each other's realms. So if you need to authenticate realm1 users to a realm2 service, the SSO agent must first get a ticket from its own domain for the KDC in the other domain (this is the krbtgt/Realm1@Realm2 ticket request). Once the SSO agent has this ticket, it uses it very much like a TGT to realm2 to request access to the service in realm2. The SSO agent must also be able to resolve both realms.
Thank you for the prompt response.
1. Yes, the user's realm is specified as the user's domain name (session.logon.last.domain). I checked the variable value before SSO and it contains the good value.
2. Yes, I am seeing the error right after the cross-realm TGS request for . I tried to set a principal with this exact name in Realm2 and the UNKNOWN PRINCIPAL error moved to the next step, when APM tries to get a TGS for itself in the user's realm. This represents moving from step 2 to step 3 on the diagram below.
http://msdn.microsoft.com/en-us/library/cc246109.aspx
3. DNS records are good and all KDC and DC records are set correctly. I use Microsoft DNS in both forests and each of them has a stub zone for another forest. I see also in Wireshark traces that DNS records are all resolved properly.
4. The forest trust is established using standard Microsoft Active Directory GUI tools, so I have not played with manual settings for krbtgt keys and principals.
---
I did a lot of research today and encountered some vague mentions that the Kerberos S4U2Self feature might not be working with one-way trusts because some referrals might be missing.
Can anyone confirm that?
So I decided to give it a try and make the trust bidirectional and ... surprise ... SSO started working properly.
However, I need to keep a one-way trust because the resource forest is located at a service provider site and our company can't trust it.
So I am still looking for a Kerberos solution with a one-way trust and am very interested to know if F5 APM supports it.
Do you know if it is possible?
Maybe I can define some principals or SPNs manually without setting up a complete two-way trust?
Thank you for your help
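The inter-realm ticket chain described in the first reply, and the one-way versus two-way trust behaviour observed in the last post, modelled as an added example (not F5 APM code and not from the thread). It assumes a one-way trust "A trusts B" gives B's KDC the referral principal krbtgt/A@B but gives A's KDC no krbtgt/B@A; the realm names and `agent-spn` are constructed.

```python
"""Model of the cross-realm S4U2Self ticket chain from the thread above.

Constructed example, not F5 APM code. Assumption: a one-way trust
'A trusts B' lets B's KDC issue krbtgt/A@B (referral B -> A) but gives
A's KDC no krbtgt/B@A, so the reverse referral is an unknown principal.
"""
from dataclasses import dataclass, field


@dataclass
class Forest:
    # trusts[A] = realms that A trusts (A is the trusting, resource side)
    trusts: dict[str, set[str]] = field(default_factory=dict)

    def add_trust(self, trusting: str, trusted: str, two_way: bool = False) -> None:
        self.trusts.setdefault(trusting, set()).add(trusted)
        if two_way:
            self.trusts.setdefault(trusted, set()).add(trusting)

    def has_referral_key(self, from_realm: str, to_realm: str) -> bool:
        """True if from_realm's KDC can issue krbtgt/<to_realm>@<from_realm>.

        That referral exists only when to_realm trusts from_realm.
        """
        return from_realm in self.trusts.get(to_realm, set())


def s4u2self_chain(forest: Forest, agent_realm: str, user_realm: str) -> list[tuple[str, str]]:
    """Ticket requests the SSO agent must complete, stopping at the first failure.

    Returns (principal requested, "OK" | "KDC_ERR_S_PRINCIPAL_UNKNOWN") per step,
    mirroring what a Wireshark trace of the exchange would show.
    """
    steps: list[tuple[str, str]] = []
    # Step 1: referral TGT from the agent's own KDC towards the user's realm
    # (the krbtgt/Realm1@Realm2 request named in the thread).
    referral = f"krbtgt/{user_realm}@{agent_realm}"
    if not forest.has_referral_key(agent_realm, user_realm):
        steps.append((referral, "KDC_ERR_S_PRINCIPAL_UNKNOWN"))
        return steps
    steps.append((referral, "OK"))
    # Step 2: S4U2Self at the user's KDC for a ticket to the agent's own SPN;
    # the user's KDC answers with a referral back to the agent's realm.
    back = f"krbtgt/{agent_realm}@{user_realm}"
    if not forest.has_referral_key(user_realm, agent_realm):
        steps.append((back, "KDC_ERR_S_PRINCIPAL_UNKNOWN"))
        return steps
    steps.append((back, "OK"))
    # Step 3: final S4U2Self ticket for the agent's SPN from its own KDC.
    steps.append((f"agent-spn@{agent_realm}", "OK"))
    return steps
```

With only a one-way trust (REALM2 trusts REALM1) the chain stops at step 1 with the same principal the thread reports as unknown; making the trust two-way lets all three steps succeed.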