Forum Discussion
East_Coast_1151
Nimbostratus
Mar 19, 2013
Kerberos SSO with two realms
I am working on a solution depicted in the attached file.
Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...
Kevin_Stewart
Employee
Mar 25, 2013
Good call on the selective two-way trust.
As to your question, I can't speak authoritatively, but I'd make the following points:
1. This isn't a Kerberos spec issue, other than the requirement for two-way trusts when doing S4U.
2. F5's Access Policy Manager module functions as an authentication PROXY, by design. By this I'm specifically talking about a full proxy, where client side and server side authentication processes are essentially separate things (like TCP and SSL sessions). You actually do import a keytab file for client side authentication, but that again is separate from server side authentication.
3. Most importantly I think, APM operates at the application layer (mostly HTTP), so you're not really dealing with user principal names (user authentication) but rather service principal names (service requests).