Forum Discussion

East_Coast_1151's avatar
East_Coast_1151
Icon for Nimbostratus rankNimbostratus
Mar 18, 2013

Kerberos SSO with two realms

I am working on a solution depicted in the attached file.     Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...
config
design
East_Coast_1151's avatar
East_Coast_1151
Icon for Nimbostratus rankNimbostratus
Mar 22, 2013
Hi Kevin,

 

 

Thank you for the confirmation.

 

Given these constraints, now we are considering two options:

 

- NTLM

 

- Two-way trust with Selective Authentication

 

Regardless the two-way trust, the second option can be set up secure enough to block all authentication request coming from the "untrusted" domain but to still permit cross-forest features. I tested it with success.

 

 

I'm also wondering why F5 (an other concurrent devices) use only Kerberos delegation features and can't be configured as regular Windows domain computers, i.e. to take user's username/password and request TGT/TGS directly for the user account instead of its own device account.

 

Is this something that goes against Kerberos specs?
AN's avatar
AN
Icon for Nimbostratus rankNimbostratus
Dec 12, 2016

@East Coast: HOw you achieve SPN configuration across forest? I am running into issue where my 2 domains are part of same forest but services only reside on domain1 and I want to authenticate both domain1 and domain2 users. I am doing AAA authentication key tab file from doamin1 and it's working for both domain1 and domain2 users. But I am running into issue with SSO configuration I have two SSO one for domain1 and second for domain2. Domain1 SSO works fine but domain2 is running into issue. For Kerberos Authentication on F5, do we need to use both AAA Kerberos and SSO Kerberos? I am running into the issue for kerberos SSO to work with two domains part of same forest with two way trust. I can access server URL with kerberos and works fine for both domains

 

We have domain1 and domain2 inherited from Domainmain and have two way transitive trusts between forests.

 

Our APM policy as follows: 401->(negotiate)->Kerberos Auth-> SSO Credential Mapping-> Check incoming users domain-> if "@domain1" -> "WEBSSO::select /Common/SSO-domain1" -> domain1-variable-assigned (using split) -> allow if "@domain2" -> "WEBSSO::select /Common/SSO-domain2" -> domain2-variable-assigned (using split) -> allow

 

Since all services resides in domain1 we have service account mapped in domain1 to SPN HTTP/URL.com@domain1. We have user account also in domain2 that we are using in Domain2 SSO configuration with setspn to HTTP/URL.com@domain2

 

It works fine for domain1 user (both AAA kerberos and SSO). AAA Kerberos works fine for domain2 but fails at SSO. Found following in logs:

 

Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@domain2 server: HTTP/xyz.com@domain2 - trying to fetch Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@domain2 server: HTTP/xyz.com@domain2 Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0046:7: /frontend/Kerberos-AP:frontend:b49e4d37: adding item to WorkQueue Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/xyz.com@domain2 - KDC policy rejects request (-1765328372) Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0024:3: /frontend/Kerberos-AP:frontend:b49e4d37: Kerberos: Failed to get ticket for user user@domain2 Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0048:3: /frontend/Kerberos-AP:frontend:b49e4d37: failure occurred when processing the work item Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: ctx: 0xa0e4630, SERVER: TMEVT_NOTIFY Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: ctx: 0xa0e4630, SERVER: TMEVT_RESPONSE