Forum Discussion
Kerberos SSO without APM
Hi all,
I'm wondering, is it possible to get Kerberos SSO working via a standard LTM VIP, without the use of APM (which I'm assuming is an extra add-on)?
If I connect to the servers directly, SSO works fine, but with the VIP in line it breaks.
I got this working before with Websense proxy servers, but it was a very bespoke deployment where the proxy servers mimicked the VIP's FQDN, which is not a likely deployment here.
Without going into too much technical detail, is this achievable without APM? Can anyone recommend KBs on the same?
v11.3
Thanks,
D
5 Replies
- Kevin_Stewart
Employee
In a word, no.
The problem is, as you've discovered with the websense proxy, that your client has to request a ticket for the correct service principal name (SPN), and it only knows that name by the URL it types into the browser. So your VIP FQDN has to mimic the backend server's SPN. You can do the exact same thing with an LTM VIP. If you want the device to proxy Kerberos, as in request tickets on the client's behalf to a SPN that is not the FQDN of the frontend VIP, then you need APM.
- Stanislas_Piro2
Cumulonimbus
If you want the client to request a Kerberos ticket for the server SPN, you must configure the reverse DNS name of the VIP with the SPN known by the application server.
I configured APM Kerberos Constrained Delegation for one customer, for Exchange servers load balanced by LTM in a dedicated appliance.
I had the following flow: APM --> LTM --> Exchange
The Kerberos ticket needed to be created for the LTM VIP and known by Exchange.
The LTM VIP was defined with PTR exch.company.local in DNS; the IIS Exchange services were started as a user with SPN HOST/exch.company.local.
- superd_88943
Nimbostratus
Thanks so much guys... so in a nutshell, I really require APM here?
- Kevin_Stewart
Employee
Again, you can accomplish pass-through Kerberos if you mimic the internal SPN at the external FQDN. But otherwise yes you need APM.
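To make the rule in Kevin's two replies and Stanislas's PTR note concrete, here is an added example (not code from this thread or from F5) that models what the browser does: it builds the SPN from the host name in the URL, after whatever canonicalisation the client performs, and checks that SPN against the SPNs registered on the backend service account. The DNS records, the VIP address and the SPN list are constructed sample data; CNAME chasing and reverse lookup are parameters because how far a given Kerberos client canonicalises the name depends on the client and its settings, so treat those as assumptions to verify against your own clients.

```python
"""Added example: why pass-through Kerberos through an LTM VIP only works when
the VIP name matches the backend SPN. Not F5 code; all records are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Windows maps the HTTP service class onto the HOST/ alias, so a service account
# that has HOST/name registered also satisfies a request for HTTP/name.
HOST_ALIAS_SATISFIES = {"HTTP"}


@dataclass
class FakeDns:
    """Constructed stand-in for DNS: forward and reverse records."""
    cname: dict = field(default_factory=dict)  # alias -> target name
    a: dict = field(default_factory=dict)      # fqdn -> ip
    ptr: dict = field(default_factory=dict)    # ip -> fqdn


def canonical_host(host: str, dns: FakeDns, reverse_lookup: bool = False) -> str:
    """Follow CNAMEs (bounded against loops) and, if the client does so,
    the A/PTR pair, before the SPN is built. Which steps a real client
    performs is client-specific (assumption: parameterised here)."""
    seen = set()
    while host in dns.cname and host not in seen:
        seen.add(host)
        host = dns.cname[host]
    if reverse_lookup and host in dns.a:
        host = dns.ptr.get(dns.a[host], host)
    return host.lower()


def requested_spn(url: str, dns: FakeDns, reverse_lookup: bool = False) -> str:
    """SPN the browser asks the KDC for: HTTP/<canonical host taken from the URL>."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{canonical_host(host, dns, reverse_lookup)}"


def spn_registered(spn: str, registered: set) -> bool:
    """True if the exact SPN, or its HOST/ alias, is on the service account."""
    cls, _, name = spn.partition("/")
    candidates = {f"{cls}/{name}"}
    if cls in HOST_ALIAS_SATISFIES:
        candidates.add(f"HOST/{name}")
    known = {r.lower() for r in registered}
    return any(c.lower() in known for c in candidates)


def check_vip(url: str, dns: FakeDns, registered: set, reverse_lookup: bool = False):
    """Return (ok, explanation) for pass-through Kerberos via this VIP name."""
    spn = requested_spn(url, dns, reverse_lookup)
    if spn_registered(spn, registered):
        return True, f"client requests {spn}; backend holds it (or its HOST/ alias)"
    return False, (f"client requests {spn}, which is not registered on the backend "
                   f"service account, so the ticket is for the wrong principal and "
                   f"SSO fails behind the VIP")


# Constructed sample: backend from the thread runs as HOST/exch.company.local.
BACKEND_SPNS = {"HOST/exch.company.local"}
VIP_IP = "10.0.0.10"  # constructed address for the LTM VIP

if __name__ == "__main__":
    dns = FakeDns(a={"mail.company.local": VIP_IP, "exch.company.local": VIP_IP},
                  ptr={VIP_IP: "exch.company.local"})
    for url in ("https://mail.company.local/owa", "https://exch.company.local/owa"):
        print(url, check_vip(url, dns, BACKEND_SPNS))
```

Running it shows the two outcomes from the thread: a VIP published as mail.company.local makes the browser ask for HTTP/mail.company.local, which nothing holds, while publishing the VIP under the backend's own name (or making a CNAME or PTR canonicalise to it, where the client does that) makes the requested SPN line up with HOST/exch.company.local. Anything beyond that, a ticket for a different principal than the URL's host, is the proxy case Kevin attributes to APM.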
- superd_88943
Nimbostratus
Thanks again Kevin ;)