kerberos
morrie_63651, Oct 11, 2007
I am planning to use my new F5 LTM to load balance a number of components that are protected by Microsoft Active Directory - Kerberos. I am being told that the F5 device must join the Kerberos domain...
AVGuru_4933, Feb 08, 2010
Posted By RyanLRoy on 12/10/2009 12:34 AM
When you say "create an SPN for this dns name and with the userid being used to configure kerberos" which userid are you referring to? In our environment we have four servers which are load balanced. Kerberos based SSO is working on each individual server but is failing when going through the virtual ip. We have an AD user which corresponds to each physical machine. I believe the setspn command was then run for each of these users specifying the corresponding dns name of that server.
Does that mean we should then create another AD user to represent the load balancer and run setspn specifying the virtual ip and the AD user we set up? Do you know if this AD user would have to be marked as an eligible delegate?
It depends on what you are trying to accomplish here: IF you do not need the LTM to act as an SSO gateway for connecting to multiple different services and applications (web sites), then you could leave the load-balancing in a passive state where it will not impact the authentication to the servers. To do that, you would run all of your IIS services for this given site with the same user ID and configure an SPN on the service account to match the DNS name of the site. That way, the client would get a Kerberos ticket that would be valid on any of the four web servers for that site, regardless of the LTM's choice of servers to point them to at the time.
If you want the LTM to handle Kerberos delegated connections, for Internet portal situations for instance, then you would need to configure the LTM as a Kerberos realm member for AD and provide user session and kerberos proxy capabilities from there, though I am not sure of the process for that. It is my understanding that it does allow for this, though I assume you host a forms-based authentication page behind the LTM to handle the initial authentication, and then the LTM performs the Kerberos protocol transition and then acts as the user session for the session when connecting to the sites behind it. This is necessary when users are outside the network and unable to get a Kerberos ticket and similar scenarios.
I am trying to figure that one out now, but have not seen any guidance on it so far. I know the AD/Kerberos side.
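Worked example of the "passive" approach described in the answer above (one shared IIS service account holding the SPN for the site's DNS name), added here and not taken from any poster. It is a PowerShell script that checks which account holds the site's HTTP SPN, registers it on the shared account if nobody has it, and flags duplicates on per-server or computer accounts; the ActiveDirectory module, setspn.exe and the site, node and account names are assumptions.

```powershell
# Added example, not from the thread: audit and register the SPN for a load-balanced
# IIS site so one Kerberos ticket is valid on every node behind the virtual IP.
# Assumes the ActiveDirectory PowerShell module and rights to edit SPNs; the site
# name, node names and service account below are constructed placeholders.
param(
    [string]   $SiteFqdn       = 'www.example.com',   # DNS name clients use (the VIP's name)
    [string]   $ServiceAccount = 'svc_web',           # one domain account running IIS on all nodes
    [string[]] $NodeFqdns      = @('web1.example.com', 'web2.example.com')
)
Import-Module ActiveDirectory

$siteSpn = "HTTP/$SiteFqdn"

# 1. The site SPN must live on exactly one account. If a per-server account or a
#    computer object also holds it, the KDC may encrypt the ticket for the wrong
#    principal and IIS on that node cannot decrypt it (KRB_AP_ERR_MODIFIED).
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$siteSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0 {
        Write-Host "Registering $siteSpn on $ServiceAccount"
        # -S checks the forest for duplicates before adding (unlike -A).
        setspn -S $siteSpn $ServiceAccount
    }
    1 {
        if ($holders[0].Name -ieq $ServiceAccount) {
            Write-Host "$siteSpn is correctly registered on $ServiceAccount"
        } else {
            Write-Warning "$siteSpn is held by '$($holders[0].Name)', not $ServiceAccount; move it with setspn -D then setspn -S"
        }
    }
    default {
        Write-Warning "Duplicate SPN: $siteSpn is held by $($holders.Name -join ', '); keep it only on $ServiceAccount"
    }
}

# 2. Per-node SPNs (HTTP/web1...) matter only if users also browse the nodes
#    directly; each node's own name may stay on that node's computer account,
#    but it must not be registered twice.
foreach ($node in $NodeFqdns) {
    $nodeHolders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$node)")
    if ($nodeHolders.Count -gt 1) { Write-Warning "Duplicate SPN HTTP/$node on $($nodeHolders.Name -join ', ')" }
}

# 3. Forest-wide duplicate check. Then verify from a domain-joined client that a
#    ticket for the site name is issued:  klist purge ; klist get HTTP/www.example.com
setspn -X
# Note (IIS 7 and later): with kernel-mode authentication enabled, a node decrypts
# tickets with its machine account unless useAppPoolCredentials is set to true
# on the site, so the shared-account SPN alone is not enough there.
```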