Forum Discussion

mongrol_63460
Nov 04, 2008

ldap/ with kerberos through F5

Hi,

We have an F5 BigIP load balanced address fronting a few Domain Controllers in our AD (e.g. adldap.domain.com). We have OpenLDAP clients using this virtual address to do lookups on AD and we wish to have the clients authenticate using Kerberos instead of a normal LDAPS bind. We're having trouble understanding how or where we create SPNs to allow the Domain Controllers to accept service tickets for this virtual address. Normally in a situation like this you set the SPN on the user account that runs the service. The LDAP service runs on the Domain Controller's computer account, which leads me to believe we need an SPN set on the DC computer objects. However, you can only have 1 SPN per forest.

If we do the following then we can have separate SPNs per DC.

setspn -A ldap/adldap.domain.com <DC computer account>

However, when the client asks for a Service Ticket, which SPN would he get? When he goes back to the F5 to present his ticket he would be forwarded to a random DC and may not have the ticket. Or is he given a Service Ticket for all DCs that provide that service?
  • Hi,

    I think in the latest versions, a Kerberos delegation module has been introduced. You might check this out.

    ~Ravi
  • I've done a similar thing with some WCF/SOAP applications requiring Kerberos tickets/authentication: created a DNS name referencing the virtual server IP address in Active Directory DNS and then assigned an SPN using this DNS entry. The SPN would be that of the DNS entry.

    There's a link on the Microsoft website which explains using IIS in load balanced environments, a very similar setup I would assume.

    http://technet.microsoft.com/en-us/library/bb633031.aspx

    Also check out 'Troubleshooting Kerberos Delegation'; I found this a useful document.

    Running BigIP 9.3.1
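As an added example (not from the original poster or either reply), a toy Python model of the mechanics behind the question and the second reply: the KDC issues one service ticket per SPN, sealed with the long-term key of the single account that owns that SPN, so a DC behind the VIP that holds a different key cannot open it, while one account owning the VIP's SPN works for every node that holds that account's key. The account names (DC1$, DC2$, svc-adldap), the client alice@DOMAIN.COM and the HMAC "seal" standing in for Kerberos encryption are all constructed for this example.

```python
import hashlib
import hmac
from typing import Dict

# Toy model constructed for this example, not real Kerberos cryptography:
# each AD account has one long-term key, the KDC maps an SPN to exactly one
# account, and a service ticket is sealed (HMAC here, encryption in Kerberos)
# with the key of the account that owns the requested SPN.

def long_term_key(account: str) -> bytes:
    """Stand-in for the account's AD long-term key."""
    return hashlib.sha256(f"long-term-key:{account}".encode()).digest()

def seal(key: bytes, body: bytes) -> bytes:
    """Hex HMAC tag; hex keeps the ticket's '|' separators unambiguous."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

class KDC:
    def __init__(self) -> None:
        self.spn_owner: Dict[str, str] = {}

    def setspn(self, spn: str, account: str) -> None:
        """Mirror `setspn -A spn account`; an SPN must be unique in the forest,
        so a second owner is modelled as a refusal."""
        owner = self.spn_owner.get(spn)
        if owner is not None and owner != account:
            raise ValueError(f"duplicate SPN {spn!r}: already on {owner}")
        self.spn_owner[spn] = account

    def issue_ticket(self, client: str, spn: str) -> bytes:
        """TGS-REQ: one ticket per SPN, sealed with the owning account's key,
        not one ticket per backend that happens to serve the address."""
        body = f"{client}|{spn}".encode()
        return body + b"|" + seal(long_term_key(self.spn_owner[spn]), body)

def accept_ticket(node_key_account: str, ticket: bytes) -> bool:
    """AP-REQ at a backend: it can open only a ticket sealed with the key it
    holds (a mismatch is KRB_AP_ERR_MODIFIED in real Kerberos)."""
    body, _, tag = ticket.rpartition(b"|")
    return hmac.compare_digest(tag, seal(long_term_key(node_key_account), body))

def simulate(spn_account: str, node_keys: Dict[str, str]) -> Dict[str, bool]:
    """Put the VIP's SPN on spn_account, fetch one client ticket and present it
    to every node behind the F5; node_keys maps node -> account whose key it
    holds. Returns which nodes can open the ticket."""
    kdc = KDC()
    kdc.setspn("ldap/adldap.domain.com", spn_account)
    ticket = kdc.issue_ticket("alice@DOMAIN.COM", "ldap/adldap.domain.com")
    return {node: accept_ticket(acct, ticket) for node, acct in node_keys.items()}
```

Running `simulate("DC1$", {"DC1": "DC1$", "DC2": "DC2$"})` shows only DC1 opening the ticket, while `simulate("svc-adldap", {"node1": "svc-adldap", "node2": "svc-adldap"})` shows both nodes accepting it.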