For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 19, 2013

mixing SSO methods, i.e. ntlm, basic http and kerberos

i was wondering if i can freely mix SSO methods with a webtop implementation. currently im using NTLMV2 and HTTP basic together by configuring different SSO profiles on the portal access resources. t...
BIG-IP Access Policy Manager (APM)
remote access
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jun 19, 2015

You need to configure KDC host or address or modify /etc/krb5.conf as described in https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16483.html

 

variable needed to support kerberos are:

 

  • session.logon.last.domain with DNS domain name (DOMAIN.EXT and not DOMAIN)
  • session.sso.token.last.username with SAMAccountName of user

PTR of IP address of internal server must be defined the answer will be used to build SPN:

 

  • the simplified SPN of server is HTTP/ (used in Microsoft kerberos configuration)
  • The real SPN of the server is HTTP/@

In AD Configuration, the delegation user must have

 

  • its own SPN ex : HOST/user.domain.ext (configured in Attribute tab of the user or with the stspn command line)
  • delegation right on SPN Server (configured in delegation tab which appear after creating SPN of user)

With these configuration, every thing must work. (configure for 10 different customers without issue)