Forum Discussion
Mixing SSO methods, i.e. NTLM, HTTP Basic and Kerberos
I was wondering if I can freely mix SSO methods with a webtop implementation. Currently I'm using NTLMv2 and HTTP Basic together by configuring different SSO profiles on the portal access resources. The AAA server is Microsoft Active Directory. This works fine.
But now I have a portal access resource which requires Kerberos. Can I just create the delegation user (give it access to that server), create a Kerberos SSO profile, attach it to the portal access resource, and am I good to go?
15 Replies
- Kevin_Stewart
Employee
Is SSO working?
If you can run a Wireshark capture from the DC, you should see port 88 (Kerberos) traffic from the F5 to the DC.
- (original poster)
It works now. I don't quite understand if, and if so why, removing the IP from the KDC field made it work, but it works now.
So I now have a webtop with three different types of SSO, working correctly together :)
Thanks for the help Kevin.
For any others, a successful Kerberos SSO looks like this in APM reporting:
Websso Kerberos authentication for user 'user' using config '/DMZ/sso-profile'
\N: adding item to WorkQueue
sid: ctx:0x5961f370 server address = ::ffff:192.168.20.124
sid: ctx:0x5961f370 SPN = HTTP/hostname.domain.ext@DOMAIN.EXT
S4U ======> ctx: , sid: 0x5961f370, user: user@DOMAIN.EXT, SPN: HTTP/hostname.domain.ext@DOMAIN.EXT
In your packet trace towards the server on which Kerberos SSO is enabled you should see a GET request (if you perform a GET, of course) with the header Authorization: Negotiate and a big block of code for the auth information.
- dryk_00
Nimbostratus
Hello, is it possible to share how the policy should look for both AAA (client side) and SSO (server side) authentication?
I am struggling with implementing such a flow:
User ---- any page except sso-login.htm ----> BigIP ---- any page ----> server
User <--------- response -------------------- BigIP <---- response ---- server

User ---- sso-login.html -------------------> BigIP
User <--- 401 Negotiate --------------------- BigIP   (if no valid previous kerb-Auth-ok cookie found)
User ---- TGT ------------------------------> BigIP ---- request sso-login.htm ----> server
                                              BigIP <--- 401 Negotiate ------------- server
                                              BigIP ---- TGT as user -------------> server
User <--- response with kerb-Auth-Cookie ---- BigIP <---- response --------------- server   (if kerb auth OK)
- Stanislas_Piro2
Cumulonimbus
You need to configure the KDC host or address, or modify /etc/krb5.conf as described in https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16483.html
The variables needed to support Kerberos are:
- session.logon.last.domain with the DNS domain name (DOMAIN.EXT, not DOMAIN)
- session.sso.token.last.username with the sAMAccountName of the user
The PTR record of the IP address of the internal server must be defined; the answer will be used to build the SPN:
- the simplified SPN of the server is HTTP/<fqdn> (used in the Microsoft Kerberos configuration)
- the real SPN of the server is HTTP/<fqdn>@<REALM>
In the AD configuration, the delegation user must have:
- its own SPN, e.g. HOST/user.domain.ext (configured in the Attribute tab of the user or with the setspn command line)
- delegation rights on the server SPN (configured in the Delegation tab, which appears after creating the SPN of the user)
With this configuration, everything must work (configured for 10 different customers without issue).
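The two checks described in the posts above, the Authorization: Negotiate header in the packet trace and the SPN that APM builds from the PTR name and the realm, as an added example that is not code from this thread or from F5. It assumes nothing about APM beyond the report lines quoted earlier in the thread; the log lines, the PTR table standing in for reverse DNS and the sample tokens are constructed, and the function and constant names are the example's own.

```python
"""Added example (not from the thread or F5): checks on mixed-SSO artifacts.

classify_authorization()  - what a captured Authorization header carries; the
                            Negotiate scheme can wrap NTLM as well as Kerberos,
                            so "Negotiate + big blob" alone does not prove Kerberos
expected_spn()            - HTTP/<PTR name>@<REALM>, the SPN APM will request
check_apm_kerberos_log()  - compare SPN and realm in APM report lines to that
"""
import base64
import re
import socket

# DER-encoded GSS-API mechanism OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos 5,
# plus the Microsoft Kerberos OID Windows clients also advertise).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"                              # NTLM message signature


def _der_len(n):
    """DER length encoding (used only to build the sample GSS tokens)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    count = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + count], "big"), i + 1 + count


def gss_token(mech_oid, inner):
    """Wrap inner in a GSS-API InitialContextToken (RFC 2743 section 3.1)."""
    payload = mech_oid + inner
    return b"\x60" + _der_len(len(payload)) + payload


def classify_authorization(header):
    """Return basic | ntlm | ntlm-over-negotiate | kerberos | spnego | unknown."""
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(NTLMSSP):        # NTLM carried inside Negotiate
        return "ntlm-over-negotiate"
    if not raw or raw[0] != 0x60:      # not a GSS-API initial context token
        return "unknown"
    _, i = _read_der_len(raw, 1)
    rest = raw[i:]
    if rest.startswith(OID_SPNEGO):
        return "spnego"
    if rest.startswith(OID_KRB5) or rest.startswith(OID_MSKRB5):
        return "kerberos"
    return "unknown"


def expected_spn(server_addr, dns_domain, resolver=None):
    """HTTP/<PTR name>@<REALM>; APM logs IPv4 back ends as ::ffff:a.b.c.d."""
    if server_addr.lower().startswith("::ffff:"):
        server_addr = server_addr[7:]
    if resolver is None:  # real reverse lookup unless a table is supplied
        resolver = lambda ip: socket.gethostbyaddr(ip)[0]
    return "HTTP/%s@%s" % (resolver(server_addr), dns_domain.upper())


_LOG_PATTERNS = {  # fields in the APM report lines quoted in this thread
    "user": re.compile(r"Websso Kerberos authentication for user '([^']+)'"),
    "server": re.compile(r"server address = (\S+)"),
    "spn": re.compile(r"\bSPN = (\S+)"),
    "upn": re.compile(r"S4U ======> .*\buser: ([^,\s]+)"),
}


def parse_apm_kerberos_log(lines):
    """Collect the fields APM reports for one Kerberos SSO attempt."""
    found = {}
    for line in lines:
        for key, pat in _LOG_PATTERNS.items():
            m = pat.search(line)
            if m and key not in found:
                found[key] = m.group(1)
    return found


def check_apm_kerberos_log(lines, dns_domain, resolver=None):
    """Return a list of problems; an empty list means the log is consistent."""
    info = parse_apm_kerberos_log(lines)
    problems = ["missing %s in log" % k for k in _LOG_PATTERNS if k not in info]
    if problems:
        return problems
    want = expected_spn(info["server"], dns_domain, resolver)
    if info["spn"] != want:
        problems.append("SPN %s != expected %s (check the PTR record)" % (info["spn"], want))
    realm = info["upn"].rpartition("@")[2]
    if realm != dns_domain.upper():
        problems.append("S4U realm %s != %s (session.logon.last.domain must be "
                        "the DNS domain name)" % (realm, dns_domain.upper()))
    return problems


# Constructed samples: the APM lines quoted earlier, a table standing in for
# reverse DNS, and one header per SSO method (token bodies are dummies).
SAMPLE_APM_LOG = [
    "Websso Kerberos authentication for user 'user' using config '/DMZ/sso-profile'",
    "sid: ctx:0x5961f370 server address = ::ffff:192.168.20.124",
    "sid: ctx:0x5961f370 SPN = HTTP/hostname.domain.ext@DOMAIN.EXT",
    "S4U ======> ctx: , sid: 0x5961f370, user: user@DOMAIN.EXT, "
    "SPN: HTTP/hostname.domain.ext@DOMAIN.EXT",
]
SAMPLE_PTR = {"192.168.20.124": "hostname.domain.ext"}.get
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_HEADERS = {
    "basic": "Basic " + _b64(b"user:password"),
    "ntlm": "NTLM " + _b64(NTLMSSP + b"\x01\x00\x00\x00"),
    "ntlm-over-negotiate": "Negotiate " + _b64(NTLMSSP + b"\x01\x00\x00\x00"),
    "kerberos": "Negotiate " + _b64(gss_token(OID_KRB5, b"\x01\x00" + b"\x00" * 200)),
    "spnego": "Negotiate " + _b64(gss_token(OID_SPNEGO, b"\xa0\x03\x02\x01\x00")),
}

if __name__ == "__main__":
    for kind, hdr in SAMPLE_HEADERS.items():
        print("%-20s -> %s" % (kind, classify_authorization(hdr)))
    print("problems:", check_apm_kerberos_log(SAMPLE_APM_LOG, "domain.ext", SAMPLE_PTR))
```

Without a resolver argument, expected_spn() does a real reverse lookup, so run it from a host that uses the same DNS as the BIG-IP. A quick eyeball test for the header check: a Negotiate blob that starts with TlRMTVNT (base64 of "NTLMSSP") is NTLM, not Kerberos, and a Kerberos or SPNEGO blob starts with YII.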
- dryk_00
Nimbostratus
Hello,
Thanks for replying. Is it possible to paste here how the access policy looks?
Thanks in advance.