Forum Discussion

Nimbostratus

Jul 28, 2014

Multiple apps doing kerberos

Hi all...I am setting up a new BIG-IP environment (v.11.5.1) to front multiple backend services. What is the simplest way to have multiple services (i.e. webservice1.company.com, webservice2.complany...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Dec 14, 2016

In a multi-domain configuration, you MUST use the user's sAMAccountName as the SSO username source, and the user's real domain as the SSO domain name source. APM Kerberos SSO doesn't support referrals, so users in domain1 work because no referrals are needed there. So for example:

session.sso.token.last.username = expr { "bob" }    <--- sAMAccountName
session.logon.last.domain = expr { "DOMAIN1.DOMAIN.COM" }

Are you switching between SSO profiles in the VPE? You don't need to do that if the delegation account and web service are in the same domain.

You also don't need the SSO credential mapping agent in a Kerberos SSO. You just need to populate the above SSO input variables.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Multiple apps doing kerberos

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

L7 DoS Protection with NGINX App Protect DoS

Multiple Ways to Configure Usage Reporting in NGINX

DoS Profiles

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS