Forum Discussion

Baddogsettle_16's avatar
Baddogsettle_16
Icon for Nimbostratus rankNimbostratus
Jul 28, 2014

Multiple apps doing kerberos

Hi all...I am setting up a new BIG-IP environment (v.11.5.1) to front multiple backend services. What is the simplest way to have multiple services (i.e. webservice1.company.com, webservice2.complany.com, etc) that are completely separate fron one another, utilize kerberos from a single domain? Do I need to create a seperate keytab files for each service? If so, do these each need to utilize a differente service account?

 

Thanks,

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
LTM
security
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Dec 20, 2017

    JdTokenRing,

     

    However if we did this same practice to say Sharepoint which uses host names for site rendering and its running under a service account, is that where I would need to configure that account for delegation and add a SPN for it in particular?

     

    Yes. You just have to make sure that APM is requesting a ticket for the correct service principal name.

     

    Is there a good Kerb reference you would recommend?

     

    The Kerberos RFCs (1510 and 4120) are a great (albeit dry) place to start, plus there a few books on Amazon that give it decent coverage.