For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doug_Pruiett_24's avatar
Doug_Pruiett_24
Icon for Nimbostratus rankNimbostratus
Feb 08, 2016

Multiple Windows Authentication Prompts after F5 Authentication

I am not the principle engineer on this issue, nor an F5 expert. I am part of a project that uses F5 and doing a little research to see if I can find help for an issue we are having.   The desire...
Secure Web Gateway
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 08, 2016

Okay, so there are few things to consider here:

 

  1. First and foremost APM needs to know what the SPN is for each target application. You can either set this manually with the SPN pattern in the SSO profile, or in lieu of that APM will perform a reverse DNS lookup using the server's IP address to get its hostname (ex. server1.domain.com) and then convert that to a SPN (ex. http/server1.domain.com@DOMAIN.COM). If you don't see the correct SPN in the APM log, then that's very likely the first problem.

     

  2. APM is going to perform Kerberos constrained delegation and protocol transition to the target application through a separate delegation account. This account should a) be set to "Trust this user for delegation to specified services only" and "use any authentication protocol", and b) have defined all of the HTTP SPNs for the applications that it will delegate to.