My issue with Single Sign-On (SSO) using Kerberos Constrained Delegation when we redirect the traffic to the F5 load balancer.
Dears,
I am facing an issue with Single Sign-On (SSO) using Kerberos Constrained Delegation when integrated with F5.
We are using a Web Proxy in the cloud; our web services are published through this cloud portal. So basically the client accesses the portal in the cloud using their Office 365 credentials and is then redirected to our internal on-premises applications when they click any of the published services on the portal. The authentication works seamlessly: the user authenticates only once when accessing the portal (Kerberos is doing its job). This SSO breaks when we redirect the traffic to the load balancer: the user gets another credential request when trying to access a service.
I was reading this article and I am not sure if it is applicable to my case, because I don't want to use a logon page from F5 APM; I only need to pass the authentication when the server sends the 401 response that contains the challenge: https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
On the other side, I was reading this document, and I am also not sure if it works for my case: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html
I would appreciate any help with my scenario and what I should do.
Regards, Muhannad
- Muhannad_64809
Nimbostratus
Dears,
Can anyone help me with this?
Regards, Muhannad
Maybe you could give a more specific example of what exactly doesn't work. What does the redirect to the load balancer look like? Something like a drawing may help us get a better picture.
If I understand correctly, the Web Proxy portal is the Identity Provider (IdP) and the LTM/APM box in your setup is a Service Provider (SP). Have you established a SAML (federation) connection between the LTM/APM box and the Azure Web Proxy?
Hi Niels,
No, I didn't set up any SAML federation between them. Can you please provide me with any documentation to test it?
Regards, Muhannad
Hi Niels,
I am visiting the client site tomorrow; I will try to collect all the data for further investigation and will share it with you.
Many thanks for your kind support.
Regards, Muhannad
Hi Niels,
I have checked how the client environment operates for SSO with Azure Web Proxy. The solution provides the client with two-factor authentication and then grants them seamless authentication to all the web services; it is basically a proxy that redirects the requests from the cloud to the web servers in the datacenter, and there is a connector that handles the Kerberos tickets with AD. The best article that explains the solution can be found below: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-sso-using-kcd
Also, I did a packet capture on the server side with the F5 LTM bypassed, to see that the client includes an Authorization: Negotiate header when requesting the service (the Kerberos ticket and token were seen in the GET request), which means that there should be some kind of pre-authentication process between Azure and AD when the client starts the session.
I think that F5 APM should be part of this Kerberos Constrained Delegation process, but I am not sure how this can be done.
I would appreciate your assistance regarding the proper integration that should be done on the F5 side.
Thanks again for your help, Muhannad
In your setup, do you also use the Azure AD Proxy Connector or do you want to replace the Azure AD Proxy Connector with the BIG-IP? If you use both the Azure AD Proxy Connector and the BIG-IP, I think you don't need to use an APM Access Policy, because Kerberos Constrained Delegation is performed by the Azure AD Proxy Connector.
In our case we have the AD proxy connector doing the delegation, and it works fine when the traffic flows to the web server directly, but we face the issue when the traffic is redirected to the LTM: we are unable to see the Kerberos ticket in the client's initial GET. To be honest, I am not sure why this trust domain failed once the traffic was redirected to the LTM.
I would welcome any clue to check further the issue.
How do you redirect the traffic from the Web Proxy to the server? Do you make changes in DNS? Kerberos is always picky about DNS. Make sure that the VIP on the BIG-IP has both A and PTR records set correctly.
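An added example, not code from the thread and not F5's or Microsoft's: a small Python script that does what the packet capture above was used for by hand. It inspects the client's first GET and the server's 401 and reports whether a Kerberos ticket was actually presented (bare Kerberos or SPNEGO with Kerberos as the first mechType), whether the client fell back to NTLM, or whether no Authorization header was sent at all, which is the symptom seen through the LTM. The host names, paths and tokens are constructed samples; the tokens carry only the GSS-API/SPNEGO DER framing and mechanism OIDs, not real AP-REQs, and the hint about the HTTP/<fqdn> SPN is general Kerberos behaviour rather than anything the thread confirms.

```python
import base64
from typing import Dict, List, Tuple

# Mechanism OIDs as DER contents (tag and length stripped).
SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV used only to build the constructed sample tokens (short-form length)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def _der_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_gss_token(token: bytes) -> str:
    """Name the mechanism carried by a decoded 'Authorization: Negotiate' token."""
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                        # raw NTLMSSP message, no GSS wrapping at all
    if not token or token[0] != 0x60:        # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    try:
        _, i = _der_length(token, 1)
        if token[i] != 0x06:                 # thisMech OID must come first
            return "unknown"
        oid_len, j = _der_length(token, i + 1)
        mech_oid, rest = token[j:j + oid_len], token[j + oid_len:]
    except (IndexError, ValueError):
        return "unknown"
    if mech_oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"                    # bare Kerberos AP-REQ follows
    if mech_oid != SPNEGO_OID:
        return "unknown"
    # SPNEGO NegTokenInit: the first OID in mechTypes is the client's preferred mechanism.
    found = [(rest.find(oid), name) for name, oid in
             (("kerberos", KRB5_OID), ("kerberos", MS_KRB5_OID), ("ntlm", NTLMSSP_OID))
             if rest.find(oid) >= 0]
    return "spnego/" + (min(found)[1] if found else "unknown")


def parse_http(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP message into its start line and a lower-cased header multimap."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def analyze_request(raw: str) -> Dict[str, str]:
    """Report which credential, if any, the client's request carried."""
    start, headers = parse_http(raw)
    method, path = start.split(" ")[:2]
    info = {"method": method, "path": path, "host": headers.get("host", [""])[0],
            "auth": "none", "mech": "none"}
    for value in headers.get("authorization", []):
        scheme, _, param = value.partition(" ")
        info["auth"] = scheme
        if scheme.lower() == "negotiate":
            try:
                info["mech"] = classify_gss_token(base64.b64decode(param, validate=True))
            except ValueError:               # binascii.Error is a ValueError
                info["mech"] = "undecodable"
    return info


def offered_schemes(raw_response: str) -> List[str]:
    """List the schemes a 401 response challenges with, in header order."""
    _, headers = parse_http(raw_response)
    return [v.split(" ")[0] for v in headers.get("www-authenticate", [])]


def diagnose(request: str, response: str) -> str:
    """One-line verdict on the request/401 pair, in the terms of the thread's symptom."""
    req, offered = analyze_request(request), offered_schemes(response)
    if req["mech"] in ("kerberos", "spnego/kerberos"):
        return "client presented a Kerberos ticket for %s; the SSO input is fine" % req["host"]
    if req["auth"] == "none" and "Negotiate" in offered:
        return ("no ticket presented to %s although Negotiate is offered: check that the name "
                "resolves (A and PTR) and matches the HTTP/ SPN the delegating account requests"
                % req["host"])
    if req["mech"].endswith("ntlm"):
        return "client fell back to NTLM for %s; no Kerberos ticket for this name" % req["host"]
    return "no Negotiate exchange seen for %s" % req["host"]


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


# Constructed samples (not captures from the thread): valid framing, truncated payloads.
KRB_TOKEN = der(0x60, der(0x06, KRB5_OID))                       # real AP-REQ would follow
SPNEGO_KRB_TOKEN = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, der(
    0x30, der(0x06, KRB5_OID) + der(0x06, NTLMSSP_OID))))))      # mechTypes: krb5 then NTLM
NTLM_TOKEN = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"  # NEGOTIATE_MESSAGE prefix

REQ_DIRECT = ("GET /app/ HTTP/1.1\r\nHost: app.corp.example\r\n"
              "Authorization: Negotiate " + _b64(SPNEGO_KRB_TOKEN) + "\r\n\r\n")
REQ_VIA_LTM = "GET /app/ HTTP/1.1\r\nHost: app-vip.corp.example\r\n\r\n"
REQ_NTLM = ("GET /app/ HTTP/1.1\r\nHost: app-vip.corp.example\r\n"
            "Authorization: Negotiate " + _b64(NTLM_TOKEN) + "\r\n\r\n")
RESP_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
            "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("direct", REQ_DIRECT), ("via LTM", REQ_VIA_LTM), ("NTLM", REQ_NTLM)):
        print("%-8s %-16s %s" % (label, analyze_request(req)["mech"], diagnose(req, RESP_401)))
```

To use it on real traffic, paste the client's first GET (as captured on the server with and without the LTM in the path) and the server's 401 into the two string constants; a "none" verdict for the VIP name but "spnego/kerberos" for the backend name points at the client never obtaining a ticket for the VIP name, which is exactly the DNS/SPN check suggested above.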