Forum Discussion
Need help with kerberos delegation
So whoever didn't run when you saw the word Kerberos, thank you. I am using the instructions located here to set up Kerberos delegation: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_kerberos_delegation.html
I've added my domain to the F5. My problem is, I don't understand how I am supposed to add the F5 virtual servers to my domain. This is the line they give you:
domaintool --join --admin_principal --host
What I don't understand is the --host portion. It says to use the FQDN of the virtual server you want to add...well, that doesn't exist in any context according to my domain...so all I get is a cannot lookup hostname error. My DNS resolves forward and backward, but what I don't understand is what object is it looking for?
I have added the SPNs for the back end resources to the user account I created for Kerberos delegation...but how do I connect the virtual servers to my domain? Do I have to create AD user accounts for them first? What should I be putting in that --host? What's the syntax? Could someone provide an example or maybe shine some light on this? I would greatly appreciate it. Thank you.
4 Replies
- kunjan
Nimbostratus
Are you on 10.x version? Just wondering if you are looking at the right doc.
- M0d3u52014_1653
Nimbostratus
I am on 11.4.1. I never even thought of it as version specific. Is this something I should maybe be doing with APM instead? The domain is functional 2008 R2 level if that matters.
- M0d3u52014_1653
Nimbostratus
OK, I have switched to the document for my version. Still confused as to how the virtual server gets onto the domain. It says:
In the Client Principal Name field, type the name of the client principal, using the format HTTP/[name], where name is the name of the virtual server you created to use here
OK, fair enough...but how does my Windows domain know what this virtual server is? It is an object that exists on the F5...there is no user associated with it on the domain to attach service principals to. Where is the connection? There is something fundamental about this I am not getting.
I followed the configuration document to the letter and the site stopped responding altogether.
- kunjan
Nimbostratus
Better to follow this solution: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/4.html
The steps to create delegation account
There is no reference to the virtual server created on APM. When APM connects to the back end server IP address, it uses the PTR record to find the corresponding SPN. This is provided you leave 'SPN Pattern' on the Kerberos SSO screen empty.
You can enable debug for SSO from the CLI using
tmsh modify sys db log.sso.level value debug
Let us know how it goes.
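The point kunjan makes above is easy to miss: with SPN Pattern left empty, the SPN that APM requests a delegated ticket for is derived from the back end server's IP address via reverse DNS, not from the virtual server, so the only objects the domain needs are PTR records for the back ends and matching HTTP/fqdn SPNs on the delegation account. The following script is an added example, not code from the thread or from F5; it models that derivation with a constructed PTR table and a constructed list of SPNs (as one would read back with setspn -L), and reports the two failure modes seen in this thread: no PTR record for a back end, and an SPN registered under a name that does not match what the PTR returns. Hostnames, addresses and SPNs are hypothetical.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed PTR records standing in for the reverse zone of a lab domain
# (hypothetical hosts, not taken from the thread).
CONSTRUCTED_PTR: Dict[str, str] = {
    "10.0.0.10": "web01.corp.example.",
    "10.0.0.11": "web02.corp.example.",
}

# Constructed SPN list, as if read back from the delegation account with
# `setspn -L <account>`. The second entry uses a short name, a common
# mismatch against the FQDN that reverse DNS returns.
CONSTRUCTED_ACCOUNT_SPNS: List[str] = [
    "HTTP/web01.corp.example",
    "HTTP/web02",
]


def ptr_lookup_constructed(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed PTR table."""
    return CONSTRUCTED_PTR.get(ip)


def ptr_lookup_system(ip: str) -> Optional[str]:
    """Real reverse lookup through the OS resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def spn_for_backend(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = ptr_lookup_constructed,
    service: str = "HTTP",
) -> str:
    """Derive the SPN APM would request for a back end when SPN Pattern is empty:
    reverse-resolve the pool member address and prefix the service class."""
    ipaddress.ip_address(ip)  # reject anything that is not a literal address
    fqdn = ptr_lookup(ip)
    if not fqdn:
        raise LookupError(f"no PTR record for {ip}; no SPN can be derived")
    # Normalise: strip the trailing dot and lower-case the host part so the
    # comparison with the account's SPN list is not tripped by formatting.
    return f"{service}/{fqdn.rstrip('.').lower()}"


def check_delegation_spns(
    backend_ips: Iterable[str],
    account_spns: Iterable[str],
    ptr_lookup: Callable[[str], Optional[str]] = ptr_lookup_constructed,
) -> Dict[str, Tuple[Optional[str], str]]:
    """For each back end, return (derived SPN or None, status) where status is
    'ok', 'spn-missing-on-account' or 'no-ptr'."""
    registered = {s.lower() for s in account_spns}
    report: Dict[str, Tuple[Optional[str], str]] = {}
    for ip in backend_ips:
        try:
            spn = spn_for_backend(ip, ptr_lookup)
        except LookupError:
            report[ip] = (None, "no-ptr")
            continue
        status = "ok" if spn.lower() in registered else "spn-missing-on-account"
        report[ip] = (spn, status)
    return report


if __name__ == "__main__":
    result = check_delegation_spns(
        ["10.0.0.10", "10.0.0.11", "10.0.0.12"], CONSTRUCTED_ACCOUNT_SPNS
    )
    for ip, (spn, status) in result.items():
        print(f"{ip:12} {spn or '-':28} {status}")
```

Run against real infrastructure by passing ptr_lookup_system and the output of setspn -L for the delegation account; a 'no-ptr' result is the same condition that produced the "cannot lookup hostname" error earlier in the thread, and 'spn-missing-on-account' means the KDC will refuse the delegated ticket even though DNS is fine.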