Forum Discussion
Replace Microsoft NLB with BIGIP 2200S
If I may add, first and foremost (as Stanislas stated), as long as the clients and servers are on the same subnet you MUST enable SNAT. I'm a bit confused by the need to do Kerberos delegation here. Delegation requires that one service delegate to another on the client's behalf. A client requesting a Kerberos ticket on its own for a service isn't delegation, unless it's sending a forwarded ticket to another service for that service to delegate to a third service.
In the event that you just need non-delegated Kerberos, where the client requests a Kerberos ticket for the target service, SNAT shouldn't get in the way of that. The client will contact the KDC, get a ticket, and pass that ticket in an HTTP Authorization header to the server. It only gets tricky if there's a proxy server/load balancer between the client and server if that middle device masks the server's true name. A browser will derive the service principal name (SPN) for the ticket request from the HTTP URL, so if the BIG-IP VIP's FQDN is different than the real SPN of the backend service, Kerberos will fail. So for this to work you either need to make the VIP FQDN and backend service SPN/name the same, or employ APM.
In the event that you need delegated Kerberos, then you need a service to do that delegation. APM of course does that delegation.