Forum Discussion
Replace Microsoft NLB with BIGIP 2200S
I believe the issue here is that the NLB server is a Windows box that can natively consume and delegate Kerberos tickets. Your clients are getting a ticket for the lb instance, which I believe is delegating to the server instances, which are then delegating to the SQL servers. The client doesn't know about the servers behind the load balancer, so they must be getting a ticket to the load balancer.
A BIG-IP LTM is not a member of an Active Directory domain, so it cannot on its own consume a Kerberos ticket. The client may be able to request and pass a ticket to it, but the LTM will simply forward that to the backend servers (which will fail). In order to do this multi-step delegation, the client must present a valid Kerberos ticket to a service that can a) consume a ticket and b) perform Kerberos delegation. LTM cannot do this, but APM can.