Forum Discussion
Replace Microsoft NLB with BIGIP 2200S
Goodmorning,
I'm trying to replace several Microsoft NLB clusters with a couple of BIG-IP 2200S to do load balancing for different services.
I have configured the management interfaces, upgraded and connected the two BIG-IP machines.
I have connected 4 interfaces with trunk configuration with all VLAN I need.
Now I'm trying to configure NLB for Microsoft Dynamics NAV and I have some problems. CLIENTS and SERVERS are on the same VLAN. The BIG-IP has an interface on this VLAN.
I tried to configure a virtual server with SNAT, but I have a problem with delegation, and without APM I can't configure Kerberos Delegation, so I have disabled SNAT and clients should arrive directly on the servers (is that right?). I can connect to the Dynamics NAV services, but randomly the client can't reach the server service.
This is the first time that I use a BIG-IP to configure an internal LTM without SNAT and I don't know if my deployment is right.
Thank you very much
Mauro
13 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
I think you are facing multiple issues...
- APM Kerberos Constrained Delegation works with or without SNAT...
- SNAT is mandatory if the server does not route packets back to the client through the BIG-IP.
- Longhi_Mauro_19
Nimbostratus
Thank you very much.
The problem is that my customer doesn't have an APM license.
So if you have the client and server on the same VLAN it's mandatory to use SNAT.
- Kevin_Stewart
Employee
If I may add, first and foremost (as Stanislas stated), as long as the clients and servers are on the same subnet you MUST enable SNAT. I'm a bit confused by the need to do Kerberos delegation here. Delegation requires that one service delegate to another on the client's behalf. A client requesting a Kerberos ticket on its own for a service isn't delegation, unless it's sending a forwarded ticket to another service for that service to delegate to a third service.
In the event that you just need non-delegated Kerberos, where the client requests a Kerberos ticket for the target service, SNAT shouldn't get in the way of that. The client will contact the KDC, get a ticket, and pass that ticket in an HTTP Authorization header to the server. It only gets tricky if there's a proxy server/load balancer between the client and server if that middle device masks the server's true name. A browser will derive the service principal name (SPN) for the ticket request from the HTTP URL, so if the BIG-IP VIP's FQDN is different than the real SPN of the backend service, Kerberos will fail. So for this to work you either need to make the VIP FQDN and backend service SPN/name the same, or employ APM.
In the event that you need delegated Kerberos, then you need a service to do that delegation. APM of course does that delegation.
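As an added illustration of the SNAT point made in the replies above (this is not configuration from the original thread), the following tmsh commands show a same-VLAN virtual server without source address translation next to the corrected one. The pool member addresses, the VIP address 10.172.200.201 and the port 7046 are assumptions; the thread only gives the client address, the old NLB address and the server hostnames.

```tmsh
# Added example, not from the thread. Addresses and port below are assumptions.
# Pool of the two NAV service tiers (navserver1/navserver2.domain.lcl).
create ltm pool nav_pool monitor tcp members add { 10.172.200.11:7046 10.172.200.12:7046 }

# WEAK: no source address translation. On a single VLAN the server sees the
# real client IP and answers the client directly, bypassing the BIG-IP.
# The BIG-IP never sees the return half of the connection, which is why
# connections appear to work only "randomly".
create ltm virtual nav_vs_nosnat destination 10.172.200.201:7046 ip-protocol tcp profiles add { tcp } pool nav_pool source-address-translation { type none }

# CORRECTED: SNAT automap rewrites the client source to the BIG-IP self IP on
# the server VLAN, so the server's reply is forced back through the BIG-IP.
delete ltm virtual nav_vs_nosnat
create ltm virtual nav_vs destination 10.172.200.201:7046 ip-protocol tcp profiles add { tcp } pool nav_pool source-address-translation { type automap }

# Alternative to automap: a dedicated SNAT pool, as the original poster tried.
# create ltm snatpool nav_snatpool members add { 10.172.200.202 }
# modify ltm virtual nav_vs source-address-translation { type snat pool nav_snatpool }

# Checks: confirm the translation setting and watch connections stay symmetric.
list ltm virtual nav_vs source-address-translation
show sys connection cs-server-addr 10.172.200.201
```

Note that SNAT only fixes the routing asymmetry. As the reply above explains, the client still requests a ticket for the name it connects to, so the name that points at the VIP (navserverF5.domain.lcl in the thread) must carry the SPN and delegation entries in Active Directory, and without APM the BIG-IP can neither consume that ticket nor delegate on the client's behalf.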
- Longhi_Mauro_19
Nimbostratus
Let me clarify my case a bit. The client (10.172.200.100) contacts the Microsoft NLB (10.172.200.200) with FQDN navservernlb.domain.lcl. Behind the VIP there is a couple of servers, navserver1.domain.lcl and navserver2.domain.lcl. Both navserverX.domain.lcl have to pass credentials to a SQL server sqlserver.domain.lcl (on the same network), so we have to create a delegation in Active Directory for the FQDN navservernlb.domain.lcl, TCPPORT and username/password.
To replace this situation I have tried to configure a new FQDN, navserverF5.domain.lcl, that points to the BIG-IP virtual server and created a delegation like navservernlb.domain.lcl. I have configured a SNAT Pool and assigned it to the virtual server. When I try to connect to the virtual server (it is not a web page but a NAV client), Anonymous authentication arrives at the SQL server, as if the credentials had disappeared between the client and the NAV server.
Here is a clearer schema.
Thank you
Mauro
- Kevin_Stewart
Employee
I believe the issue here is that the NLB server is a Windows box that can natively consume and delegate Kerberos tickets. Your clients are getting a ticket for the lb instance, which I believe is delegating to the server instances, which are then delegating to the SQL servers. The client doesn't know about the servers behind the load balancer, so they must be getting a ticket to the load balancer.
A BIG-IP LTM is not a member of an Active Directory domain, so it cannot on its own consume a Kerberos ticket. The client may be able to request and pass a ticket to it, but the LTM will simply forward that to the backend servers (which will fail). In order to do this multi-step delegation the client must present a valid Kerberos ticket to a service that can a) consume a ticket and b) perform Kerberos delegation. LTM cannot do this, but APM can.
- Longhi_Mauro_19
Nimbostratus
Hi Kevin, I have activated the APM module to do this, but now I'm blocked because I'm not able to configure this Kerberos Delegation. I have found some documentation, but it all refers to a Logon Page to get the credentials.
Have you got ideas or links for doing this configuration?
- Kevin_Stewart
Employee
I don't have the documentation links in front of me right now, but you want to look for "end user" Kerberos authentication and "SSO" Kerberos authentication. The former is how you configure the client side - how APM will consume a Kerberos ticket, and the latter will configure server side - how APM will delegate to the next service.
- Longhi_Mauro_19
Nimbostratus
Thank you, kunjan!
One question about the "Editing an access policy to support Kerberos SSO" section... What kind of variables do I have to add during the creation of the Variable Assign item?
The guide only explains that I have to create the item....
- kunjan
Nimbostratus
It seems to refer to extracting the username from the client certificate. It is not very clear how you get the username. I assume you are trying to do Kerberos SSO (KCD).