Forum Discussion
Setting up Kerberos Constrained Delegation
Hello,
I have been trying to get Kerberos authentication to work from a domain-joined computer to a Windows IIS server and seem to be stuck. I have tried many things from a bunch of different posts on DevCentral but don't seem to be getting any closer. I was hoping I could post more of my specifics and see if someone could point out what I am missing. Keep in mind that if I go directly to the web server, I have confirmed that Kerberos authentication is the method being used and is successful; it only fails once I go through the F5. I am running version 11.6.1.
I believe that the main issue is the difference between our host name lab.cityoftest.org and our Kerberos realm DOMAIN.LCL. Since we want to use our wildcard cert for our public domain *.cityoftest.org, but all user names are of the form user@DOMAIN.LCL, I am not sure how to configure the internal DNS A and PTR records to accommodate this scenario.
Here are my settings at this point as they may help better explain what I am trying to do.
Thank you for your time and help in advance!
AD delegate account
userPrincipalName: host/lab.cityoftest.org@DOMAIN.LCL
SPN: host/lab.cityoftest.org
Delegation Tab:
Trust this user for delegation to specified services only, Use any authentication protocol
http IISServer.domain.lcl
Kerberos AAA Server config
Auth Realm: DOMAIN.LCL
Service Name: host
Keytab file details:
Principal = host/lab.cityoftest.org@DOMAIN.LCL
Encryption: arcfour-hmac
Access Policy Kerberos Auth Pointed at Kerberos AAA Server created above
AD Query has search filter: userPrincipalName=%{session.logon.last.username}
SSO Config
Method: Kerberos
Username Source: session.ad.last.attr.sAMAccountName
User Realm Source: session.logon.last.domain
Kerberos Realm: DOMAIN.LCL
KDC: (IP of one of the domain controllers)
Account Name: host/lab.cityoftest.org
APM Error
2017-04-17 15:27:52 metadata len 391
2017-04-17 15:27:52 \N: Could not find SSO domain, check variable assign agent setting
2017-04-17 15:27:52 Websso Kerberos authentication for user 'John' using config '/Common/WebApplication_2'
2017-04-17 15:27:52 \N: adding item to WorkQueue
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 server address = ::ffff:10.10.10.1
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 SPN = HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: realm for user John is not set, using server's realm DOMAIN.LCL
2017-04-17 15:27:52 S4U ======> ctx: , sid: 0x59b1aff0, user: John@DOMAIN.LCL, SPN: HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: Failed to get ticket for user John@DOMAIN.LCL
2017-04-17 15:27:52 \N: failure occurred when processing the work item
- Stanislas_Piro2
Cumulonimbus
Hi,
What do you want to configure? Kerberos authentication, Kerberos Constrained Delegation (SSO) or both?
To configure Kerberos auth, I use the following PowerShell commands:
# Service account that APM uses to validate incoming Kerberos tickets
New-ADUser -Name "APM Kerberos Authentication Account" -UserPrincipalName svc_f5_krb_auth@demo.local -SamAccountName "svc_f5_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
# Register the SPN of the externally facing virtual server on that account
Set-ADUser -Identity svc_f5_krb_auth -ServicePrincipalNames @{Add="host/app1-ext.demo.local"}
# Export the keytab that is uploaded to the APM Kerberos AAA server
ktpass -princ HTTP/app1.demo.local@demo.local -mapuser svc_f5_krb_auth@demo.local -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass P@ssw0rd -out c:\Shared\svc_f5_krb_authv.keytab
To configure Kerberos SSO, I use the following PowerShell commands:
# Delegation account that APM uses to request tickets on behalf of users (S4U)
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
# The delegation account needs an SPN of its own
Set-ADUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
# Constrain delegation to the back-end web service only
Get-ADUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
# No unconstrained delegation; enable protocol transition ("Use any authentication protocol")
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
Then I create the Kerberos SSO object in APM:
create apm sso kerberos SSO_KRB_machine {
    account-name svc_f5_krb
    account-password P@ssw0rd
    kdc 192.168.245.250
    realm DEMO.LOCAL
    user-realm-source session.krbsso.last.domain
    username-source session.krbsso.last.username
}
To make Kerberos SSO work, you must assign 2 variables:
- domain (must be the user realm = domain FQDN)
  - session.logon.last.domain (default value)
  - session.krbsso.last.domain (in my Kerberos SSO configuration)
- username (must be the user's sAMAccountName)
  - session.logon.last.username (default value)
  - session.krbsso.last.username (in my Kerberos SSO configuration)
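The reply above sets up the delegation account in four steps (account, SPN, msDS-AllowedToDelegateTo, protocol transition). The script below is an added verification example, not code from the thread or from F5: it reads the resulting account back from Active Directory and reports whether each of those properties is in the state the reply requires, and whether the back-end SPN is registered on exactly one AD object (a missing or duplicated SPN prevents the KDC from issuing the service ticket). It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name is our own, and the account and SPN values in the usage line are the reply's.

```powershell
# Added example (not from the original thread): verify an APM Kerberos SSO
# delegation account against the state the reply describes.
# Assumes: ActiveDirectory module (RSAT) and a domain-joined PowerShell session.
function Test-ApmKcdAccount {
    param(
        [Parameter(Mandatory)] [string] $DelegationAccount,  # sAMAccountName, e.g. svc_f5_krb
        [Parameter(Mandatory)] [string] $TargetSpn           # back-end SPN, e.g. http/app1.demo.local
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $props = 'ServicePrincipalNames', 'msDS-AllowedToDelegateTo',
             'TrustedToAuthForDelegation', 'TrustedForDelegation', 'UserPrincipalName'
    $acct = Get-ADUser -Identity $DelegationAccount -Properties $props

    $results = [ordered]@{ Account = $acct.SamAccountName; Upn = $acct.UserPrincipalName }

    # 1. Protocol transition ("Use any authentication protocol") must be on, and
    #    unconstrained delegation must stay off, matching the two
    #    Set-ADAccountControl calls in the reply.
    $results['ProtocolTransitionEnabled'] = [bool]$acct.TrustedToAuthForDelegation
    $results['UnconstrainedDelegationOff'] = -not [bool]$acct.TrustedForDelegation

    # 2. The back-end service SPN must appear in msDS-AllowedToDelegateTo.
    #    SPN comparison is case-insensitive (http/ vs HTTP/ are the same service class).
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    $results['AllowedToDelegateTo'] = $allowed -join ';'
    $results['TargetInAllowedToDelegateTo'] = @($allowed | Where-Object { $_ -ieq $TargetSpn }).Count -gt 0

    # 3. The back-end SPN must be owned by exactly one object in the directory.
    #    Zero owners: the KDC has nothing to issue a ticket for.
    #    More than one: duplicate SPN, which also breaks ticket issuance.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
    $results['TargetSpnOwnerCount'] = $owners.Count
    $results['TargetSpnOwners'] = ($owners | ForEach-Object { $_.Name }) -join ';'
    $results['TargetSpnRegisteredOnce'] = $owners.Count -eq 1

    # 4. The delegation account itself needs at least one SPN
    #    (the reply adds host/svc_f5_krb.demo.local).
    $results['DelegationAccountHasSpn'] = @($acct.ServicePrincipalNames).Count -gt 0

    $results['AllChecksPassed'] = $results['ProtocolTransitionEnabled'] -and
                                  $results['UnconstrainedDelegationOff'] -and
                                  $results['TargetInAllowedToDelegateTo'] -and
                                  $results['TargetSpnRegisteredOnce'] -and
                                  $results['DelegationAccountHasSpn']
    [pscustomobject]$results
}

# Usage with the reply's names:
Test-ApmKcdAccount -DelegationAccount svc_f5_krb -TargetSpn 'http/app1.demo.local' | Format-List
```

Run against the original poster's environment, the same call would take the delegation account from the "AD delegate account" section and the target `http/IISServer.domain.lcl` from its delegation tab; the `TargetSpnRegisteredOnce` field then tells you whether the SPN that shows up in the APM log (`HTTP/IISServer.domain.lcl@DOMAIN.LCL`) is actually registered in the directory, which is a prerequisite for the S4U ticket request to succeed regardless of how the session variables are assigned.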