Setting up Kerberos Constrained Delegation

Hi,

What do you want to configure? Kerberos authentication, Kerberos Contrained Delegation (SSO) or both?

to configure Kerberos auth, I use following powershell commands:

New-ADUser -Name "APM Kerberos Authentication Account" -UserPrincipalName svc_f5_krb_auth@demo.local -SamAccountName "svc_f5_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Set-AdUser -Identity svc_f5_krb_auth -ServicePrincipalNames @{Add="host/app1-ext.demo.local"}
ktpass -princ HTTP/app1.demo.local@demo.local -mapuser svc_f5_krb_auth@demo.local -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass P@ssw0rd -out c:\Shared\svc_f5_krb_authv.keytab 

to configure Kerberos SSO, I use following powershell commands:

New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"} 
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"} 
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true

then, I create kerberos SSO in APM:

create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }

to make Kerberos SSO working, you must assign 2 variables:

• domain (must be user realm = domain FQDN)
  • session.logon.last.domain (default value)
  • session.krbsso.last.domain (in my kerberos SSO configuration)
• username (must be user sAMAccountName)
  • session.logon.last.username (default value)
  • session.krbsso.last.username (in my kerberos SSO configuration)