Forum Discussion

Dani_Gallardo
Jul 28, 2016

APM SSO - Kerberos double hop delegation issue

Hi,

We are using APM per-app vpn for allowing mobile devices to access internal applications via VPN. Authentication is based on username/password and device certificate.

Some applications are doing SSO with Kerberos and it is working fine in a normal scenario, when only one delegation is performed (by the APM). In this scenario, client credentials are delegated by the F5 to the final application.

However, we have another application (Alfresco) which by itself already performs Kerberos delegation to forward user credentials between different application components.

When accessing Alfresco via APM, double hop delegation is done and it is not working. After taking some network traces we see that the KDC returns a TGS ticket with the ok-as-delegate flag, but the SPNEGO packet sent by the F5 carries the flag "DO NOT DELEGATE" in the authenticator part.

Theoretically, when the client (F5) receives a TGS with ok-as-delegate, GSSAPI should set the GSS_C_DELEG_FLAG.

Alfresco receives the AP-REQ packet and fails when checking the delegation information, honoring the client.

It looks like the F5's Kerberos client is not behaving as expected. We would like to know if there is any way to make sure the F5 Kerberos client sets the delegation flag when receiving a TGS ticket with the ok-as-delegate flag from the KDC.

Thanks in advance.
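As an added diagnostic example (not F5's or Alfresco's code, and not part of the original post): the delegation decision described in the trace lives in the GSS-API checksum (type 0x8003) of the AP-REQ Authenticator, whose RFC 4121 layout carries the GSS flags and, when GSS_C_DELEG_FLAG is set, the forwarded KRB-CRED. The parser below reads that field from bytes extracted from a capture and reports whether the client actually requested delegation; the two sample blobs are constructed test vectors, not real captures.

```python
import struct

# GSS flag bits carried in the RFC 4121 authenticator checksum (section 4.1.1.1).
GSS_FLAG_NAMES = {0x01: "GSS_C_DELEG_FLAG", 0x02: "GSS_C_MUTUAL_FLAG",
                  0x04: "GSS_C_REPLAY_FLAG", 0x08: "GSS_C_SEQUENCE_FLAG",
                  0x10: "GSS_C_CONF_FLAG", 0x20: "GSS_C_INTEG_FLAG"}


def parse_gss_checksum(cksum: bytes) -> dict:
    """Parse the 0x8003 checksum of an AP-REQ Authenticator (RFC 4121 4.1.1).

    Layout: Lgth (4 bytes LE, always 16) | Bnd (16) | Flags (4 bytes LE) |
    DlgOpt (2) | Dlgth (2) | Deleg (KRB-CRED), the last three only present
    when GSS_C_DELEG_FLAG is set.
    """
    if len(cksum) < 24:
        raise ValueError("checksum shorter than the fixed 24-byte header")
    lgth = struct.unpack_from("<I", cksum, 0)[0]
    if lgth != 16:
        raise ValueError(f"unexpected Lgth {lgth}, expected 16")
    flags = struct.unpack_from("<I", cksum, 20)[0]
    info = {"flags": flags,
            "flag_names": [n for bit, n in GSS_FLAG_NAMES.items() if flags & bit],
            "delegation_requested": bool(flags & 0x01),
            "delegated_cred": None}
    if flags & 0x01:
        # Delegation requested: a forwarded KRB-CRED must follow the flags.
        if len(cksum) < 28:
            raise ValueError("GSS_C_DELEG_FLAG set but DlgOpt/Dlgth missing")
        dlgopt, dlgth = struct.unpack_from("<HH", cksum, 24)
        if dlgopt != 1:
            raise ValueError(f"unexpected DlgOpt {dlgopt}, expected 1")
        deleg = cksum[28:28 + dlgth]
        if len(deleg) != dlgth:
            raise ValueError("Dlgth exceeds remaining checksum bytes")
        info["delegated_cred"] = deleg
    return info


def build_sample_checksum(flags: int, krb_cred: bytes = b"") -> bytes:
    """Build a constructed checksum blob (test vector, not a real capture)."""
    blob = struct.pack("<I", 16) + b"\x00" * 16 + struct.pack("<I", flags)
    if flags & 0x01:
        blob += struct.pack("<HH", 1, len(krb_cred)) + krb_cred
    return blob


# Constructed samples: the "DO NOT DELEGATE" authenticator seen in the trace
# (0x3E, DELEG bit clear) and the expected one (0x3F, DELEG set plus KRB-CRED).
NO_DELEG = build_sample_checksum(0x3E)
WITH_DELEG = build_sample_checksum(0x3F, b"<constructed KRB-CRED placeholder>")
```

To check a real trace, extract the raw bytes of the Authenticator's cksum field (cksumtype 0x8003) after decrypting it with the service key and pass them to `parse_gss_checksum`; a first hop whose result shows `delegation_requested` False explains why the second hop has nothing to forward.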
