APM Cookbook: Single Sign On (SSO) using Kerberos
To get the APM Cookbook series moving along, I’ve decided to help out by documenting the common APM solutions I help customers and partners with on a regular basis. Kerberos SSO is nothing new, but seems to stump people who have never used Kerberos before. Getting Kerberos SSO to work with APM is straight forward once you have the Active Directory components configured. Overview I have a pre-configured web service (IIS 7.5/Sharepoint 2010) that is configured for Windows Authentication, which will send a “Negotiate” in the header of the “401 Request for Authorization”. Make sure the web service is configured to send the correct header before starting the APM configuration by accessing the website directly and viewing the headers using browser tools. In my example, I used the Sharepoint 2010/2013 iApp to build the LTM configuration. I’m using a single pool member, sp1.f5.demo (10.10.30.2) listening on HTTP and the Virtual Server listening on HTTPS performing SSL offload. Step 1 - Create a delegation account on your domain 1.1 Open Active Directory Users and Computers administrative tool and create a new user account. User logon name: host/apm-kcd.f5.demo User logon name (pre-Windows 2000): apm-kcd Set the password and not expire 1.2 Alter the account and set the servicePrincipcalName. Run setspn from the command line: setspn –A host/apm-kcd.f5.demo apm-kcd A delegation tab will now be available for this user. Step 2 - Configure the SPN 2.1 Open Active Directory Users and Computers administrative tool and select the user account created in the previous step. Edit the Properties for this user Select the Delegation tab Select: Trust this user for delegation to specified services only Select: Use any authentication protocol Select Add, to add services. Select Users or Computers… Enter the host name, in my example I will be adding HTTP service for sp1.f5.demo (SP1). Select Check Names and OK Select the http Service Type and OK 2.2 Make sure there are no duplicate SPNs and run setspn –x from the command line. Step 3 - Check Forward and Reverse DNS DNS is critical and a missing PTR is common error I find when troubleshooting Kerberos SSO problems. From the BIG-IP command line test forward and reverse records exist for the web service using dig: # dig sp1.f5.demo ;; QUESTION SECTION: ;sp1.f5.demo. IN A ;; ANSWER SECTION: sp1.f5.demo. 1200 IN A 10.10.30.2 # dig -x 10.10.30.2 ;; QUESTION SECTION: ;2.30.10.10.in-addr.arpa. IN PTR ;; ANSWER SECTION: 2.30.10.10.in-addr.arpa. 1200 IN PTR sp1.f5.demo. Step 4 - Create the APM Configuration In this example I will use a Logon Page to capture the user credentials that will be authenticated against Active Directory and mapped to the SSO variables for the Kerberos SSO. 4.1 Configure AAA Server for Authentication Access Policy >> AAA Servers >> Active Directory >> “Create” Supply the following: Name: f5.demo_ad_aaa Domain Name: f5.demo Domain Controller: (Optional – BIG-IP will use DNS to discover if left blank) Admin Name and Password Select “Finished" to save. 4.2 Configure Kerberos SSO Access Policy >> SSO Configurations >> Kerberos >> “Create” Supply the following: Name: f5.demo_kerberos_sso Username Source: session.sso.token.last.username User Realm Source: session.ad.last.actualdomain Kerberos Realm: F5.DEMO Account Name: apm-kcd (from Step 1) Account Password & Confirm Account Password (from Step1) Select “Finished” to save. 4.3 Create an Access Profile and Policy We can now bring it all together using the Visual Policy Editor (VPE). Access Policy >> Access Profiles >> Access Profile List >> “Create” Supply the following: Name: intranet.f5.demo_sso_ap SSO Configuration: f5.demo_kerberos_sso Languages: English (en) Use the default settings for all other settings. Select “Finished” to save. 4.4 Edit the Access Policy in the VPE Access Policy >> Access Profiles >> Access Profile List >> “Edit” (intranet.f5.demo_sso_ap) On the fallback branch after the Start object, add a Logon Page object. Leave the defaults and “Save”. On the fallback branch after the Logon Page object, add an AD Auth object. Select the Server Select “Save” when your done. On the Successful branch after the AD Auth object, add a SSO Credential Mapping object. Leave the defaults and “Save”. On the fallback branch after the SSO Credential Mapping, change Deny ending to Allow. The finished policy should look similar to this: Don't forget to “Apply Access Policy”. Step 5 – Attach the APM Policy to the Virtual Server and Test 5.1 Edit the Virtual Server Local Traffic >> Virtual Servers >> Virtual Server List >> intranet.f5.demo_vs Scroll down to the Access Policy section and select the Access Profile. Select “Update” to save. 5.2 Test Open a browser, access the Virtual Server URL (https://intranet.f5.demo in my example), authenticate and verify the client is automatically logged on (SSO) to the web service. To verify Kerberos SSO has worked correctly, check /var/log/apm on APM by turning on debug. You should see log events similar to the ones below when the BIG-IP has fetched a Kerberos Ticket. info websso.1[9041]: 014d0011:6: 33186a8c: Websso Kerberos authentication for user 'test.user' using config '/Common/f5.demo_kerberos_sso' debug websso.1[9041]: 014d0018:7: sid:33186a8c ctx:0x917e4a0 server address = ::ffff:10.10.30.2 debug websso.1[9041]: 014d0021:7: sid:33186a8c ctx:0x917e4a0 SPN = HTTP/sp1.f5.demo@F5.DEMO debug websso.1[9041]: 014d0023:7: S4U ======> ctx: 33186a8c, sid: 0x917e4a0, user: test.user@F5.DEMO, SPN: HTTP/sp1.f5.demo@F5.DEMO debug websso.1[9041]: 014d0001:7: Getting UCC:test.user@F5.DEMO@F5.DEMO, lifetime:36000 debug websso.1[9041]: 014d0001:7: fetched new TGT, total active TGTs:1 debug websso.1[9041]: 014d0001:7: TGT: client=apm-kcd@F5.DEMO server=krbtgt/F5.DEMO@F5.DEMO expiration=Tue Apr 29 08:33:42 2014 flags=40600000 debug websso.1[9041]: 014d0001:7: TGT expires:1398724422 CC count:0 debug websso.1[9041]: 014d0001:7: Initialized UCC:test.user@F5.DEMO@F5.DEMO, lifetime:36000 kcc:0x92601e8 debug websso.1[9041]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1 debug websso.1[9041]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO - trying to fetch debug websso.1[9041]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: test.user@F5.DEMO - trying to fetch debug websso.1[9041]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: test.user@F5.DEMO debug websso.1[9041]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO debug websso.1[9041]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO debug websso.1[9041]: 014d0001:7: S4U ======> OK! Conclusion Like I said in the beginning, once you know how Kerberos SSO works with APM, it’s a piece of cake!APM Kerberos Auth or fallback to another authentication method
Problem this snippet solves: This iRule can be used when it is required to offer both Kerberos authentication and for example SAML or another authentication method in a mixed environment for devices that are domain joined and devices that are not domain joined. This iRule uses javascript and HTML5 Web Workers to determine if the browser can successfully authenticate by using Kerberos or will need to fallback to another authentication method. I've been testing this iRule with Internet Explorer, Edge, Firefox and Chrome. All these browsers seem to be working fine. Only Chrome seems to do things a bit differently and is showing a login prompt for a split second, but it's working. How to use this snippet: The screenshot below shows an example of an Access Policy that uses either Kerberos or SAML authentication. The first agent in the policy is an 'Empty Agent' which will read the session.custom.domainjoined variable to determine which authentication method to use. The session.custom.domainjoined variable is set by the kerberos_auth_or_fallback_auth iRule. Tested this on version: 13.0 Link to iRule https://github.com/nvansluis/f5.kerberos_auth_or_fallback_authTransparent Kerberos Authentication and APM fallback authentication
Problem this snippet solves: This iRule can be used when it is required to offer both Kerberos authentication (transparent, non-APM) and for example SAML or another APM authentication method in a mixed environment for devices that are domain joined and devices that are not domain joined. This iRule uses javascript and HTML5 Web Workers to determine if the browser can successfully authenticate by using Kerberos or will need to fallback to another authentication method. I've been testing this iRule with Internet Explorer, Edge, Firefox and Chrome. All these browsers seem to be working fine. Only Chrome seems to do things a bit differently and is showing a login prompt for a split second, but it's working. How to use this snippet: Create a Virtual Server that delivers a webserver that uses Kerberos Authentication. Create APM Access Policy that will perform the fallback authentication. Add this iRule to the Virtual Server that holds the APM access policy to perform the fallback authentication. Tested this on version: 13.0 Location of iRule https://github.com/nvansluis/f5.transparent_kerberos_auth_or_apm_authentication
Kerberos is Easy - Part 2
Yes my friends, this post has been long overdue. Life, work and all the other good excuses got in the way. However, there is nothing like a friend calling you out with a “WTF I need part 2” to get the motivation and kerberos mana flowing again. So where did we leave off? In part 1 we discussed some of the most common issues with Kerberos authentication and the necessity to break the problem down to client-side vs server-side authentication. In part 2 we will look at some of the first troubleshooting steps I take to determine why nothing is working - yes, this happens to me too. ADTest is Your New BF4L You know those people that open a web browser to see if their Internet works… yea, don’t be that person. Open a terminal, check if you can ping your gateway, public DNS server, etc. and then, only then, open a browser. ADTest is your equivalent of ping. Don’t assume because you configured an Active Directory AAA object that authentication is just going to work. Please open a console and verify that Kerberos authentication against the AD server is working with ADTest. Check out my APM Troubleshooting with ADTest for more information. Time is not on Your Side If you have worked with Kerberos before you know it is supper picky about time drift. If ADTest just won’t work and you can’t figure out why ensure the BIG-IP’s time matches the KDC. If you need to adjust the BIG-IP follow the F5 SOL3381. These Are Not the KDCs You’re Looking For Ever been in a multi-domain environment and the AD admin swears the KDC you’re talking to is the correct one; never mind the “Kerberos Principal Unknown” error you keep getting. So if ADTest doesn’t work then we need to ensure the AD server we’re talking to is a KDC for the expected realm. Now, if someone can RDP into the server this can be ruled out pretty quickly, but when in life is anything that easy. So it’s helpful to use nslookup to find all KDCs for the intended domain and ensure the IP you were give is in this list - example below: C:\Users\user>nslookup -type=SRV _kerberos._tcp.dc._msdcs.f5demo.com Server: ad1.f5demo.com Address: 10.1.10.2 _kerberos._tcp.dc._msdcs.f5demo.com SRV service location: priority = 0 weight = 100 port = 88 svr hostname = ad1.f5demo.com ad1.f5demo.com internet address = 10.1.10.2 ad1.f5demo.com internet address = 10.1.1.3 Playing Go Fish with SPNs You have to admire how Microsoft took something as complicated as Kerberos and made it trivial to deploy and manage inside of Active Directory. Having managed MIT and MS version of Kerberos myself I felt a little guilty after setting up my first AD server without hours of troubleshooting issues. However, with that ease of use Microsoft also made it easy to shoot your own foot off if you have no basic understanding of Kerberos. Think of the KDC as a key, value pair database. The KDC will let you store multiple keys of the same value even though you shouldn’t do that. So if you have multiple SPN entries in AD you are not guarantied that a request for a ticket will return the value you’re looking for. This typically presents itself in APM as authentication works onetime and not the other. An easy way to check this is to log into a domain machine and issue: setspn -X This will print out any duplicate SPNs in your KDC. If the SPN you are working with appears in this list then you need to correct this issue. The easiest way I find is to delete the service account you have created for APM and just use the service account the web server application pool is using. Cached Tickets APM caches Kerberos tickets for both client side Kerberos authentication and server side Kerberos SSO. If you’re troubleshooting Kerberos be sure to clear these caches after you’ve made modifications. For Kerberos AAA: bigstart restart apd rba For Kerberos SSO: bigstart restart websso I’ll Just Do It Myself If you are working with Kerberos SSO then you have to sometimes determine if the issue is with APM obtaining the token or the web server not accepting the token. If you have your WebSSO logging set to debug and Kerberos SSO is working then you should see S4U=====>OK If not, then there are a few CLI commands you can use to simulate the request APM makes to the KDC. First, remove all kerberos tickets. kdestroy Second, obtain a kerberos ticket as the AD delegation account (if this works you won’t get a response) kinit -f <SPN of AD delegation account> Finally, test if the ticket you obtain has delegation capabilities knvo -C -U <username> <SPN of AD delegation account> If you receive a key version number on the kvno command then everything is working and it proves that ASREQ and RSREQ work. So the issue more than likely is on the web server side and not the F5 - more on this in part 3.
Outlook Anywhere and NTLM authentication
Hello, I am trying to achieve Outlook Anywhere with basic-NTLM and Kerberos SSO. I followed the DG and am stucked at NTLM authentication. When I create the NTLM Machine Account the logs say that it joined the domain, then I create the NTLM Auth Configuration with my domain and DCs. After that I see this messages in the logs: nlad[11851]: 01620000:3: <0x2b3374f71700> nlclnt[12a02a8c0] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC 192.168. I added some Exchange groups to the machine account and enabled delegation for http with Exchange servers. I then try to renew machine account password but I have this error: adutil[16625]: 01490274:5: (null):Common:00000000: New master key received. adutil[16625]: 01490200:3: ERROR: Could not connect to domain domain controller of realm 'EXAMPLE.AD' adutil[16625]: 01490200:3: WARNING: machine account update for 'f5apm' failed: Preauthentication failed, principal name: f5apm@EXAMPLE.AD. Invalid user credentials. (-1765328360) Then I took a look at Kerberos trafic and could see that the bigip can't get a Kerberos ticket: At this step I am not even talking about Kerberos SSO which I think has nothing to do with NTLM. I have found K33692321 but it doesn't help. I also took a look at K08915521. It says that it may be a domain name or NetBIOS name issue but I know that my domain is EXAMPLE.AD and NetBIOS EXAMPLE. Does someone already managed to make this work ? It is a standard configuration so am I missing something Windows side ? Best regards
Problem with Kerberos in iApp for Exchange 2013
Hey, I have set up an iApp for Exchange 2013 (f5.microsoft_exchange_2010_2013_cas.v1.3.0) on BIGIP 11.4.1. Now, Autodiscover won't work and to me it looks like some kerberos problem. I have reviewed the config following https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos, but instead of fetched S4U2Self ticket for user: test.user@F5.DEMO I get the following: May 26 17:52:10 F5BIGIP03 info websso.1[13873]: 014d0011:6: 1c8813d7: Websso Kerberos authentication for user 'testuser' using config '/PTA_Gruppe/PTAexchange.app/exchange_ntlm_kerberos_sso' May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0046:7: 1c8813d7: adding item to WorkQueue May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0018:7: sid:1c8813d7 ctx:0x8f9e528 server address = ::ffff:172.17.27.192 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0021:7: sid:1c8813d7 ctx:0x8f9e528 SPN = HTTP/exmbx01.domain.com@DOMAIN.COM May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0023:7: S4U ======> ctx: 1c8813d7, sid: 0x8f9e528, user: testuser@DOMAIN.COM, SPN: HTTP/exmbx01.domain.com@DOMAIN.COM May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Getting UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: fetched new TGT, total active TGTs:1 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT: client=host/bigip_ntlmuser@DOMAIN.COM server=krbtgt/DOMAIN.COM@DOMAIN.COM expiration=Tue May 27 03:52:10 2014 flags=40600000 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT expires:1401155530 CC count:0 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Initialized UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000 kcc:0x9054ae8 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1 May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: testuser@DOMAIN.COM server: HTTP/exmbx01.domain.com@DOMAIN.COM - trying to fetch May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: testuser@DOMAIN.COM - trying to fetch May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testuser@DOMAIN.COM - Server not found in Kerberos database (-1765328377) May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0024:3: 1c8813d7: Kerberos: Failed to get ticket for user testuser@DOMAIN.COM I suppose that I have committed some really simple error. Can anyone give me a hint where I have to look? Thank you! Regards, AlexKerberos SSO without webtop
Dear Fellows, Is it possible to have a irule for kerberos SSO without webtop similar to SAML SSO without webtop. Do you have an example: SAML SSO without webtop: when ACCESS_POLICY_COMPLETED { switch -glob [ACCESS::session data get session.server.landinguri] { "/mycloudapp*" { ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/MYCLOUDAPP" } "/proofpoint*" { ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/PROOFPOINT" } "/businessolver*" { ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/BUSINESSOLVER" } }
Kerberos AAA login pop-up issue
Folks, Before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue! Here we go! I have a Virtual server (companyA.example.com:443) An access policy with a 401 response agent followed by Kerberos Auth agent is assigned to the VIP. Users are in domain (inside.corp) AD setup: A service account is setup on AD server (f5-service-account) Keytab: c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab SPN setspn -U -A HTTP/companyA.example.com f5-service-account F5 setup The keytab file is uploaded under Access->AAA->kerberos & auth realm INSIDE.CORP is used. When tested with APM in debug mode, I found below error in the logs modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information From Client side, SSO doesn't work and getting a browser pop-up where i can input the credentials. Entering the creds doesn't work either. APM VPE: Any help is greatly appreciated! Thanks in advance!
Problems with using Kerberos Authentication
Hi Everyone, Trying to get Kerberos Authentication to work through a APM policy. I am not trying to get SSO to work (well, not yet anyway) - just trying to get Kerberos authentication from a domain attached Windows 7 client. Have followed the documents and created a service account with appropriate settings and imported a keytab file. There is a 'HTTP 401 Response' and a 'Kerberos Auth' step in my pipeline, but it just falls straight through to 'fallback' and denies access. In the APM logs I see: Nov 7 09:48:55 auhof51 debug apd[6907]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: 850bee9c : GSS-API error gss_acquire_cred: d0000 : Unspecified GSS failure. Minor code may provide more information Nov 7 09:48:55 auhof51 debug apd[6907]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: 850bee9c : GSS-API error gss_acquire_cred: 186a4 : Is there any way to work out what the GSS-API error number 186a4 might mean? Thanks, Jason
