kerberos constrained delegation
3 Topics

APM "Remote Desktop Web Access" Kerberos SSO option
Currently working with a customer who is very interested in APM's Remote Desktop Web Access feature. MFA is strictly enforced in this environment, so usernames and passwords are a no go, so NTLM is out. But within the Remote Desktop Web Access object definition, there is a "Kerberos SSO Configuration" option where you can select a predefined Kerberos SSO profile. Through contextual clues, I assumed that this would be to set up a Kerberos Constrained Delegation scenario, mostly geared towards environments where passwords are not an option.

In setting this up, I have confirmed that the Windows server hosting the RemoteApp Web portal has been set up to accept Windows Integrated authentication, along with assigning the appropriate SPNs to the Computer Object in AD. I have validated that Kerberos authentication works going directly to the RemoteApp web portal (bypassed the forms page, saw the security event of the Kerberos logon within the Windows security events, etc.). I have set up the delegation account in AD for the Kerberos SSO profile and have verified that it has the appropriate permissions and delegated SPNs. After all of this I still receive the logon box from Webtop requiring a username, password and domain.

I haven't found any documentation on this particular option in APM, "Remote Desktop Web Access". So my question is, can a KCD setup be done with this APM feature, and is this particular Kerberos SSO drop-down used in this setup? If it cannot be done, what does this Kerberos SSO drop-down menu do? Thanks to any and all who can share their wisdom!

SSO Using Kerberos Constrained Delegation for Multiple Domains
We are utilizing an SSO Kerberos configuration to access a few of our applications in our domain (Domain1). Domain1 is a child domain and is configured as the Kerberos Realm in the SSO Kerberos configuration. The account name used in the configuration is also a member of Domain1. This is working for Domain1 clients with no issues.

We want to give a different child domain (Domain2) access to these applications. Domain2 is in the same forest as Domain1 and has a two-way trust. The F5 can reach both domains and resolve them in DNS. Clients from Domain2 are not able to get a Kerberos ticket. The following error shows in the APM log:

Kerberos: Failed to get ticket for user test@Domain2.com and failure occurred when processing the work item

Is it even possible to have clients from another child domain get a ticket using an F5 in another domain? Also, is there any way to get more detailed logs on why Domain2 cannot get a Kerberos ticket? I have the log level set to debug for Access Policy and SSO.

Can the LTM SSL client certificate LDAP authentication module be configured to do protocol transition and Kerberos constrained delegation?
Can the LTM SSL client certificate LDAP authentication module be configured to do protocol transition and Kerberos constrained delegation if the LDAP server is an Active Directory Domain Controller?

If not, can an iRule be used to do protocol transition and Kerberos constrained delegation after the LTM SSL client certificate LDAP authentication module has successfully authenticated and authorized the user?

If not, can the tmsh command create kerberos-delegation be used in a way such that protocol transition and Kerberos constrained delegation is done after the LTM SSL client certificate LDAP authentication module has successfully authenticated and authorized the user?

If not, is using APM the only way to do protocol transition and Kerberos constrained delegation of a user authenticating using client certificate authentication with Active Directory?
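Both the first post (APM Remote Desktop Web Access with a Kerberos SSO profile) and the third (protocol transition after certificate authentication) depend on the same Active Directory prerequisites: the delegation account must be trusted for constrained delegation with protocol transition, the backend SPN must be in its msDS-AllowedToDelegateTo list, that SPN must be registered on exactly one AD object, and the impersonated user must not be marked non-delegable. The script below is an added example, not code from the posts or from F5; it encodes those checks over constructed attribute values of the kind you would export with Get-ADUser and setspn -L. The account names, hostnames and SPNs are hypothetical, and nothing here talks to a domain controller or a BIG-IP.

```python
"""Offline review of the AD objects behind a Kerberos constrained delegation
(KCD) with protocol transition setup, e.g. an APM Kerberos SSO profile.

Mirrors what an engineer checks by hand with
    Get-ADUser <svc> -Properties userAccountControl,msDS-AllowedToDelegateTo
    setspn -L <host>   /   setspn -X
All values below are constructed; nothing here contacts Active Directory."""
from __future__ import annotations

# userAccountControl bit values as documented by Microsoft (ADS_USER_FLAG_ENUM).
NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")


def normalise_spn(spn: str) -> str:
    """The KDC matches SPNs case-insensitively; compare them the same way."""
    return spn.strip().lower()


def check_delegation_account(uac: int, allowed_to_delegate_to: list[str], target_spn: str) -> list[str]:
    """Finding codes for the delegation (APM) account; empty means it can
    perform S4U2Self followed by S4U2Proxy to target_spn."""
    findings = []
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # Without protocol transition the KDC only honours S4U2Proxy when the
        # account holds a forwardable ticket from the user. After an MFA or
        # certificate logon the proxy never has one, so S4U2Self must be allowed.
        findings.append("NO_PROTOCOL_TRANSITION")
    if uac & TRUSTED_FOR_DELEGATION:
        # Unconstrained delegation lets the account impersonate users to any service.
        findings.append("UNCONSTRAINED_DELEGATION")
    allowed = {normalise_spn(s) for s in allowed_to_delegate_to}
    if normalise_spn(target_spn) not in allowed:
        findings.append("TARGET_SPN_NOT_DELEGATED")
    return findings


def check_target_spn(target_spn: str, spn_registry: dict[str, list[str]]) -> list[str]:
    """spn_registry maps an AD object (computer$ or service account) to its SPNs.
    A service ticket is issued only when the SPN resolves to exactly one object."""
    wanted = normalise_spn(target_spn)
    owners = [obj for obj, spns in spn_registry.items()
              if wanted in {normalise_spn(s) for s in spns}]
    if not owners:
        return ["TARGET_SPN_UNREGISTERED"]
    if len(owners) > 1:
        return ["TARGET_SPN_DUPLICATE"]
    return []


def check_user(uac: int) -> list[str]:
    """The impersonated user must itself be delegable. (Membership of the
    Protected Users group also blocks delegation but is not a UAC bit.)"""
    return ["USER_NOT_DELEGABLE"] if uac & NOT_DELEGATED else []


def review(svc_uac: int, svc_allowed_to: list[str], target_spn: str,
           spn_registry: dict[str, list[str]], user_uac: int) -> list[str]:
    """Run every check and return the combined list of finding codes."""
    return (check_delegation_account(svc_uac, svc_allowed_to, target_spn)
            + check_target_spn(target_spn, spn_registry)
            + check_user(user_uac))


# Constructed sample data (hypothetical hosts and accounts).
TARGET_SPN = "HTTP/rdweb.corp.example.com"
SPN_REGISTRY = {
    "RDWEB01$": ["HTTP/rdweb.corp.example.com", "HTTP/rdweb", "HOST/RDWEB01.corp.example.com"],
    "svc_iis": ["HTTP/intranet.corp.example.com"],
}
GOOD_SVC_UAC = NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
GOOD_ALLOWED_TO = ["http/RDWEB.corp.example.com", "http/rdweb"]  # case differs on purpose
BAD_SVC_UAC = NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION              # unconstrained, no transition

if __name__ == "__main__":
    print("good:", review(GOOD_SVC_UAC, GOOD_ALLOWED_TO, TARGET_SPN, SPN_REGISTRY, NORMAL_ACCOUNT))
    print("bad: ", review(BAD_SVC_UAC, GOOD_ALLOWED_TO, TARGET_SPN, SPN_REGISTRY,
                          NORMAL_ACCOUNT | NOT_DELEGATED))
```

Feed it the real attribute values exported from the domain and an empty result means the AD side is not what is rejecting the S4U exchange; any remaining logon prompt then has to be explained on the proxy side.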