kerberos sso (4 Topics)

Mix NTLMv2 & Kerberos SSO in the same policy for different sub-URL
Hello! I got a special request and couldn't find a solution on how to address this, e.g.:

The following URL is secured by an APM policy using NTLMv2 as SSO (based on AD Auth): https://acme.domain.com/url
The following sub-URL is requesting Kerberos: https://acme.domain.com/url/suburl

For the moment the user needs to authenticate 2x, the 2nd time through a Microsoft popup. One of the main issues: if I log out and log in again with a different user, there is no login requested for the Kerberos part and the 1st user remains connected.

Any idea how I could solve this situation?
BR S.

Kerberos AAA login pop-up issue
Folks, before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue! Here we go!

I have a Virtual server (companyA.example.com:443). An access policy with a 401 response agent followed by a Kerberos Auth agent is assigned to the VIP. Users are in domain (inside.corp).

AD setup: A service account is set up on the AD server (f5-service-account).

Keytab:
c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab

SPN:
setspn -U -A HTTP/companyA.example.com f5-service-account

F5 setup: The keytab file is uploaded under Access->AAA->Kerberos and auth realm INSIDE.CORP is used.

When tested with APM in debug mode, I found the below error in the logs:
modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information

From the client side, SSO doesn't work and I get a browser pop-up where I can input the credentials. Entering the creds doesn't work either.

APM VPE:

Any help is greatly appreciated! Thanks in advance!

F5 APM Kerberos SSO error log
Dear All, I have an APM Kerberos (delegation) SSO configured for my SharePoint application, with RADIUS Auth as the primary authentication. Though everything is working fine as expected, I get the below APM logs:

Mar 9 19:41:08 slot1/Datacenter-SF-Sec notice tmm1[27422]: 01490521:5: /Common/OTP:Common:65297ecb: Session statistics - bytes in: 0, bytes out: 0
Mar 9 19:41:09 slot1/Datacenter-SF-Sec warning tmm1[27422]: 01490531:4: fcf9d73f: Detected invalid host header ().
Mar 9 19:41:09 slot1/Datacenter-SF-Sec notice tmm1[27422]: 01490567:5: /Common/OTP:Common:fcf9d73f: Session deleted (no_hostname).
Mar 9 19:41:09 slot1/Datacenter-SF-Sec warning tmm1[27422]: 01490531:4: 52959b6e: Detected invalid host header ().
Mar 9 19:41:09 slot1/Datacenter-SF-Sec notice tmm1[27422]: 01490567:5: /Common/OTP:Common:52959b6e: Session deleted (no_hostname).
Mar 9 19:41:14 slot1/Datacenter-SF-Sec warning tmm[27422]: 01490531:4: 18085054: Detected invalid host header ().
Mar 9 19:41:14 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490567:5: /Common/OTP:Common:18085054: Session deleted (no_hostname).
Mar 9 19:41:14 slot1/Datacenter-SF-Sec warning tmm[27422]: 01490531:4: 087dd709: Detected invalid host header ().
Mar 9 19:41:14 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490567:5: /Common/OTP:Common:087dd709: Session deleted (no_hostname).
Mar 9 19:41:14 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490521:5: /Common/OTP:Common:86aec73e: Session statistics - bytes in: 0, bytes out: 0
Mar 9 19:41:15 slot1/Datacenter-SF-Sec notice tmm1[27422]: 01490521:5: /Common/OTP:Common:88965610: Session statistics - bytes in: 0, bytes out: 0
Mar 9 19:41:15 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490521:5: /Common/OTP:Common:704c5724: Session statistics - bytes in: 0, bytes out: 0
Mar 9 19:41:19 slot1/Datacenter-SF-Sec warning tmm[27422]: 01490531:4: 75bfc35b: Detected invalid host header ().
Mar 9 19:41:19 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490567:5: /Common/OTP:Common:75bfc35b: Session deleted (no_hostname).
Mar 9 19:41:19 slot1/Datacenter-SF-Sec warning tmm[27422]: 01490531:4: 46da5465: Detected invalid host header ().
Mar 9 19:41:19 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490567:5: /Common/OTP:Common:46da5465: Session deleted (no_hostname).
Mar 9 19:41:22 slot1/Datacenter-SF-Sec notice tmm[27422]: 01490521:5: /Common/OTP:Common:54976d9f: Session statistics - bytes in: 0, bytes out: 0

What is the issue?

APM "Remote Desktop Web Access" Kerberos SSO option
Currently working with a customer who is very interested in APM's Remote Desktop Web Access feature. MFA is strictly enforced in this environment, so usernames and passwords are a no go, so NTLM is out. But within the Remote Desktop Web Access object definition, there is a "Kerberos SSO Configuration" option where you can select a predefined Kerberos SSO profile. Through contextual clues, I assumed that this would be to set up a Kerberos Constrained Delegation scenario, mostly geared towards environments where passwords are not an option.

In setting this up, I have confirmed that the Windows server hosting the RemoteApp Web portal has been set up to accept Windows Integrated authentication, along with assigning the appropriate SPNs to the Computer Object in AD. I have validated that Kerberos authentication works going directly to the RemoteApp web portal (bypassed forms page, saw the security event of the Kerberos logon within Windows security events, etc.). I have set up the delegation account in AD for the Kerberos SSO profile and have verified that it has the appropriate permissions and delegated SPNs.

After all of this I still receive the logon box from Webtop requiring a username, password and domain. I haven't found any documentation on this particular option in APM, "Remote Desktop Web Access". So my question is: can a KCD setup be done with this APM feature, and is this particular Kerberos SSO drop-down used in this setup? If it cannot be done, what does this Kerberos SSO drop-down menu do?

Thanks to any and all who can share their wisdom!