Forum Discussion

morrie_63651's avatar
morrie_63651
Icon for Nimbostratus rankNimbostratus
Oct 11, 2007

kerberos

I am planning to use my new F5 LTM to load balance a number of components that are protected by Microsoft Active Directory - Kerberos. I am being told that the F5 device must join the Kerberos domain. Can you tell me how this is accomplished?

 

Thanks,

 

--morrie

 

  • Hi,

     

     

    Regarding this part of the conversation (*)....... I have a similar problem perfoming single sign on authentication using Kerberos, the task it supposed to be perfomed by the vpnssl device and then go to the F5 LTM and the to then web server (wich is running a .NET based application) ...... my question is pretty much related to the part where the SPN is created in my DC server for the application. Wich account or computer-name should be used in the command.

     

     

    (*)

     

    Firstly map the virtual IP to a dns name in your internal DNS server. Then create an SPN for this dns name and with the userid being used to configure kerberos.

     

    For ex. if you are using an id - xyz for configuring BO SSO, and the dns name is bovirtual.addomain.com

     

    Then the SPN will be -

     

    setspn -A HTTP/bovirtual.addomain.com xyz

     

    Let me know how it goes.

     

     

    Regads,

     

    Ravi
  • When you say "create an SPN for this dns name and with the userid being used to configure kerberos" which userid are you referring too? In our environment we have four servers which are load balanced. Kerberos based SSO is working on each individual server but is failing when going through the virtual ip. We have an AD user which corresponds to each physical machine. I believe the setspn command was then run for each of these users specifying the corresponding dns name of that server.

     

     

    Does that mean we should then create another AD user to represent the load balancer and run setspn specifying the virtual ip and the AD user we set up? Do you know if this AD user would have to be marked as an eligible delegate?
  • Hello,

     

    I setup my middle tier service for delegation to a backend service and I've used a source address affinity persistence profile to keep kerberos happy.

     

     

    The middletier service run's under account middletierserviceacct and the backend service under account backendserviceacct.

     

     

    The middletierserverservice.fqdn and backendserverservice.fqdn DNS entries resolve to the virtual servers on our LTM.

     

     

     

    setspn -l middletierserviceacct

     

    HTTP/middletierserverservice.fqdn

     

    HTTP/middletierserverservice

     

     

    setspn -l backendserviceacct

     

    HTTP/backendserverservice

     

    HTTP/backendserverservice.fqdn

     

     

    Hope this clears things up
  • We are using F5 to load balance a wss 3.0 with kerberos authentication. Do you know necessary steps to expose the web site using f5 (witout moving kerberos settings) to our internal users that are outside the domain?. I see on another article that now F5 support this
  • Posted By RyanLRoy on 12/10/2009 12:34 AM

     

     

    When you say "create an SPN for this dns name and with the userid being used to configure kerberos" which userid are you referring too? In our environment we have four servers which are load balanced. Kerberos based SSO is working on each individual server but is failing when going through the virtual ip. We have an AD user which corresponds to each physical machine. I believe the setspn command was then run for each of these users specifying the corresponding dns name of that server.

     

     

    Does that mean we should then create another AD user to represent the load balancer and run setspn specifying the virtual ip and the AD user we set up? Do you know if this AD user would have to be marked as an eligible delegate?

     

     

     

     

    It depends what you are trying to accomplish here: IF you do not need the LTM to act as an SSO gateway for connecting to multiple different services and applications (web sites), then you could leave the load-balancing in a passive state where it will not impact the authentication to the servers. To do that, you would run all of your IIS services for this given site with the same user ID and configure an SPN on the service account to match the DNS name of the site. That way, the client would get a Kerberos ticket that would be valid on any of the four web servers for that site, regardless of the LTM's choice of servers to point them to at the time.

     

     

    If you want the LTM to handle Kerberos delegated connections, for Internet portal situations for instance, then you would need to configure the LTM as a Kerberos realm member for AD and provide user session and kerberos proxy cababilities from there, though I am not sure of the process for that. IT is my understanding that it does allow for this, though I assume you host a forms-based authentication page behind the LTM to handle the initial authentication, and then the LTM performs the Kerberos protocol transition and then acts as the user session for the session when connecting to the sites behind it. This is necessary when users are outside the network and unable to get a Kerberos ticket and similar scenarios.

     

     

    I am trying to figure that one out now, but have not seen any guidance on it so far. I know the AD/Kerberos side.

     

  • Hi,

     

     

    Has anyone tried to implement Kerberos delegation using the default irule associated to the Kerberos profile?

     

     

    The F5 doesn't seem to handle the user credentials provided by the browser:

     

     

    Mar 15 16:27:24 DOULBF6-RC tamd: pam_krbdelegate(mod_auth_kerb): gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No such file or directory)

     

    Mar 15 16:27:24 DOULBF6-RC tamd: pam_krbdelegate(mod_auth_kerb): Failure to extract credentials from client. Denying user.

     

     

    Thanks in advance for your help.

     

     

     

  • We have used the domaintool command on the load balancer to create the spn for the virtual IP and created an AD Computer object with the same name as the virtual IP. We are still getting 401 errors from IE 8.

     

     

    We are using IIS 7.0 with the service account "network" in the default application pool. Do we need to use a service account and create an spn to make this work?