Forum Discussion
Stanislas_Piro2
Jun 11, 2018
Hi,
Here is the browser behavior with Kerberos authentication (from my understanding; I did not find the exact SPN discovery mechanism documented on the Internet):
- Unauthenticated user requests a protected resource (https://www.company.com)
- Browser requests a Kerberos ticket for SPN http/ (always http, even if the service is listening on an https port)
- If the KDC provides a token, go to 5
- Browser asks the DNS server for the reverse DNS of the destination server IP (srv1.company.local)
- Browser requests a Kerberos ticket for SPN http/srv1.company.local
- Browser includes the Kerberos ticket in every request to the backend server
- Application server decrypts the ticket to handle authorization, based on the password of the account the SPN belongs to.
In such a configuration:
- If the server is configured to decrypt with the machine account, the expected SPN MAY be the reverse DNS name
- If the server is configured to decrypt with an application account (the service account defined to run the service), the expected SPN MAY be the SPN extracted from the URL requested by the client
The destination server IP is the F5 virtual server IP address in your configuration.
So you have to:
- check how the application is configured to decrypt the Kerberos ticket (machine account or service account)
- check the DNS PTR of node1 and node2:
  - Is it the same, and is there an SPN for this hostname? If yes, create a new PTR with the same answer for the virtual server address.
  - Else, is there an SPN for each of these hostnames? If yes, the expected Kerberos ticket may be based on the reverse lookup --> you have to change the WebLogic configuration to use the same SPN on both servers.
F5 LTM doesn't change Kerberos behavior when enabling Kerberos, so there is no documentation about it from F5, as far as I know.
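The SPN selection and the PTR checklist described in the post above, modelled as an added Python example (not the poster's code and not anything F5 or WebLogic ships). The KDC SPN list, the PTR table, the account names and the IP addresses are constructed stand-ins; in a real check you would replace them with the output of `setspn -Q` (or an LDAP query on `servicePrincipalName`) and of `dig -x` / `Resolve-DnsName -Type PTR`. The browser logic follows the post: ask for `http/<URL host>` first, and fall back to `http/<PTR name of the destination IP>` only when the KDC has no such SPN.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not from the poster's environment).
# SPNs registered in AD, lowercased, mapped to the account that owns them.
KDC_SPNS = {
    "http/node1.company.local": "COMPANY\\node1$",     # machine account of node1
    "http/node2.company.local": "COMPANY\\node2$",     # machine account of node2
    "http/www.company.com": "COMPANY\\svc_weblogic",   # service account running WebLogic
}
# Reverse DNS (PTR) answers; the VIP 10.0.0.100 deliberately has no PTR record.
PTR_TABLE = {
    "10.0.0.11": "node1.company.local",
    "10.0.0.12": "node2.company.local",
}


def browser_spn(url, dest_ip, spns=KDC_SPNS, ptr=PTR_TABLE):
    """SPN the browser ends up requesting, following the post's steps:
    http/<URL host> first; if the KDC has no such SPN, fall back to
    http/<PTR name of the destination IP>. None if neither exists."""
    candidate = "http/" + urlsplit(url).hostname.lower()
    if candidate in spns:
        return candidate
    ptr_name = ptr.get(dest_ip)
    if ptr_name is None:
        return None
    candidate = "http/" + ptr_name.lower()
    return candidate if candidate in spns else None


def server_accepts(spn, decrypt_account, spns=KDC_SPNS):
    """Last step of the post: the server can only decrypt a ticket issued for
    an SPN owned by the account whose key it holds (machine or service account)."""
    return spn is not None and spns.get(spn) == decrypt_account


def ptr_recommendation(node_ips, ptr=PTR_TABLE, spns=KDC_SPNS):
    """The post's second check: compare the PTR records of the backend nodes
    and return which of the two fixes applies."""
    names = [ptr.get(ip) for ip in node_ips]
    if all(names) and len(set(names)) == 1 and "http/" + names[0].lower() in spns:
        return "same-ptr: add a PTR for the VIP answering " + names[0]
    if all(n and "http/" + n.lower() in spns for n in names):
        return "per-node-ptr: configure both WebLogic nodes to use one shared SPN"
    return "no SPN registered for the node PTR names; register one first"


def diagnose(url, vip, decrypt_account, spns=KDC_SPNS, ptr=PTR_TABLE):
    """Which SPN a client hitting the VIP requests, and whether the backend
    (decrypting with the given account) can actually decrypt that ticket."""
    spn = browser_spn(url, vip, spns, ptr)
    return spn, server_accepts(spn, decrypt_account, spns)


if __name__ == "__main__":
    # Service-account decryption: the URL SPN exists, so the ticket is usable.
    print(diagnose("https://www.company.com", "10.0.0.100", "COMPANY\\svc_weblogic"))
    # Machine-account decryption on node1: same ticket, wrong key, so it fails.
    print(diagnose("https://www.company.com", "10.0.0.100", "COMPANY\\node1$"))
    print(ptr_recommendation(["10.0.0.11", "10.0.0.12"]))
```

Run it and the second `diagnose` call reports `False`: the browser requested a ticket for the service account's SPN, but a node that decrypts with its machine-account key cannot open it, which is exactly the mismatch the post's checklist is meant to surface.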