Kerberos double hop working with APM?

MVP

Oct 10, 2019

Make sure to troubleshoot each half of a Kerberos setup separately. Is Kerberos AAA working in this case?

I had to dig up my notes on this as it has been a while, but essentially Kerberos SSO needs the following things first:

successful sign-on to the target application inside the domain from other systems (target app SPN must already exist and be functional),
working forward/reverse DNS on the BIG-IP (ie using Active Directory for DNS resolution),
Connectivity to the KDC (looks like you have this),
NTP must be functional.

In the Delegation tab for the F5 SSO user in AD, ensure that "Trust this user for delegation to specified services only; Use any authentication procotol" is selected.

In the service account for the target application, I found that I needed to set up a delegation to the app's own SPN records with the Delegation setting set to "Trust this user for delegation to specified services only; Use Kerberos only." The F5 SSO user and the target application user should be separate.

I'm not an expert on this stuff, but it has worked for us in the past and is still in production use.

A pretty good troubleshooting resource is here by Cody Green.

Microsoft has an in-depth description of the concepts here.

Forum Discussion

Kerberos double hop working with APM?

Recent Discussions

Find GSLB pool membership from vip IP

Pool Members communication with B-party via F5 VIP

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Related Content

Stop Double Monitoring: NGINX Plus API Helping BIG-IP

Working with MasterKeys

Lightboard Lessons: Secure Coding and Tcl Double Substitution

Apache Struts Double OGNL Evaluation (S2-061 / CVE-2020-17530)

Forgotten Boa, Aurora botnet, Kerberos & Twitter - Nov 19th-25th - F5 SIRT - This Week in Security