Hi folks, we're experimenting with replacing our ISA servers with our Big IPs but we're running into issues with the way it does Kerberos SSO.
In a scenario where we're doing Kerberos SSO, there comes a time when the Big IP needs to specify a SPN to use when contacting the remote host where we're directing traffic. From what we can read in F5's documentation and from what we've observed in the field, the SPN is dynamically generated from the reverse DNS lookup performed on the IP of the destination.
The problem with this approach is that say I have a web site http://www.mysite.mycompany.com and that site runs under the domain account ServiceAccount@mycompany.com and the spn http/mysite.mycompany.com is set on the domain account. That site is hosted on host host1.mycompany.com. Then the big IP will take the IP of host1.mycompany.com and try to fetch a ticket with a SPN of http/host1.mycompany.com which of course is not a valid SPN in our scenario. And what happens in a load balanced scenario where I have host1 and host2 in a farm configuration...
We know (through successful testing) that the SPN pattern field in the SSO profile is there to address that issue but this will "lock" the SSO profile to that URL, hence leaving me with the not so elegant solution of having one SSO profile per URL. I'd really like to avoid that.
We could fool around with in-addr.arpa and change the reverse lookup for that host to resolve to mysite.mycompany.com but that doesn't scale at all and it breaks down if host1.mycompany.com has multiple web sites running on it.
I've read that 11.6 boasts a "new" feature where you can have a dynamic pool member where you can type a FQDN instead of the IP address. We're presently running 11.4 but if we upgrade, is the SPN generation still the same (using reverse DNS on the IP)? One would think that if you go through the "trouble" of specifying a FQDN as a pool member then should you not use that name as the SPN?
I'm guessing we could also work this issue on the Active Directory side of things, making it so that the "wrong" SPN ends up resolving to something valid... maybe by setting a HOST SPN and then delegating that to the domain account SPN, but I fear we'll quickly run into unique name constraints on the Kerberos side of things.
So what are our options here, has anybody dealt with this? It seems pretty basic of a problem but our limited experience with the Big IP is preventing us from seeing the solution here!
Thanks in advance for all your help and sorry for long read :)
Just working from memory here but if you set host entries on bigip for each of the members in your pool which resolve back to 'mysite.mycompany.com' will that not make bigip perform the require successfully?
So if you had three servers, 10.0.0.1-3 then on bigip you would make three host entries for mysite.mycompany.com which would resolve to each of those ips. Then once bigip does the reverse lookup on those ips it would always return mysite.mycompany.com
Thanks for the info, in fact I think we'll stay away from the host file idea since it'll be a nightmare to manage in our case with so many URLs to publish and multiple Big IPs.
BUT this leads me to a gem I found on this forum and EVERYONE should know about this because it saved the day for us.
It turns out that the SPN pattern field supports wildcards, see post here big thanks to Kevin!!
So in our case we used the spn pattern firstname.lastname@example.org
The %h is the magic since it'll take the host name from the requested host header!! This needs to be better documented, it's so great!
This bypasses the reverseDNS lookup and it allows a fully dynamic sso profile that we can reuse for all our published URLs!!
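The difference between the two SPN derivations discussed in this thread, as an added example that is not part of the original posts and is not F5 code. It is a small offline model: the PTR table, registered SPNs, published-host allowlist and the `EXAMPLE.REALM` realm are constructed placeholders, and the pattern shape `HTTP/%h@REALM` is an assumption because the exact pattern string in the post above is not legible on this page. Since the Host header is supplied by the client, the sketch only expands `%h` for hosts on an allowlist.

```python
import re

REALM = "EXAMPLE.REALM"  # placeholder realm; the page does not give one

# Constructed sample data mirroring the thread's scenario (two farm hosts,
# two sites running under a service account that owns the site SPNs).
PTR = {"10.0.0.1": "host1.mycompany.com", "10.0.0.2": "host2.mycompany.com"}
REGISTERED_SPNS = {"http/mysite.mycompany.com", "http/othersite.mycompany.com"}
PUBLISHED_HOSTS = {"mysite.mycompany.com", "othersite.mycompany.com"}

def spn_from_reverse_dns(pool_member_ip):
    """Behaviour described in the first post: SPN built from the PTR name."""
    return f"HTTP/{PTR[pool_member_ip]}@{REALM}"

def normalize_host(host_header):
    """Lowercase, drop an optional :port and trailing dot, reject odd input."""
    host = re.sub(r":\d+$", "", host_header.strip().lower()).rstrip(".")
    if not re.fullmatch(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?", host):
        raise ValueError(f"malformed Host header: {host_header!r}")
    return host

def spn_from_pattern(pattern, host_header):
    """Expand %h with the request's Host header, as in the thread's fix."""
    host = normalize_host(host_header)
    if host not in PUBLISHED_HOSTS:  # Host is client-supplied: allowlist it
        raise ValueError(f"host not published: {host}")
    return pattern.replace("%h", host)

def is_registered(spn):
    """SPN matching is case-insensitive; compare service/host without realm."""
    return spn.split("@", 1)[0].lower() in REGISTERED_SPNS

def compare(host_header, pool_member_ip, pattern="HTTP/%h@" + REALM):
    """Return whether each derivation yields an SPN the account really owns."""
    return {
        "reverse_dns": is_registered(spn_from_reverse_dns(pool_member_ip)),
        "host_header": is_registered(spn_from_pattern(pattern, host_header)),
    }

if __name__ == "__main__":
    for ip in PTR:
        for site in ("mysite.mycompany.com", "OtherSite.mycompany.com:443"):
            print(ip, site, compare(site, ip))
```

Every pool member and site combination gives `reverse_dns: False` and `host_header: True`, which is why one `%h` profile can serve all published URLs while the reverse-DNS name never matches the service account's SPN.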
Thanks for the %h trick!
I'm looking for the same thing with a 401 response Kerberos referencing a Kerberos AAA server. There is a service name box but it only takes the service name HTTP. I have to put the hostname of my site = IP address of one of the pool members in the hosts file for the auth to work. I have several servers serving the website.