Kerberos Authenication cross multiple domains

Question

Hi there,&nbsp;
I'm having a hard time getting kerberos to work a cross multiple domains (two way trust)
Version of APM 11.5&nbsp;
Within a domain Kerberos Authentication works fine but when I attempt to access resource from another domain it's failing&nbsp;
My setup is something like this&nbsp;
trusteddomain.local
untrusteddomain.local&nbsp;
SPN and all kerberos setting were created in unstrusted domain&nbsp;
I did the following steps to implement it (maybe it will help somebody else as well)&nbsp;
On the untrusted domain&nbsp;
setspn -U -A HTTP/internal.something.org f5kerberos 
ktpass -princ HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL -mapuser f5kerberos@UNTRUSTEDDOMAIN.LOCAL -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass supersecret -out C:\f5kerberos&nbsp;
On F5&nbsp;
AAA Server&nbsp;
Auth Realm: UNTRUSTEDDOMAIN.LOCAL
Service name: HTTP
Principal:  HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL&nbsp;
SSO Config&nbsp;
Kerberos Realm: UNTRUSTEDDOMAIN.LOCAL
Account name: f5kerberos
Account password supersecret&nbsp;
Access policy&nbsp;
HTTP 401 response&nbsp;
basic+negotiate&nbsp;
Basic Auth Realm: MHPSHP.LOCAL&nbsp;
On negotiate - kerberos - sso - allow&nbsp;
Evertyhing works fine from untrusteddomain but doesn't work from trusteddomain.&nbsp;
I tried implementing NTLM Auth and it was failing as well. My main point is to get seamless authentication for the user and the use form based sso to login to some other web apps&nbsp;

matt_dierick · Answer

Hi, I don't know if my doc can help you.
I did a lab with 2 forests, 2 domains. One domain for users and one domain for ressources.&nbsp;
https://app.box.com/s/4r4jbaki06m3vnyhv5nx&nbsp;
Hope this help.&nbsp;

drugovm_149811 · Answer

Thank you. I went over document and I see that in the access policy you are not calling kerberos authentication for seamless login. You are using form for user credentials that then passing over to KDC to get the ticket and then passing over to sso&nbsp;
This kind of setup works in my setup but my main point is to implement seamless login for the end users and be able to manipulate user credentials&nbsp;

davo_t_20783 · Answer

Looks like you have found limitation for constrained delegation in cross forest trust:&nbsp;
See Microsoft DS team answer in this post: &nbsp;
http://social.technet.microsoft.com/Forums/en-US/f47b10c6-f546-49b4-9bff-4ef534297675/crossforest-kerberos-authentication-delegation-of-client-credentials?forum=winserverDS&nbsp;

drugovm_149811 · Answer

I'm scratching Kerberos all together. Sharepoint is already setup to accept ntlm from second domain&nbsp;

Forum Discussion

Kerberos Authenication cross multiple domains

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

Multiple Kubernetes Clusters and Path-Based Routing with F5 Distributed Cloud

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1