Forum Discussion

M0d3u52014_1653
Apr 17, 2015

Need help with kerberos delegation

So whoever didn't run when you saw the word Kerberos, thank you. I am using the instructions located here to set up Kerberos delegation: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_kerberos_delegation.html

I've added my domain to the F5. My problem is, I don't understand how I am supposed to add the F5 virtual servers to my domain. This is the line they give you:

domaintool --join --admin_principal --host

What I don't understand is the --host portion. It says to use the FQDN of the virtual server you want to add... well, that doesn't exist in any context according to my domain... so all I get is a "cannot lookup hostname" error. My DNS resolves forward and backward, but what I don't understand is what object it is looking for.

I have added the SPNs for the back-end resources to the user account I created for Kerberos delegation... but how do I connect the virtual servers to my domain? Do I have to create AD user accounts for them first? What should I be putting in that --host? What's the syntax? Could someone provide an example or maybe shine some light on this? I would greatly appreciate it. Thank you.


4 Replies

  • kunjan

    Are you on a 10.x version? Just wondering if you are looking at the right doc.

  • I am on 11.4.1. I never even thought of it as version specific. Is this something I should maybe be doing with APM instead? The domain is at the 2008 R2 functional level, if that matters.

  • OK, I have switched to the document for my version. Still confused as to how the virtual server gets onto the domain. It says:

    "In the Client Principal Name field, type the name of the client principal, using the format HTTP/[name], where name is the name of the virtual server you created to use here."

    OK, fair enough... but how does my Windows domain know what this virtual server is? It is an object that exists on the F5... there is no user associated with it on the domain to attach service principals to. Where is the connection? There is something fundamental about this I am not getting.

    I followed the configuration document to the letter and the site stopped responding altogether.

  • kunjan

    Better to follow this solution: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/4.html

    The steps to create the delegation account:

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/4.html#unique_716053090

    There is no reference to the virtual server created on APM. When APM connects to the back-end server IP address, it uses the PTR record to find the corresponding SPN. This is provided you leave 'SPN Pattern' under the Kerberos SSO screen empty.

    You can enable debug logging for SSO from the CLI using:

    tmsh modify sys db log.sso.level value debug

    Let us know how it goes.
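The PTR-to-SPN behaviour described in the last reply is easy to check from any host before touching the APM configuration. The script below is an added example, not code from the thread or from F5: it mimics what APM does with an empty SPN Pattern (reverse-resolve the back-end IP, build HTTP/<fqdn>) and flags the two DNS failure modes that typically produce the "cannot lookup hostname" symptom (no PTR record, or a PTR whose forward lookup does not point back to the same IP). The service class HTTP, the host names and the addresses are constructed lab values; on a real network drop the fake resolvers and let the socket defaults query your DNS.

```python
import socket


def derive_backend_spn(ip, service="HTTP",
                       reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Mirror APM's lookup with an empty SPN Pattern: PTR lookup of the back-end
    IP, then SPN = service/<fqdn>. Returns (spn_or_None, list_of_problems) so the
    admin can see why the KDC would refuse the delegated ticket."""
    problems = []
    try:
        fqdn, _aliases, _addrs = reverse(ip)      # PTR record -> host name
    except OSError as exc:                        # herror/gaierror are OSError subclasses
        return None, [f"no PTR record for {ip}: {exc}"]
    fqdn = fqdn.rstrip(".")
    if "." not in fqdn:
        problems.append(f"PTR for {ip} is a short name '{fqdn}'; the SPN needs an FQDN")
    try:
        _name, _aliases, addrs = forward(fqdn)    # A record(s) for the PTR name
        if ip not in addrs:
            problems.append(f"forward lookup of {fqdn} returns {addrs}, not {ip}")
    except OSError as exc:
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    return f"{service}/{fqdn}", problems


def fake_resolvers(ptr_map, a_map):
    """Constructed in-memory DNS so the example runs offline (assumption, not real DNS)."""
    def reverse(ip):
        if ip not in ptr_map:
            raise socket.herror(1, f"Unknown host {ip}")
        return ptr_map[ip], [], [ip]

    def forward(name):
        if name not in a_map:
            raise socket.gaierror(-2, f"Name or service not known: {name}")
        return name, [], a_map[name]
    return reverse, forward


# Constructed lab data: one consistent host, one with a stale PTR, one with no PTR.
PTR = {"10.0.0.10": "web1.corp.example.", "10.0.0.11": "oldweb.corp.example."}
A = {"web1.corp.example": ["10.0.0.10"], "oldweb.corp.example": ["10.0.0.99"]}
REV, FWD = fake_resolvers(PTR, A)

if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
        spn, problems = derive_backend_spn(ip, reverse=REV, forward=FWD)
        print(ip, "->", spn, "; ".join(problems) or "ok")
```

The SPN the script prints for a healthy host is the one that must be registered on the back-end service account in AD and that the delegation account must be allowed to delegate to; a mismatch there shows up in the SSO debug log enabled above.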