Setting up Kerberos Constrained Delegation

Question

Hello,&nbsp;
I have been trying to get kerberos authentication to work from a domain joined computer to a windows IIS server and seem to be stuck.  I have tried many things from a bunch of different post on devcentral but don't seem to be getting any closer.  I was hoping I could post more of my specifics and see if someone could point out what I am missing.  Keep in mind if I go directly to the web server I have confirmed that kerberos authentication is the method being used and is successful until I go through the F5.  I am running version 11.6.1.&nbsp;
I believe that the main issue is because of the difference of our host name lab.cityoftest.org and our kerberos realm of DOMAIN.LCL.  Since we want to use our wildcard cert for our public domain of *.cityoftest.org but all user names are using a user@DOMAIN.LCL I am not sure how to configure the internal dns A and PTR records to accommodate this scenario.&nbsp;
Here are my settings at this point as they may help better explain what I am trying to do.  
&nbsp;
Thank you for your time and help in advance!&nbsp;

AD delegate account &nbsp;
userPrincipleName: host/lab.cityoftest.org@DOMAIN.LCL&nbsp;
SPN: host/lab.cityoftest.org&nbsp;
Delegation Tab:&nbsp;
Trust this user for delegation to a specified services only, Use any authentication protocol&nbsp;
http     IISServer.domain.lcl&nbsp;

Kerberos AAA Server config&nbsp;
Auth Realm: DOMAIN.LCL&nbsp;
Service Name: host&nbsp;
Keytab file details:  
&nbsp;
Principle = host/lab.cityoftest.org@DOMAIN.LCL&nbsp;
Encryption: arcfour-hmac&nbsp;

Access Policy

Kerberos Auth Pointed at Kerberos AAA Server created above&nbsp;
AD Query has search filter: userPrincipalName=%{session.logon.last.username}&nbsp;

SSO Config &nbsp;
Method: Kerberos&nbsp;
Username Source: session.ad.last.attr.sAMAccountName&nbsp;
User Realm Source: session.logon.last.domain&nbsp;
Kerberos Realm: DOMAIN.LCL&nbsp;
KDC: (IP of one of the domain controllers)&nbsp;
Account Name: host/lab.cityoftest.org&nbsp;

APM Error
2017-04-17 15:27:52       metadata len 391&nbsp;
2017-04-17 15:27:52       \N: Could not find SSO domain, check variable assign agent setting&nbsp;
2017-04-17 15:27:52       Websso Kerberos authentication for user 'John' using config 
                        '/Common/WebApplication_2'        
&nbsp;
2017-04-17 15:27:52       \N: adding item to WorkQueue &nbsp;
2017-04-17 15:27:52       sid: ctx:0x59b1aff0 server address = ::ffff:10.10.10.1&nbsp;
2017-04-17 15:27:52       sid: ctx:0x59b1aff0 SPN = HTTP/IISServer.domain.lcl@DOMAIN.LCL          
&nbsp;
2017-04-17 15:27:52       Kerberos: realm for user John is not set, using server's realm DOMAIN.LCL            
&nbsp;
2017-04-17 15:27:52       S4U ======&gt; ctx: , sid: 0x59b1aff0, user: John@DOMAIN.LCL, SPN:                         &nbsp;
                        HTTP/IISServer.domain.lcl@DOMAIN.LCL   
&nbsp;
2017-04-17 15:27:52       Kerberos: Failed to get ticket for user John@DOMAIN.LCL             
&nbsp;
2017-04-17 15:27:52       \N: failure occurred when processing the work item&nbsp;

stanislas_piro2 · Answer

Hi,
What do you want to configure? Kerberos authentication, Kerberos Contrained Delegation (SSO) or both?
to configure Kerberos auth, I use following powershell commands:
New-ADUser -Name "APM Kerberos Authentication Account" -UserPrincipalName svc_f5_krb_auth@demo.local -SamAccountName "svc_f5_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Set-AdUser -Identity svc_f5_krb_auth -ServicePrincipalNames @{Add="host/app1-ext.demo.local"}
ktpass -princ HTTP/app1.demo.local@demo.local -mapuser svc_f5_krb_auth@demo.local -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass P@ssw0rd -out c:\Shared\svc_f5_krb_authv.keytab

to configure Kerberos SSO, I use following powershell commands:
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"} 
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"} 
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true

then, I create kerberos SSO in APM:
create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }

to make Kerberos SSO working, you must assign 2 variables:

domain (must be user realm = domain FQDN)
session.logon.last.domain (default value)session.krbsso.last.domain (in my kerberos SSO configuration)

username (must be user sAMAccountName)
session.logon.last.username (default value)session.krbsso.last.username (in my kerberos SSO configuration)

Forum Discussion

Setting up Kerberos Constrained Delegation

1 Reply

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Configuring Smart Card Authentication and Kerberos Constrained Delegation in F5 Access Policy Manager (APM)

SSL Orchestrator Advanced Use Cases: Client Certificate Constrained Delegation (C3D) Support

Single-Sign-On mit Kerberos Constrained Delegation

SSO par Kerberos Constrained Delegation sur APM - Best Practices