Forum Discussion

Tayyab__Fayyaz_
Jun 10, 2018

Configuration Kerberos SSO With F5 for Weblogic

Hi All,

We have an architecture like this: a cluster-enabled WebLogic server behind an F5 load balancer. We have enabled Kerberos SSO for node 1 and node 2 and it is working perfectly fine. We need to have this load balancer configured for SSO as the users would be using a load balancer URL. Could you please share some docs/notes to have this enabled.

node1.com --> working for SSO
node2.com --> working for SSO

load balancer URL like

fusiontest.com --> need to configure this for SSO, where users will be logging in using fusiontest.com and then getting diverted to any of the nodes like node1.com or node2.com depending on the load on the server.

Thanks in advance.

 

2 Replies

  • Hi,

    The best practice is that your nodes (node 1 and node 2) have the same service account with the same SPN, which will be your application name (fusiontest.com).

    Then create a unique Kerberos SSO with a unique SPN --> fusiontest.com

    You can do it?

    Regards


  • Hi,

    Here is the browser behavior with Kerberos authentication (from my understanding; I did not find the exact SPN discovery mechanism over the Internet):

    1. Unauthenticated user requests protected resource (https://www.company.com)
    2. Browser requests Kerberos ticket for SPN http/ (always http even if the service is listening on an https port)
      • If KDC provides a token, go to 5
    3. Browser requests DNS server for reverse DNS of the destination server IP (srv1.company.local)
    4. Browser requests Kerberos ticket for SPN http/srv1.company.local
    5. Browser includes the Kerberos ticket in every request to the backend server
    6. Application server decrypts the ticket to handle authorization based on the password of the account the SPN belongs to.

    In such a configuration:

    • If the server is configured to decrypt with the machine account, the expected SPN MAY be the reverse DNS name
    • If the server is configured to decrypt with an application account (service account defined to execute the service), the expected SPN MAY be the SPN extracted from the URL requested by the client

    The destination server IP is the F5 virtual server IP address in your configuration.

    So you have to:

    • check how the application is configured to decrypt the Kerberos ticket (machine account or service account)
    • check the DNS PTR of node1 and node2:
      • Is it the same, and is there an SPN for this hostname? If yes, create a new PTR with the same answer for the virtual server address.
      • Else, is there an SPN for these hostnames? If yes, the expected Kerberos ticket may be based on reverse lookup --> you have to change the WebLogic configuration to use the same SPN on both servers.

    F5 LTM doesn't change Kerberos behavior when enabling Kerberos, so there is no documentation about it from F5 as far as I know.
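The two replies above boil down to a few verifiable questions: which account holds the HTTP SPNs, whether each expected SPN is registered exactly once, what the PTR records for the nodes and the virtual server say, and whether a client can obtain a service ticket for the load balancer name at all. The following PowerShell script is an added example, not code from either reply's author or from F5, that runs those read-only checks from a domain-joined Windows client. The domain name, the service account name and the virtual server IP are placeholders (assumptions); node1.com, node2.com and fusiontest.com are the names from the original question.

```powershell
# Added example (not from the thread): read-only Kerberos/DNS checks for the
# points raised in the replies. Placeholder values below are assumptions, not
# taken from the thread; only the three hostnames come from the original post.
$Domain          = 'CORP'           # assumption: NetBIOS domain name
$ServiceAccount  = 'svc_weblogic'   # assumption: account WebLogic decrypts with
$VirtualServerIp = '10.0.0.50'      # assumption: F5 virtual server address
$Hosts = @('node1.com', 'node2.com', 'fusiontest.com')

# 1. Which SPNs are registered on the WebLogic service account?
#    Per reply 1, both node names and the VIP name should sit on the SAME account.
Write-Host "SPNs on ${Domain}\${ServiceAccount}:"
setspn -L "${Domain}\${ServiceAccount}"

# 2. Is each expected HTTP SPN registered, and registered only once?
#    setspn -Q searches the forest; a duplicate SPN on two accounts breaks SSO.
foreach ($h in $Hosts) {
    Write-Host "`nLooking up HTTP/$h"
    setspn -Q "HTTP/$h"
}

# 3. Reverse DNS for the node addresses and the VS address (reply 2, steps 3-4).
#    If the application decrypts with the machine account, the PTR answer is the
#    name the browser may build its SPN from, so the VIP's PTR matters too.
foreach ($h in $Hosts) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
    foreach ($rec in $a) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue
        "{0} -> {1} -> PTR {2}" -f $h, $rec.IPAddress, ($ptr.NameHost -join ',')
    }
}
$vsPtr = Resolve-DnsName -Name $VirtualServerIp -Type PTR -ErrorAction SilentlyContinue
"VS {0} -> PTR {1}" -f $VirtualServerIp, ($vsPtr.NameHost -join ',')

# 4. Can this client obtain a service ticket for the load balancer name?
#    klist get asks the KDC for the named SPN; a KDC_ERR_S_PRINCIPAL_UNKNOWN here
#    means no account holds HTTP/fusiontest.com, which is the usual reason a VIP
#    URL falls back to NTLM or a password prompt.
klist get "HTTP/fusiontest.com"
klist | Select-String -Pattern 'fusiontest.com|node1.com|node2.com'
```

Run it as an ordinary domain user on a client that can reach the DNS server and the KDC; none of the commands change anything. If step 2 shows HTTP/node1.com and HTTP/node2.com on different accounts, or step 3 shows the virtual server's address resolving back to a name with no SPN, that is the mismatch the second reply describes.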