Forum Discussion

PK_294685
Feb 14, 2019

Can we use multiple 401 agents + Kerberos auth in APM?

Folks,


I have a requirement where users from two different domains (ex: domain1.local & domain2.local) need to authenticate with Kerberos.


Both domains are on two separate domain controllers respectively and users are dispersed over both domains (part of user migration).


So when a user tries to access resources behind the APM, I need the user to go through a 401 response followed by Kerberos auth (domain1.local), and if it fails the user should fall back to another 401 response followed by domain2.local Kerberos auth.


https://devcentral.f5.com/questions/kerberos-401-authentication-with-form-fallback


The above post only works when there is a single negotiation happening. But in my case, there is a negotiation and an auth param for both authentications.


Below is my access policy. I believe I can make it work, except that when the initial Kerberos auth fails (domain1.local), the browser pops up an authentication prompt. I do not want this to happen; instead, the user should fall back to the next 401 + Kerberos authentication (domain2.local). Any ideas on how to achieve this?


Any help is appreciated! Thanks


1 Reply

    P_K

    I don't know why, but it seems like I always find answers to my issues myself after I post them here first :)


    Anyway, below are the steps I took to get Kerberos authentication working on both domains and prevent the browser login prompt.


    To fall back properly and avoid multiple 401 requests, I had to change the VPE as below. At this point I was getting a login prompt when a user in domain2 tried the 401 against the domain1 controllers (Kerberos Auth-domain1) and failed. Clicking cancel on the prompt successfully signed the user in (SSO) by authenticating with Kerberos Auth-domain2.


    To prevent the login prompt, all I had to do was change "max login attempts" to '1' on the first Kerberos agent, i.e., Kerberos Auth-domain1.


    I figured that since the default attempts were 3, the browser was prompting for login as APM tried to re-run the 401 (at least I guess). After I made the change to '1', I stopped seeing the login prompt, and users in both domains are able to authenticate through one gateway.. yayy!


    Hope this helps someone out there or may trigger someone to suggest a better solution. Fingers crossed!