Angel_Montero
Jun 18, 2019

Kerberos Authentication with End-User Logons KeyTab files

Greetings,

When configuring APM for Kerberos Auth with End-User logons, a keytab file must be generated and uploaded to the Big IP. Does a keytab file need to be created for each application? My first instinct is that it should indeed be created for each app. Can anyone validate or invalidate that? Thanks.

 

2 Replies

  • You can add multiple principals to the same keytab file.

     

    Or you could have one SAML IdP virtual server with Kerberos Auth and all your apps behind SAML SP virtual servers. You would only need a keytab file for the IdP virtual server, and you can add as many SP virtual servers as needed (so there is no need to create a new keytab or modify the keytab file if you add extra applications that need authentication).

     

    Cheers,

     

    Kees

      Angel_Montero

      Thanks, I appreciate the response. Multiple principals to the same keytab is music to my ears. In addition, I will be moving to the SAML IDP eventually. However, that is a bit down the road.

       

      Angel
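As an added example (not part of the original posts), the following Python sketch lists the principals held in a single keytab, which is a quick way to confirm that a merged file covers every application SPN before uploading it. It follows the MIT keytab version 0x0502 layout; the host names, realm, key version numbers and all-zero keys are constructed sample data, and `build_entry` is a hypothetical helper used only to create that sample.

```python
import struct

def _counted(data, p):
    """Read a uint16-length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def build_entry(realm, components, kvno, enctype, key):
    """Serialize one keytab entry (used here only to construct sample data)."""
    pack = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + pack(realm.encode())
    body += b"".join(pack(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + pack(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return (principal, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # a negative size marks a hole left by a deleted entry
            pos += -size
            continue
        end, p = pos + size, pos
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        kvno = data[p + 8]       # skip name type (4 bytes) and timestamp (4 bytes)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        _key, p = _counted(data, p + 11)   # key bytes are skipped, never returned
        if end - p >= 4:         # optional 32-bit kvno replaces the 8-bit one if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        found.append((f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype))
        pos = end
    return found

# Constructed sample: two application SPNs in one keytab, with a hole between them.
SAMPLE = (b"\x05\x02" + build_entry("EXAMPLE.COM", ["HTTP", "app1.example.com"], 3, 18, bytes(32))
          + struct.pack(">i", -6) + bytes(6)
          + build_entry("EXAMPLE.COM", ["HTTP", "app2.example.com"], 5, 18, bytes(32)))
```

To check a real file, pass `list_principals` the bytes read from it and compare the returned principals against the SPNs the applications use.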