JoeTheFifth
Oct 08, 2018

Grab username/domain from a kerberos ticket header

Is there a way to get the username/domain from a Kerberos ticket without having a resource (web site) server side? In other words: I have an IdP and I'm getting a SAML request from an external SP. I need to grab the email address of the AD account to send back in the SAML response. I don't want to use a logon page for internal users. I know you can use the 401 response policy flow to see username/domain in the session info, but I don't have any web site or resource to do the AAA Kerberos auth. I am looking for something like the NTLM Authentication SSO where you create a computer in AD and call the ECA profile and either get the variables from ECA::username / ECA::domainname or decode the NTLM messages (type 3 is the one with the username/domain info). I'm going to do some tests but thought to ask here first so I don't re-invent the wheel :-)


3 Replies

  • but I don't have any web site or resource to do the AAA Kerberos auth


    You don't need any web site or resource to do Kerberos AAA. APM client-side Kerberos is constrained to APM itself and has no reliance on backend servers. If you can properly authenticate a browser with Kerberos AAA, using a very basic 401 and Kerberos auth agent in the VPE, the username and domain will be available in session.logon.last.username as user@REALM.


  • OK, got it! The two Kerberos AAA configuration support pages should really be modified to be more precise and more to the point. They talk about an application and a hostname for the virtual server and all! Really! I haven't played with keytabs before, but coming from a KCD setup it just looked confusing, whereas all it is about is making APM act like an IIS site configured for Kerberos. I will update with simpler details/steps when I have time tomorrow.
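The thread contrasts two things: decoding an NTLM type 3 message to read username/domain straight out of the Authorization header (the NTLM SSO route the poster mentions), versus Kerberos, where the reply says APM must actually authenticate the client with a keytab before the principal shows up in session.logon.last.username. The example below is added here for illustration; it is not code from the thread, from F5, or from APM. It parses the type 3 AUTHENTICATE message (field layout per MS-NLMP) and shows why the same trick has no Kerberos equivalent: a GSS-API/SPNEGO token only exposes the service realm and name in the clear, while the client name sits in the ticket's encrypted part, so it cannot be read without the SPN's key. Assumptions: the sample message is constructed inline with dummy challenge responses, OEM-encoded strings are decoded as cp437 (the message does not name the code page), and the 0x60 check only identifies a GSS-API InitialContextToken, nothing deeper.

```python
import base64
import struct

# Constants from MS-NLMP (the NTLMSSP wire format the poster refers to).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3                     # "type 3" message
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001    # strings are UTF-16LE when set, OEM otherwise

# AUTHENTICATE_MESSAGE layout: signature(8) type(4), then six 8-byte security
# buffers (Len, MaxLen, Offset) in this order, then NegotiateFlags(4), Version(8).
_BUF_DOMAIN, _BUF_USER, _BUF_WORKSTATION = 2, 3, 4
_FLAGS_OFFSET = 12 + 6 * 8               # == 60
_MIN_LEN = _FLAGS_OFFSET + 4


def _read_buffer(msg: bytes, index: int) -> bytes:
    """Return the payload addressed by the index-th security buffer descriptor."""
    length, _max_len, payload_off = struct.unpack_from("<HHI", msg, 12 + index * 8)
    if payload_off + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[payload_off:payload_off + length]


def _string_codec(flags: int) -> str:
    # Assumption: OEM strings are decoded as cp437; a real client uses the
    # machine's OEM code page, which the message itself does not carry.
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"


def parse_ntlm_authenticate(msg: bytes) -> dict:
    """Extract domain, user and workstation from an NTLM type 3 message.

    These fields are the client's *claim*; nothing here validates the NT
    response, so treat the result as untrusted until the DC has verified it.
    """
    if not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if len(msg) < _MIN_LEN:
        raise ValueError("message too short for an AUTHENTICATE header")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError(f"expected AUTHENTICATE (type 3), got type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, _FLAGS_OFFSET)
    codec = _string_codec(flags)
    return {
        "domain": _read_buffer(msg, _BUF_DOMAIN).decode(codec),
        "user": _read_buffer(msg, _BUF_USER).decode(codec),
        "workstation": _read_buffer(msg, _BUF_WORKSTATION).decode(codec),
    }


def principal_from_authorization(header_value: str):
    """Take a raw 'Authorization:' value; return the identity claim if the token
    is NTLMSSP, or None for a GSS-API/Kerberos token, whose client principal
    cannot be read without the service keytab."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    token = base64.b64decode(token_b64)
    if token.startswith(NTLMSSP_SIGNATURE):          # NTLM, or NTLM carried in Negotiate
        return parse_ntlm_authenticate(token)
    if scheme.lower() == "negotiate" and token[:1] == b"\x60":
        # 0x60 = ASN.1 [APPLICATION 0], the GSS-API InitialContextToken wrapping
        # SPNEGO/Kerberos. The AP-REQ inside exposes only the service realm and
        # sname in the clear; the client name (cname) is in the ticket's
        # encrypted part, decryptable only with the SPN's key. That is why APM
        # needs a keytab (Kerberos AAA) rather than a header parse.
        return None
    raise ValueError(f"unsupported token for scheme {scheme!r}")


def build_ntlm_authenticate(domain: str, user: str, workstation: str,
                            flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    """Constructed sample: a structurally valid type 3 message with all-zero
    challenge responses and Version. It is NOT a real logon; it exists only
    so the parser above has offline input."""
    codec = _string_codec(flags)
    payloads = [b"\x00" * 24, b"\x00" * 24,             # LM / NT responses (dummy)
                domain.encode(codec), user.encode(codec),
                workstation.encode(codec), b""]          # no session key
    header_len = _FLAGS_OFFSET + 4 + 8                   # buffers + flags + Version
    header = NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
    body, offset = b"", header_len
    for p in payloads:
        header += struct.pack("<HHI", len(p), len(p), offset)
        body += p
        offset += len(p)
    header += struct.pack("<I", flags) + b"\x00" * 8
    return header + body


def make_authorization_header(token: bytes, scheme: str = "NTLM") -> str:
    """Wrap a token the way a browser sends it: 'NTLM <base64>'."""
    return f"{scheme} {base64.b64encode(token).decode('ascii')}"


if __name__ == "__main__":
    sample = make_authorization_header(build_ntlm_authenticate("CORP", "jdoe", "WS01"))
    print(principal_from_authorization(sample))
```

The practical caveat is in the docstring: a type 3 message names a user, but anyone can send one, so the name is only worth something after the NT response has been validated against the domain controller. With Kerberos there is not even a name to read; the browser presents an encrypted ticket, and the only way to learn who it belongs to is to decrypt it with the SPN's key, which is exactly what the keytab in the Kerberos AAA object is for.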