Forum Discussion

Kay_Ingerfeld
Oct 09, 2019

Kerberos double hop working with APM?

We are currently using a full webtop with a link to a web page that gives users access to their home directory. This requires a new authentication (at the moment NTLM). We would like to use SSO via Kerberos.

The communication is as follows: APM logon page -> webtop -> link to website -> web app to file server via CIFS and the user's credentials

 

APM OS is 14.1.2, the web server is MS Server 2012 R2 with IIS 8, and the file server is MS Server 2012 R2, too.

I created a Kerberos SSO object in APM with a dedicated user and SPN as listed here:

 

Username Source        session.sso.token.last.username
User Realm Source      session.logon.last.domain

Kerberos Realm         DOMAIN.LOCAL
KDC
UPN                    (disabled)

Account Name           host/apm-kcd.domain.local
SPN Pattern            HTTP/fileshare.domain.local@DOMAIN.LOCAL

Send Auth on 401

 

User account in AD:

ServicePrincipalName   host/apm-kcd.domain.local
UserPrincipalName      host/apm-kcd.domain.local@DOMAIN.LOCAL

No error in the log, but it's not working...

 

...

92ecf879:S4U ======> - we have cached S4U2Proxy ticket for user: itsme@DOMAIN.LOCAL server: HTTP/fileshare.domain.local@DOMAIN.LOCAL

92ecf879:S4U ======> OK!

92ecf879:GSSAPI: Server: HTTP/fileshare.domain.local@DOMAIN.LOCAL, User: itsme@DOMAIN.LOCAL

92ecf879:GSSAPI Init_sec_context returned code 0

92ecf879:GSSAPI token of length 1889 bytes will be sent back

...

 

I do not know if the double hop ever works in APM or if it is the target webapp.

 

Any ideas?

 

Thanks & best regards,

Kay

5 Replies

  • Hello Kay, is the link to the server a Webtop Link or something else?

  • Hey Kay, we use authentication-kerberos using a configured keytab file to accomplish this and add it to the rule as your authentication

  • Make sure to troubleshoot each half of a Kerberos setup separately. Is Kerberos AAA working in this case?

     

    I had to dig up my notes on this as it has been a while, but essentially Kerberos SSO needs the following things first:

    • successful sign-on to the target application inside the domain from other systems (target app SPN must already exist and be functional),
    • working forward/reverse DNS on the BIG-IP (i.e. using Active Directory for DNS resolution),
    • Connectivity to the KDC (looks like you have this),
    • NTP must be functional.

     

    In the Delegation tab for the F5 SSO user in AD, ensure that "Trust this user for delegation to specified services only; Use any authentication protocol" is selected.

    In the service account for the target application, I found that I needed to set up a delegation to the app's own SPN records with the Delegation setting set to "Trust this user for delegation to specified services only; Use Kerberos only." The F5 SSO user and the target application user should be separate.

     

    I'm not an expert on this stuff, but it has worked for us in the past and is still in production use.

     

    A pretty good troubleshooting resource is here by Cody Green.

     

    Microsoft has an in-depth description of the concepts here.
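    The AD-side delegation settings described in the reply above, written out as an added example (not from the thread or from F5). It assumes a domain-joined admin host with the ActiveDirectory module; the APM account name, the web app SPN and the realm are taken from the original post, while the IIS application pool identity 'svc-fileweb' and the file server name 'fileserver.domain.local' are hypothetical. The reply says the app account delegates to its own SPNs; because the original post's second hop is CIFS to a file server, this example delegates the app account to the file server's CIFS SPNs instead, which is an assumption.

```powershell
# Added example, not from the thread: AD-side configuration for APM Kerberos SSO
# (constrained delegation with protocol transition) following the reply above.
# Assumptions: ActiveDirectory module available; 'svc-fileweb' (IIS app pool identity)
# and 'fileserver.domain.local' (CIFS target) are hypothetical names.
Import-Module ActiveDirectory

$realm      = 'DOMAIN.LOCAL'
$apmAccount = 'apm-kcd'        # F5 SSO delegating account (Account Name in the SSO object)
$appAccount = 'svc-fileweb'    # hypothetical: IIS app pool identity behind fileshare.domain.local
$appSpns    = @('HTTP/fileshare.domain.local', 'HTTP/fileshare')
$cifsSpns   = @('cifs/fileserver.domain.local', 'cifs/fileserver')   # hypothetical second-hop target

# First hop (APM -> IIS). The delegating account needs the SPN/UPN the SSO object is
# configured with, the list of target SPNs (msDS-AllowedToDelegateTo) and protocol
# transition (TrustedToAuthForDelegation), i.e. the GUI setting "Trust this user for
# delegation to specified services only / Use any authentication protocol". Protocol
# transition is required because the user logged on to APM with a logon page, not a
# Kerberos ticket, so APM must obtain the user's ticket via S4U2Self before S4U2Proxy.
Set-ADUser -Identity $apmAccount `
    -ServicePrincipalNames @{Replace = 'host/apm-kcd.domain.local'} `
    -UserPrincipalName "host/apm-kcd.domain.local@$realm" `
    -Replace @{'msDS-AllowedToDelegateTo' = $appSpns}
Set-ADAccountControl -Identity $apmAccount -TrustedToAuthForDelegation $true

# Second hop (IIS -> file server over CIFS). The web app's SPNs live on its app pool
# account, which is separate from the APM account. It delegates with "Use Kerberos only"
# (no protocol transition): IIS already holds a real Kerberos ticket for the user, so it
# can use S4U2Proxy without S4U2Self. Set the flag explicitly so an old "any protocol"
# setting does not linger.
Set-ADUser -Identity $appAccount `
    -ServicePrincipalNames @{Replace = $appSpns} `
    -Replace @{'msDS-AllowedToDelegateTo' = $cifsSpns}
Set-ADAccountControl -Identity $appAccount -TrustedToAuthForDelegation $false

# Verify what AD actually holds before testing from APM. A duplicate SPN anywhere in the
# domain makes the KDC refuse to issue service tickets, so check for that too.
foreach ($spn in @('host/apm-kcd.domain.local') + $appSpns) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)
    if ($owners.Count -ne 1) { Write-Warning "SPN $spn is registered on $($owners.Count) objects" }
}
$apmAccount, $appAccount | ForEach-Object {
    Get-ADUser -Identity $_ -Properties ServicePrincipalName, UserPrincipalName,
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
} | Select-Object Name, UserPrincipalName, TrustedToAuthForDelegation,
    @{ n = 'SPNs';       e = { $_.ServicePrincipalName -join ', ' } },
    @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-List
```

    The final listing is what to compare against the APM SSO object: the Account Name must match an SPN on the delegating account, the SPN Pattern must appear in that account's DelegateTo list, and TrustedToAuthForDelegation must be True on the APM account and False on the app account.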

  • Hi, thanks for all the replies!

     

    Now to the answers:

    • Yes, we use the standard webtop link
    • OK, we did not test the complete keytab Kerberos config yet
    • Other Kerberos-Auth configs without double hop (in the same AD) do work without any problems

     

    I will try the keytab stuff next...

     

    Thank you again,

    Kay

  • Hello Kay, so when I say Webtop link I mean a specific type of object (those are direct links). That said, SSO is not supported with Webtop Links.