Original Publication Date: Jan 03, 2019
Topic
Kerberos delegation is a Microsoft feature that allows an application to reuse end-user credentials to access resources hosted on a different server. Kerberos constrained delegation is a form of delegation in which you specify which applications are allowed to reuse the user credentials. A server is configured to pass along a client's identity and credentials to a secondary resource server, accessing a resource or service on behalf of the client, while limiting the scope of where application services can act on the client's behalf. For more information, refer to the Microsoft Kerberos Constrained Delegation Overview document.
Note: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.
The purpose of this article is to provide an overview of this service, how it relates to BIG-IP APM, and the places that are important
for verifying proper configuration.
Description
BIG-IP APM uses the Kerberos Service-for-User (S4U) extensions (MS-SFU) and MIT Kerberos Library with Protocol Transition
(non-Kerberos to Kerberos).
Note: S4U is the only supported protocol through BIG-IP APM. The Trust this user for delegation to any service setting is not
currently supported in BIG-IP APM.
Service tickets for users accessing BIG-IP APM display as S4U2Self and service tickets accessing applications display
as S4U2Proxy.
For example:
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: user@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: user@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> OK!
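The debug lines above always follow the same sequence (cache miss, S4U2Self fetch, S4U2Proxy fetch, OK!), so when troubleshooting SSO it is useful to reduce a websso debug log to one status record per flow and see at which stage an unfinished flow stopped. The following Python script is an added example and not F5 code. It parses websso S4U debug lines into per-flow records; the first flow in the constructed sample is the article's own six lines, the second (alice@EXAMPLE.COM, pid 27690) is constructed to show a flow that never reaches OK!. Attributing the OK! line, which names no principal, to the most recently opened flow of the same websso process id is an assumption of this example.

```python
import re

# Constructed sample log. The first flow (pid 27687) is the article's own six
# debug lines; the second flow (pid 27690, alice@EXAMPLE.COM) is constructed
# to show a flow that stops after the S4U2Proxy request and never logs OK!.
SAMPLE_LOG = """\
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: user@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: user@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> OK!
Nov 15 14:27:05 BIG-IP debug websso.1[27690]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: alice@EXAMPLE.COM server: HTTP/app.example.com@EXAMPLE.COM - trying to fetch
Nov 15 14:27:05 BIG-IP debug websso.1[27690]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: alice@EXAMPLE.COM - trying to fetch
Nov 15 14:27:05 BIG-IP debug websso.1[27690]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: alice@EXAMPLE.COM
Nov 15 14:27:05 BIG-IP debug websso.1[27690]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: alice@EXAMPLE.COM server: HTTP/app.example.com@EXAMPLE.COM
"""

# Everything after the "S4U ======>" marker is the message we classify.
S4U_LINE = re.compile(r"websso\.\d+\[(?P<pid>\d+)\]: \S+ S4U ======> (?P<msg>.*)$")
USER = r"user: (?P<user>\S+)"
SERVER = r"server: (?P<server>\S+)"

# (event name, pattern, flow field it updates, new value for that field)
EVENTS = [
    ("proxy_miss", re.compile(rf"NO cached S4U2Proxy ticket for {USER} {SERVER}"), "s4u2proxy", "cache miss"),
    ("self_miss", re.compile(rf"NO cached S4U2Self ticket for {USER}"), "s4u2self", "cache miss"),
    ("self_hit", re.compile(rf"fetched S4U2Self ticket for {USER}"), "s4u2self", "fetched"),
    ("proxy_try", re.compile(rf"trying to fetch S4U2Proxy ticket for {USER} {SERVER}"), "s4u2proxy", "requested"),
    ("proxy_hit", re.compile(rf"fetched S4U2Proxy ticket for {USER} {SERVER}"), "s4u2proxy", "fetched"),
]


def new_flow(pid):
    return {"pid": pid, "user": None, "server": None,
            "s4u2self": "not requested", "s4u2proxy": "not requested", "ok": False}


def summarize_s4u(log_text):
    """Return one status record per S4U flow, finished flows first.

    Assumption: one websso process handles one flow at a time, so an 'OK!'
    line (which carries no principal) belongs to the open flow with that pid.
    """
    finished, open_flows = [], {}
    for line in log_text.splitlines():
        m = S4U_LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        flow = open_flows.setdefault(pid, new_flow(pid))
        if msg.strip() == "OK!":
            flow["ok"] = True
            finished.append(open_flows.pop(pid))
            continue
        for _name, pattern, field, value in EVENTS:
            em = pattern.search(msg)
            if em:
                flow[field] = value
                flow["user"] = em.group("user")
                if "server" in em.groupdict():
                    flow["server"] = em.group("server")
                break
    # Flows still open never logged OK!; report them last so they stand out.
    finished.extend(open_flows.values())
    return finished


def failed_flows(flows):
    """Flows that did not reach OK!, with the stage each ticket got to."""
    return [(f["user"], f["server"], f["s4u2self"], f["s4u2proxy"])
            for f in flows if not f["ok"]]


if __name__ == "__main__":
    flows = summarize_s4u(SAMPLE_LOG)
    for f in flows:
        print(f)
    print("did not reach OK!:", failed_flows(flows))
```

Run against a real log, the incomplete flows are the ones to take to the KDC and delegation-account checks in the following sections: a flow stuck at "requested" for S4U2Proxy points at the delegation configuration for that server's SPN, while a flow that never gets past "cache miss" for S4U2Self points at the KDC or DNS setup.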
Delegation account
Important: When creating the Microsoft Active Directory delegation account, ensure that you have enabled the account user with change password and set the password to never expire. To assign the service principal name (SPN), use ADSI Edit, and under servicePrincipalName add the logon value of the delegation account user you just created. For a multiple domain use case, the logon value is the user logon name. For a single domain use case, the logon value is the user logon name (pre-Windows 2000).
Once completed, reload the delegation account to display the Delegation tab. Select Trust this user for delegation to specified services only and Use any authentication protocol, which is the only use case currently supported by BIG-IP APM. To add the web server to which you want to authenticate, click Add. For more information about creating the Microsoft Active Directory user account, refer to K15008: Implementing a unique Microsoft Active Directory user account for AAA in the BIG-IP APM system.
Note: The designated web servers in the delegation account must be configured to accept Kerberos authentication.
DNS server
You must configure the BIG-IP system with a DNS server that contains the proper Kerberos SRV records. SRV records are in the form _kerberos._udp.<DOMAIN> or _kerberos._tcp.<DOMAIN>. These DNS entries are queried when the KDC (Key Distribution Center) field in the Kerberos SSO profile is empty and the dns_lookup_kdc value in the /etc/krb5.conf file is set to true. This is how DNS advertises which KDC handles authentication for a given realm. If these entries are not configured, SSO will likely fail.
If multiple entries exist for a service, UDP is used by default. If the response contains too many KDC records (more than 512 bytes), DNS switches to TCP on port 53 to request the same entries.
Note: For Kerberos to function correctly, in addition to SRV records, you must also configure A and PTR records for the web
servers.
Required ports
The following ports are used in Kerberos and must be allowed for proper communication and authentication.
Port 88 (UDP and TCP): KDC(s)
SPN pattern
This field defines how the SPN is constructed for the web servers. If left empty, the pattern defaults to HTTP/%s@REALM, where %s is the server's host name discovered through a reverse DNS lookup of the server IP address.
Another common method is HTTP/%h@REALM, which replaces %h with the host name from the HTTP request's Host header. This method is useful when the server is performing multi-hosting.
Note: F5 recommends leaving this field empty, unless you need to use a non-standard SPN format.
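To make the two patterns concrete, here is an added Python example (not part of the article or of BIG-IP APM) that expands an SPN pattern the way the text describes: %s from a reverse lookup of the server IP, %h from the request's Host header with any port removed. The PTR table and host names are constructed for the example, and treating @REALM as a placeholder for the realm configured in the SSO profile is an assumption. When the reverse lookup has no answer the function returns None, which is the case the note about A and PTR records above warns about.

```python
from urllib.parse import urlsplit

# Constructed reverse-DNS zone standing in for the PTR records the DNS server
# section requires; the address and host name are invented for this example.
PTR_ZONE = {"10.0.0.15": "web01.example.com"}

DEFAULT_PATTERN = "HTTP/%s@REALM"   # documented default when the field is empty


def build_spn(pattern, realm, server_ip=None, host_header=None, ptr_zone=PTR_ZONE):
    """Expand an SPN pattern as the SPN pattern field describes.

    %s -> the server's host name from a reverse (PTR) lookup of the pool
          member IP
    %h -> the host name from the HTTP request's Host header, port stripped
    "@REALM" is treated as a placeholder for the realm of the SSO profile
    (an assumption of this example). Returns None when the pattern cannot
    be completed, which is the situation in which SSO fails.
    """
    pattern = pattern or DEFAULT_PATTERN
    if "%s" in pattern:
        host = ptr_zone.get(server_ip)
        if host is None:                  # no PTR record: no SPN can be built
            return None
        pattern = pattern.replace("%s", host)
    if "%h" in pattern:
        # urlsplit handles "host:port" and bracketed IPv6 literals for us.
        host = urlsplit("//" + host_header).hostname if host_header else None
        if not host:
            return None
        pattern = pattern.replace("%h", host)
    return pattern.replace("REALM", realm)


if __name__ == "__main__":
    print(build_spn("", "EXAMPLE.COM", server_ip="10.0.0.15"))
    print(build_spn("HTTP/%h@REALM", "EXAMPLE.COM", host_header="intranet.example.com:8443"))
    print(build_spn("HTTP/%s@REALM", "EXAMPLE.COM", server_ip="10.0.0.99"))
```

Because %h is taken from the client's request, an SPN built that way only works when it names a service the delegation account is allowed to delegate to (the list on its Delegation tab), so the multi-hosting case needs every virtual host name registered there as well as in DNS.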
Send authorization
Note: For more information about the Send authorization configuration objects, refer to K13510: Overview of the Kerberos
SSO GSSAPI header.
Always (default): This setting will force BIG-IP APM to always send the Kerberos ticket without any pre-negotiation of
the protocol. The Authorization header is generated for each request and uses the Kerberos v5 protocol. Kerberos
v5 is the default protocol version for Windows systems.
On 401 Status Code: BIG-IP APM will use the SPNEGO protocol to negotiate the Kerberos protocol version before
sending the ticket. This is the default setting for most non-Windows implementations.
/etc/krb5.conf file
After you configure the BIG-IP APM system for constrained delegation, the generated /etc/krb5.conf file should appear similar to the following example:
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    EXAMPLE = {
        kdc = 10.154.144.94
        # kdc = add as many kdc entries as you like
    }
    EMEA.EXAMPLE.COM = {
        kdc = 10.154.144.92
    }
    EXAMPLEDEMO.COM = {
        kdc = dc2016.exampledemo.com:88
    }
Manually modifying the krb5.conf file allows you to define lists of KDCs for realm(s). However, configuring more than one KDC
does not provide a load-balancing mechanism. Only the first entry will be used unless it is not available. Supported formats for
supplying KDCs are fqdn|IP(:port).
For example:
kdc = dc1.us.examplekdc.com
kdc = 10.152.9.5
kdc = 10.152.25.5:88
Note: F5 does not recommend modifying the krb5.conf file, unless you have no other options to accomplish your intended
outcome using the Kerberos SSO profile.
This is most useful when BIG-IP cannot reach all KDCs retrieved by SRV queries or for testing purposes. This file is not checked if
you define a KDC IP in the Kerberos SSO profile.
Important: This file can be modified by the system when you create, delete, or modify AAA servers. F5 recommends backing up working files to a separate location prior to making changes.
Note: When KDC is not defined in the SSO profile and the kdc entry is defined for a REALM, the dns_lookup_kdc directive will
not be followed, even when set to true.
Note: When no KDC is defined in the SSO profile, no kdc entry is defined for a REALM, and dns_lookup_kdc is set to false,
then BIG-IP APM will have no KDC to use.
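The DNS server section and the three notes above together describe an order of precedence for finding a KDC: the KDC in the Kerberos SSO profile, then a kdc entry for the realm in /etc/krb5.conf, then the _kerberos SRV records when dns_lookup_kdc is true, and otherwise no KDC at all. The Python below is an added example and not F5 code. It parses a krb5.conf modelled on the one above (the realm name EXAMPLE.COM and the addresses are the article's example values) and applies that precedence, together with the fqdn|IP(:port) split and the first-available selection the text describes. The parser handles only the syntax used in this article, and IPv6 kdc literals are not handled.

```python
# Constructed krb5.conf modelled on the example above; the realm names and
# addresses are the article's own example values.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    EXAMPLE.COM = {
        kdc = 10.154.144.94
        # kdc = add as many kdc entries as you like
    }
    EMEA.EXAMPLE.COM = {
        kdc = 10.154.144.92
    }
    EXAMPLEDEMO.COM = {
        kdc = dc2016.exampledemo.com:88
    }
"""


def parse_krb5_conf(text):
    """Parse [libdefaults] keys and the per-realm kdc lists.

    Handles only the syntax used in this article: key = value lines, one
    level of REALM = { ... } braces, and '#' comments.
    """
    conf = {"libdefaults": {}, "realms": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "libdefaults":
            key, _, value = line.partition("=")
            conf["libdefaults"][key.strip()] = value.strip()
        elif section == "realms":
            if line.endswith("{"):
                realm = line[:-1].strip().rstrip("=").strip()
                conf["realms"][realm] = {"kdc": []}
            elif line == "}":
                realm = None
            elif realm:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    conf["realms"][realm]["kdc"].append(value.strip())
    return conf


def split_kdc(entry):
    """Split the fqdn|IP(:port) form into (host, port); the port defaults
    to 88 (the KDC port listed under Required ports). No IPv6 literals."""
    host, sep, port = entry.rpartition(":")
    return (host, int(port)) if sep else (entry, 88)


def kdc_source(realm, profile_kdc, conf):
    """Apply the precedence the notes describe for finding a KDC for realm.

    1. KDC set in the Kerberos SSO profile: used as is, krb5.conf not read.
    2. Else kdc entries for the realm in krb5.conf: used, and dns_lookup_kdc
       is ignored even when it is true.
    3. Else dns_lookup_kdc = true: the _kerberos SRV records are queried.
    4. Else: BIG-IP APM has no KDC to use.
    """
    if profile_kdc:
        return {"source": "sso-profile", "kdc": [profile_kdc]}
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    if kdcs:
        return {"source": "krb5.conf", "kdc": kdcs}
    if conf["libdefaults"].get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1"):
        return {"source": "dns-srv", "kdc": [],
                "query": [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]}
    return {"source": None, "kdc": []}


def select_kdc(kdcs, is_reachable):
    """First listed KDC that answers. The list is failover only, not load
    balancing: the first reachable entry is always the one used."""
    for entry in kdcs:
        if is_reachable(entry):
            return entry
    return None


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for realm in ("EXAMPLE.COM", "EXAMPLEDEMO.COM", "APAC.EXAMPLE.COM"):
        print(realm, "->", kdc_source(realm, "", conf))
```

The is_reachable argument of select_kdc is left as a callable so the same logic can be driven by a real connectivity probe to port 88 in a pre-change check, or by a fixed table when you are reasoning about which KDC a given configuration will end up on.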