
K17976428: Overview of Kerberos constrained delegation

Non-Diagnostic
Original Publication Date: Jan 03, 2019

Topic
Kerberos delegation is a Microsoft feature that allows an application to reuse an end user's credentials to access resources hosted on
a different server. Kerberos constrained delegation restricts that ability to an explicitly specified set of services. A server (here,
the BIG-IP system) is configured to obtain a service ticket in the client's name and present it to a secondary resource server, accessing
a resource or service on behalf of the client, while the configuration limits the scope of services on which it can act on the client's
behalf. For more information, refer to the Microsoft Kerberos Constrained Delegation Overview document.
Note: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.
The purpose of this article is to provide an overview of this service, how it relates to BIG-IP APM, and the places that are important
for verifying proper configuration.

Description
BIG-IP APM uses the Kerberos Service-for-User (S4U) extensions (MS-SFU) and the MIT Kerberos library with protocol transition
(non-Kerberos to Kerberos), so a user who authenticated to BIG-IP APM by some other method (for example, a logon form) can still be
given Kerberos single sign-on to the back-end server.
Note: S4U is the only supported protocol through BIG-IP APM. The Trust this user for delegation to any service setting (unconstrained
delegation) is not currently supported in BIG-IP APM.
In the websso debug log, the ticket that BIG-IP APM obtains for the user itself is logged as S4U2Self, and the service ticket it then
obtains for the back-end application on the user's behalf is logged as S4U2Proxy.
For example:
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: user@EXAMPLE.COM - trying to fetch
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: user@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM
Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> OK!
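The debug lines above form a small per-flow state machine: cache check, S4U2Self, S4U2Proxy, OK. The following Python is an added example (this editor's code, not part of the article and not F5 software) that parses lines of that shape and reports the last stage each flow reached, which is the first thing to look at when SSO fails. The sample input is the article's own entries with the line wrapping removed, plus a constructed truncated copy; the mapping from stage to "what to check next" is a troubleshooting heuristic of this editor's, drawn from the configuration items in this article, not F5 guidance.

```python
import re

# Shape of the websso S4U debug lines shown above; everything after
# "S4U ======>" (minus an optional leading "-") is the message text.
S4U_LINE = re.compile(r"websso\.\d+\[(?P<pid>\d+)\]: \S+ S4U ======>\s*-?\s*(?P<msg>.*)$")
USER_RE = re.compile(r"user: (\S+)")
SERVER_RE = re.compile(r"server: (\S+)")

# Stages of one protocol-transition flow, in the order they are logged.
STAGE_MARKERS = [
    ("NO cached S4U2Self", "s4u2self_requested"),
    ("fetched S4U2Self", "s4u2self_fetched"),
    ("trying to fetch S4U2Proxy", "s4u2proxy_requested"),
    ("fetched S4U2Proxy", "s4u2proxy_fetched"),
    ("OK!", "ok"),
]
STAGE_ORDER = [stage for _, stage in STAGE_MARKERS]


def parse_s4u_log(lines):
    """Fold S4U debug lines into one record per flow, keyed by websso pid.

    Each record has pid, user, server, stage (the last stage reached) and ok.
    A flow is closed when its 'OK!' line is seen; anything still open at the
    end of the input is returned as an incomplete (failed) flow."""
    flows, open_flows = [], {}
    for line in lines:
        m = S4U_LINE.search(line)
        if not m:
            continue  # not an S4U line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        flow = open_flows.setdefault(
            pid, {"pid": pid, "user": None, "server": None, "stage": None, "ok": False})
        u = USER_RE.search(msg)
        if u:
            flow["user"] = u.group(1)
        s = SERVER_RE.search(msg)
        if s:
            flow["server"] = s.group(1)
        for marker, stage in STAGE_MARKERS:
            if marker in msg and (flow["stage"] is None
                                  or STAGE_ORDER.index(stage) > STAGE_ORDER.index(flow["stage"])):
                flow["stage"] = stage  # stages only move forward
        if flow["stage"] == "ok":
            flow["ok"] = True
            flows.append(open_flows.pop(pid))
    flows.extend(open_flows.values())
    return flows


def next_check(flow):
    """Editor's troubleshooting heuristic: map the last stage reached to the
    configuration item from this article to verify next."""
    if flow["ok"]:
        return "success"
    return {
        None: "no S4U activity: verify the Kerberos SSO profile is attached and SSO Credential Mapping runs",
        "s4u2self_requested": "S4U2Self not fetched: verify KDC reachability (port 88), realm spelling (uppercase) and the delegation account",
        "s4u2self_fetched": "S4U2Proxy never attempted: verify the SPN pattern produces a target SPN",
        "s4u2proxy_requested": "S4U2Proxy not fetched: verify the target SPN is on the account's Delegation tab (msDS-AllowedToDelegateTo) and 'Use any authentication protocol' is set",
        "s4u2proxy_fetched": "ticket fetched but no OK: verify the web server accepts Kerberos authentication",
    }[flow["stage"]]


# Sample input: the article's log entries, one entry per line (original wrapping removed).
SUCCESS_LOG = [
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM - trying to fetch",
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: user@EXAMPLE.COM - trying to fetch",
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: user@EXAMPLE.COM",
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM",
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: user@EXAMPLE.COM server: HTTP/server.example.com@EXAMPLE.COM",
    "Nov 15 14:27:00 BIG-IP debug websso.1[27687]: 014d0001:7: S4U ======> OK!",
]
# Constructed failure case: the same flow cut off after the S4U2Proxy request
# (the real error line that would follow is not shown in the article).
INCOMPLETE_LOG = SUCCESS_LOG[:4]

if __name__ == "__main__":
    for flow in parse_s4u_log(SUCCESS_LOG) + parse_s4u_log(INCOMPLETE_LOG):
        print(flow["user"], flow["server"], flow["stage"], "->", next_check(flow))
```

Run it against `tail -f /var/log/apm` output (with websso logging at debug) and the incomplete flows are the sessions to investigate; a flow that reaches s4u2self_fetched but never s4u2proxy_fetched points at the SPN and the delegation account's target list rather than at the KDC.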

Required configuration objects with BIG-IP APM

Delegation account
DNS server
Required ports
APM Kerberos SSO profile
/etc/krb5.conf file

Delegation account

Important: When creating the Microsoft Active Directory delegation account, ensure that the account is enabled, that it is
permitted to change its password, and that Password never expires is selected. To assign the service principal name (SPN),
use ADSI Edit and, under servicePrincipalName, add the logon value of the delegation account you just created. For a
multiple domain use case, the logon value is the User logon name. For a single domain use case, the logon value is the
User logon name (pre-Windows 2000).

Once completed, reload the delegation account to display the Delegation tab. Select Trust this user for delegation to
specified services only and Use any authentication protocol; this combination (constrained delegation with protocol
transition) is the only use case currently supported by BIG-IP APM. Click Add to add each web server to which you want to
authenticate. For more information about creating the Microsoft Active Directory user account, refer to K15008: Implementing
a unique Microsoft Active Directory user account for AAA in the BIG-IP APM system.
Note: The designated web servers in the delegation account must be configured to accept Kerberos authentication. Because the
delegation account can obtain tickets for any user to every service listed on its Delegation tab, list only the services that
BIG-IP APM needs and protect the account as you would any other privileged credential.
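An added example (this editor's code, not from the article and not F5 tooling): a Python check that the delegation account's Active Directory attributes match the settings above. The attribute values are constructed samples; in practice you would read them from the account with an LDAP search or Get-ADUser -Properties userAccountControl,servicePrincipalName,msDS-AllowedToDelegateTo. The userAccountControl bit values are Microsoft's documented constants and the attribute names are the real AD schema names; the "extra target" check is this editor's addition, since every SPN on the Delegation tab is a service to which the account can impersonate any user.

```python
# userAccountControl bit flags (Microsoft documented values).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this user for delegation to any service" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x200


def check_delegation_account(attrs, required_targets):
    """Return a list of findings; an empty list means the account matches this article.

    attrs: dict of AD attributes for the delegation account (from LDAP or Get-ADUser):
           userAccountControl (int), servicePrincipalName (list of str),
           msDS-AllowedToDelegateTo (list of str).
    required_targets: SPNs of the web servers BIG-IP APM must delegate to."""
    findings = []
    uac = int(attrs.get("userAccountControl", 0))
    spns = [s.lower() for s in attrs.get("servicePrincipalName", [])]
    allowed = [s.lower() for s in attrs.get("msDS-AllowedToDelegateTo", [])]

    if uac & ACCOUNTDISABLE:
        findings.append("account is disabled")
    if not uac & DONT_EXPIRE_PASSWORD:
        findings.append("'Password never expires' is not set; SSO breaks when the password expires")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation ('any service') is set; not supported by APM and unsafe")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("'Use any authentication protocol' is not set; S4U2Self/S4U2Proxy will fail")
    if not spns:
        findings.append("no servicePrincipalName; the Delegation tab will not appear")
    if not allowed:
        findings.append("msDS-AllowedToDelegateTo is empty; no constrained targets configured")
    for target in required_targets:
        if target.lower() not in allowed:
            findings.append(f"target {target} is not in msDS-AllowedToDelegateTo")
    # Targets beyond what APM needs widen the set of services this account can impersonate users to.
    for target in sorted(set(allowed) - {t.lower() for t in required_targets}):
        findings.append(f"extra delegation target {target} (widens impersonation scope)")
    return findings


# Constructed sample: an account configured as this article describes.
GOOD_ACCOUNT = {
    "sAMAccountName": "delegationUserAccount",
    "userPrincipalName": "host/delegationUserAccount.example.com@example.com",
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "servicePrincipalName": ["host/delegationUserAccount.example.com"],
    "msDS-AllowedToDelegateTo": ["HTTP/server.example.com"],
}

# Constructed sample: common mistakes (unconstrained delegation, no targets, expiring password).
BAD_ACCOUNT = {
    "sAMAccountName": "delegationUserAccount",
    "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
    "servicePrincipalName": ["host/delegationUserAccount.example.com"],
    "msDS-AllowedToDelegateTo": [],
}

if __name__ == "__main__":
    for name, acct in (("good", GOOD_ACCOUNT), ("bad", BAD_ACCOUNT)):
        findings = check_delegation_account(acct, ["HTTP/server.example.com"])
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Note that "Kerberos only" on the Delegation tab (targets listed but TRUSTED_TO_AUTH_FOR_DELEGATION clear) is flagged as well: protocol transition is what lets APM request S4U2Self for a user who never presented a Kerberos ticket to the BIG-IP system.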
DNS server
You must configure the BIG-IP system with a DNS server that contains the proper Kerberos SRV records. SRV records are in the
form _kerberos._udp.<DOMAIN> or _kerberos._tcp.<DOMAIN>. These DNS entries are queried when the KDC field (Key Distribution
Center) in the Kerberos SSO profile is empty and the dns_lookup_kdc value in the /etc/krb5.conf file is set to true. This is how
DNS advertises which KDC handles authentication for a given realm; if these entries are not configured, SSO will likely fail.
DNS queries are sent over UDP first. If the answer does not fit in a 512-byte UDP response (for example, because the realm
advertises many KDCs), the server marks the response as truncated and the resolver repeats the same query over TCP port 53, so
both UDP and TCP port 53 must be reachable.
Note: For Kerberos to function correctly, in addition to SRV records, you must also configure A and PTR records for the web
servers. The PTR record matters because, with the default SPN pattern, BIG-IP APM derives the server's SPN from a reverse lookup
of the server IP address.
Required ports
The following ports are used in Kerberos and must be allowed for proper communication and authentication.

Port                  Protocol   Destination IP(s)
53                    UDP/TCP    DNS server
88                    UDP/TCP    KDC(s)
123                   UDP        NTP server(s)
<Web Server port(s)>  TCP        Web server(s)

Note: NTP is listed because Kerberos rejects tickets and authenticators when the clocks of the BIG-IP system, the KDC and the
web server differ by more than the permitted skew (5 minutes by default in Active Directory).

APM Kerberos SSO profile


You must configure the following BIG-IP APM configuration objects for Kerberos SSO:
Credentials source
The username source is the variable assigned automatically by the SSO Credential Mapping action in the Visual Policy Editor
(VPE). Ensure you have the SSO Credential Mapping action at the end of your Access Policy in the VPE.
The default user realm source is not suitable for every setup. If the realm variable is not assigned at some point in your VPE,
the fallback is the realm defined in the Kerberos SSO profile. If the realm configured in the SSO profile differs from the
user's realm (for example, users from several domains accessing servers in one domain), add a Variable Assign action to the
VPE that sets the user realm source to the user's actual realm.
Kerberos realm
You must set the realm defined here to the realm of the accessed web servers. If accessed web servers are in multiple
realms, you will need a separate Kerberos SSO profile for each given realm, with a separate delegation account per realm.
Note: You must format the defined realm in uppercase.
KDC
Set this object to an IP address or host name of the Kerberos KDC for the server's realm.
Single domain
If all users accessing BIG-IP APM and all accessed servers are in the same domain, configure a single IP address or fully
qualified domain name (FQDN). This configuration works only for the single domain use case.
Multiple domains
If users accessing BIG-IP APM may belong to multiple domains while all accessed servers are in the same domain, leave the
KDC field empty. This configuration works for both the single domain and the multiple domain use case. When this field is
empty, the BIG-IP system sends a DNS SRV query to find the KDC responsible for the realm involved.
Note: The domains must have bi-directional transitive trust as required by the Kerberos Protocol Transition (KPT) extension.
Account name
The account name is the Active Directory account name created for the delegation. This account will have two possible
formats, depending on whether your use case is single domain or multiple domains. The Active Directory user properties
include the following:
User logon name:
host/delegationUserAccount.example.com@example.com
User logon name (pre-Windows 2000):
EXAMPLE.COM\delegationUserAccount
You can use the following formats for these fields:
Single domain only
delegationUserAccount
Single and multiple domain (and when AES128/256 is enabled)
host/delegationUserAccount.example.com

SPN pattern
This field defines how the SPN is constructed for the web servers. If left empty, the pattern defaults to HTTP/%s@REALM,
where %s is the server's host name discovered through a reverse DNS lookup of the server IP address.
Another common method is HTTP/%h@REALM, which replaces %h with the host name from the HTTP request's Host header. This is
useful when the server is multi-hosting, because the reverse lookup returns a single name while the SPN must match the name
under which the application is registered.
Note: F5 recommends leaving this field empty unless you need to use a non-standard SPN format.
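The following Python is an added example of the two substitutions described above (this editor's code, not F5's implementation of the field). It expands a pattern into the SPN that will be requested and then checks that SPN against the delegation account's target list, using a constructed reverse-DNS table that stands in for the PTR lookup. The reading that REALM is replaced by the profile's realm, that %s takes the PTR name and %h the Host header without its port, is an assumption taken from the description above; the multi-hosting case shows why the two patterns can produce different SPNs for the same request.

```python
# Constructed stand-in for reverse DNS: the server IP has exactly one PTR name,
# although the same server also answers for intranet.example.com as a virtual host.
PTR_TABLE = {"10.0.0.10": "server.example.com"}


def expand_spn_pattern(pattern, realm, server_ip, host_header, ptr_lookup=PTR_TABLE.get):
    """Expand an APM-style SPN pattern into the SPN that will be requested.

    Assumptions (this editor's reading of the field): an empty pattern means
    HTTP/%s@REALM; REALM is replaced by the profile's Kerberos realm; %s is the
    PTR name of server_ip; %h is the HTTP Host header without any :port.
    Returns None when the value a placeholder needs is unavailable, rather than
    guessing a name."""
    realm = realm.upper()  # realms must be uppercase
    spn = (pattern or "HTTP/%s@REALM").replace("REALM", realm)
    if "%s" in spn:
        name = ptr_lookup(server_ip)
        if not name:
            return None  # no PTR record: the default SPN cannot be built
        spn = spn.replace("%s", name)
    if "%h" in spn:
        host = (host_header or "").split(":", 1)[0]
        if not host:
            return None
        spn = spn.replace("%h", host)
    return spn


def is_allowed_target(spn, allowed_to_delegate_to):
    """True when the SPN (realm part dropped) is on the delegation account's
    msDS-AllowedToDelegateTo list; otherwise the KDC will not issue an S4U2Proxy ticket."""
    bare = spn.split("@", 1)[0].lower()
    return bare in {t.lower() for t in allowed_to_delegate_to}


# Constructed: the SPNs listed on the delegation account's Delegation tab.
ALLOWED = ["HTTP/intranet.example.com"]

if __name__ == "__main__":
    for pattern in ("", "HTTP/%h@REALM"):
        spn = expand_spn_pattern(pattern, "example.com", "10.0.0.10", "intranet.example.com:8443")
        print(repr(pattern), "->", spn, "allowed" if is_allowed_target(spn, ALLOWED) else "NOT allowed")
```

With the default pattern the request above yields HTTP/server.example.com@EXAMPLE.COM, which is not on the Delegation tab; with %h it yields HTTP/intranet.example.com@EXAMPLE.COM, which is. Whichever pattern you choose, the SPN it produces must exist in AD and appear in msDS-AllowedToDelegateTo.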
Send authorization
Note: For more information about the Send authorization configuration objects, refer to K13510: Overview of the Kerberos
SSO GSSAPI header.
Always (default): BIG-IP APM always sends the Kerberos ticket without any pre-negotiation; the Authorization header is
generated for each request and carries a Kerberos v5 token. Kerberos v5 is the default protocol version for Windows systems.
On 401 Status Code: BIG-IP APM first sends the request without a ticket and, when the server challenges with a 401 status
code, uses SPNEGO to negotiate the authentication mechanism before sending the ticket. This is the default behavior for most
non-Windows implementations.

/etc/krb5.conf file
After the BIG-IP APM configuration for constrained delegation is complete, the generated /etc/krb5.conf file should appear
similar to the following example:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = 10.154.144.94
# kdc = add as many kdc entries as you like
}
EMEA.EXAMPLE.COM = {
kdc = 10.154.144.92
}
EXAMPLEDEMO.COM = {
kdc = dc2016.exampledemo.com:88
}
Manually modifying the krb5.conf file allows you to define a list of KDCs for each realm. However, configuring more than one
KDC does not provide load balancing: only the first entry is used, and the next entry is tried only if the first is unavailable.
Supported formats for supplying KDCs are fqdn|IP(:port).
For example:
kdc = dc1.us.examplekdc.com
kdc = 10.152.9.5
kdc = 10.152.25.5:88
Note: F5 does not recommend modifying the krb5.conf file unless you cannot accomplish your intended outcome using the Kerberos
SSO profile. Manual KDC lists are most useful when the BIG-IP system cannot reach all of the KDCs returned by SRV queries, or
for testing. The file is not consulted at all if you define a KDC in the Kerberos SSO profile.

Important: This file can be rewritten when you create, delete, or modify AAA servers. F5 recommends backing up a working copy
to a separate location before making changes.

Note: When no KDC is defined in the SSO profile and a kdc entry is defined for the realm in krb5.conf, that kdc entry is used
and the dns_lookup_kdc directive is not followed, even when set to true.
Note: When no KDC is defined in the SSO profile, no kdc entry is defined for the realm, and dns_lookup_kdc is set to false,
then BIG-IP APM has no KDC to use and SSO fails.
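An added example (this editor's code, not F5's): a parser for the krb5.conf subset shown above together with the KDC selection order that this section and the DNS server section describe (KDC from the SSO profile first; otherwise the realm's kdc entries in listed order; otherwise the _kerberos SRV records when dns_lookup_kdc is true; otherwise nothing). The SRV step returns the names that would be queried rather than querying DNS, so the block runs offline; the precedence is taken from the notes above and is not an F5 API. The sample file is the one shown in this article.

```python
import re

# The krb5.conf shown in this article, embedded as sample input.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = 10.154.144.94
# kdc = add as many kdc entries as you like
}
EMEA.EXAMPLE.COM = {
kdc = 10.154.144.92
}
EXAMPLEDEMO.COM = {
kdc = dc2016.exampledemo.com:88
}
"""


def parse_krb5_conf(text):
    """Minimal parser for the subset above: [libdefaults] key = value lines and
    [realms] REALM = { kdc = ... } blocks. '#' comments are ignored."""
    conf = {"libdefaults": {}, "realms": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                conf["realms"].setdefault(realm, {"kdc": []})
                continue
            if line == "}":
                realm = None
                continue
            if realm and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if key == "kdc":
                    conf["realms"][realm]["kdc"].append(value)  # order = failover order
                else:
                    conf["realms"][realm][key] = value
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf["libdefaults"][key] = value
    return conf


def split_kdc(entry, default_port=88):
    """Split the fqdn|IP(:port) form into (host, port); Kerberos defaults to 88."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def kdc_candidates(realm, sso_profile_kdc, conf):
    """Return (source, [entries]) following the precedence described in this article:
    1. KDC set in the Kerberos SSO profile: used as-is, krb5.conf not consulted.
    2. kdc entries for the realm in krb5.conf: first entry, next only on failure;
       dns_lookup_kdc is ignored even when true.
    3. dns_lookup_kdc = true: the SRV names to resolve; their answers are the KDCs.
    4. Otherwise there is no KDC and SSO cannot work."""
    realm = realm.upper()  # realm names must be uppercase
    if sso_profile_kdc:
        return "sso_profile", [sso_profile_kdc]
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    if kdcs:
        return "krb5.conf", list(kdcs)
    if conf["libdefaults"].get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1"):
        return "dns_srv", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]
    return "none", []


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm, sso_kdc in (("EXAMPLE.COM", "10.154.144.10"), ("EXAMPLE.COM", ""), ("CORP.EXAMPLE.COM", "")):
        source, entries = kdc_candidates(realm, sso_kdc, conf)
        shown = entries if source == "dns_srv" else [split_kdc(e) for e in entries]
        print(realm, source, shown)
```

The (host, port) pairs from split_kdc are exactly the destinations that must be reachable on port 88 per the Required ports table; a realm that falls through to "none" is the failure case described in the last note above.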
