Forum Discussion

Mar 30, 2017

Kerberos Constrained Delegation to Linux backend

Hello,


We are struggling with APM to perform Kerberos SSO toward an SAP system running on Linux, using this DG as ref: https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf.


We find this in the APM log: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/sapxxx.domain.com@DOMAIN.COM - Requesting ticket can't get forwardable tickets (-1765328163)


As far as we understand the message this could be due to the fact that we are currently using "Trust this user for delegation to any service (Kerberos only)" in the delegation properties of the service account, when we should use "Trust this user for delegation to specified services only" > "Use any authentication protocol". But this doesn't work out of the box as the Linux backend is obviously not available in the AD to be added there. We tried to add a computer object for it but that doesn't help.


So our question is: how can we configure the delegation to the Linux SAP backend?


Thanks in advance for your help :-)


  • Hi,

    I don't know how to configure it on the SAP backend, but here is the procedure to configure an Apache with Kerberos auth working with APM (PowerShell):

    Apache Kerberos configuration (PowerShell)

    Create the Apache Kerberos account

    New-ADUser -Name "APACHE2 Kerberos Authentication Account" -UserPrincipalName svc_ap2_krb_auth@demo.local -SamAccountName "svc_ap2_krb_auth" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
    

    Create a Service Principal Name attribute for this account

    Set-AdUser -Identity svc_ap2_krb_auth -ServicePrincipalNames @{Add="host/srv-web.demo.local"}
    

    Create the Kerberos key used to decrypt Kerberos tokens

    ktpass -princ HTTP/srv-web.demo.local@DEMO.LOCAL -mapuser svc_ap2_krb_auth@demo.local -crypto all -ptype KRB5_NT_PRINCIPAL -pass P@ssw0rd -out c:\svc_ap2_krb_auth.keytab
    
    Then the delegation account is created with these commands (PowerShell):

    Create the F5 delegation account

    New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
    

    Create a Service Principal Name attribute for this account (mandatory to request a Kerberos ticket for another user)

    Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
    

    Assign the delegation right to the site app1.demo.local

    Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/srv-web.demo.local"}
    

    Change the delegation right to the mode: Trust this user for delegation to specified services only / Use any authentication protocol

    Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
    Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
    
    In F5 APM, create the Kerberos SSO Profile (tmsh)

    Web App pool kerberos SSO

    create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.245.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
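Added example (not part of the original reply): a PowerShell check that reads the delegation account back from AD and reports each setting the S4U2Self/S4U2Proxy request in the question depends on. It assumes the ActiveDirectory module and reuses the reply's names, svc_f5_krb and srv-web.demo.local, as placeholders to swap for the SAP host.

```powershell
# Added verification script, not from the original post. Assumes the
# ActiveDirectory module and the names used in the reply above.
param(
    [string]$DelegationAccount = 'svc_f5_krb',         # APM delegation account
    [string]$BackendHost       = 'srv-web.demo.local'  # replace with the SAP host
)
Import-Module ActiveDirectory

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'
$acct  = Get-ADUser -Identity $DelegationAccount -Properties $props
$checks = [ordered]@{}

# S4U2Self: the delegating account must carry at least one SPN of its own,
# otherwise the KDC will not issue tickets "to self" for other users.
$checks['Delegating account has an SPN'] = (@($acct.servicePrincipalName).Count -gt 0)

# Protocol transition ("Use any authentication protocol") is the UAC bit
# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000). Without it the S4U2Self ticket
# is not forwardable, which is what "can't get forwardable tickets" reports.
$checks['TrustedToAuthForDelegation (0x1000000) set'] =
    [bool]($acct.userAccountControl -band 0x1000000)

# Constrained, not unconstrained: TRUSTED_FOR_DELEGATION (0x80000) must be clear.
$checks['Unconstrained delegation (0x80000) off'] =
    -not [bool]($acct.userAccountControl -band 0x80000)

# The allowed-to list must contain the SPN APM derives from spn-pattern HTTP/%h.
$wantSpn = "HTTP/$BackendHost"
$targets = @($acct.'msDS-AllowedToDelegateTo')
$checks["msDS-AllowedToDelegateTo contains $wantSpn"] =
    (@($targets | Where-Object { $_ -ieq $wantSpn }).Count -gt 0)

# The backend SPN must be registered on exactly one AD object (the account whose
# keytab the Linux host holds); otherwise the KDC cannot issue the service ticket.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$wantSpn)")
$checks["$wantSpn registered on exactly one object"] = ($owners.Count -eq 1)

foreach ($k in $checks.Keys) {
    $status = if ($checks[$k]) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $k)
}
if ($owners.Count -eq 1) {
    Write-Output ("       backend SPN owner: {0}" -f $owners[0].DistinguishedName)
}
```

Run it as a domain user with read access to AD; a FAIL on the TrustedToAuthForDelegation line with the SPN checks passing matches the symptom described in the question.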