The following is a quick guide to set up F5 APM with Kerberos authentication.
The end-user logon works with events happening in this order:
• The client is a domain member and the user is logged on with a domain account, so the client already holds a Kerberos TGT.
• The client connects to a virtual server on the BIG-IP system.
• The access policy runs and issues an HTTP 401 Response action (with a WWW-Authenticate: Negotiate header).
• If Kerberos is available, the browser requests a service ticket from the KDC for the SPN matching the host name it connected to (HTTP/portal.maniak.net) and re-sends the request with the ticket in an Authorization: Negotiate header.
• Access Policy Manager decrypts and validates the Kerberos ticket with the key from its keytab and determines whether or not to permit the request.
Here are the commands I used, so they are easy to copy.
Suppose that the website has to respond at portal and http://portal.maniak.net. We have to register both names as HTTP SPNs on the service account, because the browser builds the SPN from the host name typed in the URL (a plain A record for the name is safer than a CNAME, since some browsers canonicalize a CNAME before building the SPN).
setspn -s HTTP/portal maniak\iis_service
setspn -s HTTP/portal.maniak.net maniak\iis_service
Registering the SPNs makes the KDC encrypt service tickets for these names with the service account's key, so this account (and the BIG-IP, once it holds the account's keytab) can decrypt them and authenticate sessions. The -s form checks that the SPN is not already registered on another object; a duplicate SPN breaks Kerberos for both services. Verify the result:
setspn -l iis_service
Open a command prompt as a domain administrator and create the keytab.
ktpass -princ HTTP/portal.maniak.net@MANIAK.NET -mapuser iis_service@maniak.net -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass W3lcome098! -out c:\temp\iis_service.keytab
A few caveats: the realm after @ in -princ must be upper case; -pass resets the service account's password and bumps its key version number (kvno), so run ktpass once and regenerate the keytab whenever the password changes; RC4-HMAC-NT is a weak cipher, so prefer -crypto AES256-SHA1 (and allow AES on the account) where your APM version supports it; and the keytab is equivalent to the account's password, so copy it to the BIG-IP over a secure channel and delete the local copy. The SPN (HTTP/portal.maniak.net), the realm (MANIAK.NET) and this keytab are what you then enter in the APM Kerberos AAA server object.
4 Jul 2024
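The SPN registration and keytab generation above, as one PowerShell script. This is an added example and not part of the original post; it assumes the same domain (maniak.net), service account (iis_service), host names (portal, portal.maniak.net) and output path (C:\temp) as the commands above, and that it runs as a domain administrator on a domain-joined machine with the RSAT ActiveDirectory module installed. It uses AES256 instead of RC4 and prompts for the password rather than taking it on the command line.

```powershell
# Added example (not from the original post): register the HTTP SPNs for the
# APM-fronted site on the service account, check they are unique, then emit the
# keytab with ktpass. Names below are the ones assumed in the text.
#Requires -Modules ActiveDirectory
param(
    [string]$Account    = 'iis_service',
    [string]$Realm      = 'MANIAK.NET',            # Kerberos realm, upper case
    [string[]]$Hosts    = @('portal', 'portal.maniak.net'),
    [string]$KeytabPath = 'C:\temp\iis_service.keytab'
)

$ErrorActionPreference = 'Stop'

# The KDC encrypts a service ticket for whichever object owns the SPN. If two
# objects carry the same SPN, authentication fails for both, so check first.
function Test-SpnUnique {
    param([string]$Spn, [string]$Owner)
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
    foreach ($h in $holders) {
        if ($h.sAMAccountName -ne $Owner) {
            throw "SPN $Spn is already registered on $($h.DistinguishedName)"
        }
    }
}

$svc = Get-ADUser -Identity $Account -Properties servicePrincipalName
foreach ($h in $Hosts) {
    $spn = "HTTP/$h"
    Test-SpnUnique -Spn $spn -Owner $svc.SamAccountName
    if ($svc.servicePrincipalName -notcontains $spn) {
        # Equivalent of: setspn -s HTTP/<host> maniak\iis_service
        Set-ADUser -Identity $svc -ServicePrincipalNames @{Add = $spn}
        Write-Host "added $spn"
    }
}

# Equivalent of: setspn -l iis_service
(Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName

# Allow AES on the account before cutting an AES keytab, so the KDC does not
# fall back to RC4 for tickets issued to this service.
Set-ADUser -Identity $Account -KerberosEncryptionType AES256

# ktpass sets the account password to the value given, which bumps the key
# version number (kvno); any earlier keytab for this account stops working.
# Prompt for it so it does not land in the shell history or a transcript.
$pw    = Read-Host -AsSecureString "Password to set on $Account"
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
$fqdn  = $Hosts | Where-Object { $_ -like '*.*' } | Select-Object -First 1

& ktpass /princ "HTTP/$fqdn@$Realm" /mapuser "$Account@$($Realm.ToLower())" `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass $plain /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
$plain = $null

Write-Host "keytab written to $KeytabPath; upload it to the APM Kerberos AAA server and delete this copy"
```

The script registers the short name and the FQDN as SPNs but builds the keytab only for the FQDN principal, which is the name APM's Kerberos AAA server is configured with; the keytab file is equivalent to the account's password, so treat it accordingly.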