Manual Chapter : Configuring Kerberos Delegation

Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP GTM, BIG-IP Link Controller, BIG-IP Analytics, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM (versions 11.5.1 through 11.5.10)

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Certificate Status Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
  • Kerberos

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task Summary

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts.

Task list

Creating a Kerberos Delegation configuration object

Use this procedure to create a configuration object for Kerberos delegation.
  1. On the Main tab of the navigation pane, click Local Traffic > Profiles .
  2. From the Authentication menu, choose Configurations.
  3. Click Create.
  4. In the Name field, type a unique name for the configuration object, such as my_kerberos_config.
  5. From the Type list, select Kerberos Delegation.
  6. For the Enable Protocol Transition setting, retain the default value (cleared) or select the box.
  7. In the Client Principal Name field, type the name of the client principal, using the format HTTP/[name], where name is the name of the virtual server that you create to use with this configuration.
    This principal might be in a different domain from the server principal. If so, you should use the domaintool(1) utility to create this principal, because the client principal must have the OK to Delegate flag selected in the Microsoft Windows domain.
  8. In the Server Principal Name field, type the name of the server principal (the back-end web server), using the format HTTP/[fqdn], where fqdn is the fully-qualified domain name.
    This principal might be in a different domain from the client principal. If so, you should use the domaintool(1) utility to add the domain. Also, you probably need to use the --dnsdomain option to set up DNS-to-Kerberos realm mappings.
  9. Click Finished.

Creating a Kerberos delegation profile object from the command line

You can create the Kerberos delegation profile object from the command line.
Set a cookie name and a strong password for the cookie encryption key on the profile. In this example, the cookie name is kerbc and the key is kerbc:

    create profile auth my_kerberos_profile { configuration my_kerberos_config cookie-name kerbc cookie-key kerbc defaults-from krbdelegate }
Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
The Kerberos delegation profile object is available.
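As an added example that is not part of this manual, the following Python script audits a bigip.conf-style fragment for the points raised by the configuration-object steps and the cookie-key note above: principal names in HTTP/[name] form, client and server principals in different realms (which need the domaintool and --dnsdomain steps), and a cookie key that is still equal to the cookie name or too short. The sample config text, the stanza names and the 16-character threshold are assumptions made for illustration.

```python
"""Audit Kerberos delegation objects in a bigip.conf-style fragment (added
example, not from the F5 manual). Flags a cookie key equal to the cookie name
or too short, principals not of the form HTTP/<name>, and cross-realm principals."""
import re

# Constructed sample in bigip.conf layout; stanza names follow the tmsh components (assumption).
SAMPLE_CONF = """
ltm auth kerberos-delegation my_kerberos_config {
    client-principal HTTP/kerbvs.CORP.EXAMPLE.COM
    server-principal HTTP/web1.apps.example.com
    protocol-transition disabled
}
ltm auth profile my_kerberos_profile {
    configuration my_kerberos_config
    cookie-key kerbc
    cookie-name kerbc
    defaults-from krbdelegate
}
"""
STANZA = re.compile(r"ltm auth (\S+) (\S+) \{(.*?)\}", re.DOTALL)  # flat stanzas only
PRINCIPAL = re.compile(r"^HTTP/([^/@\s]+)(?:@([^\s/@]+))?$")  # HTTP/<host>[@REALM]
MIN_KEY_LEN = 16  # assumption: shorter cookie keys are reported as weak

def parse(conf):  # map (kind, name) -> {property: value} for each 'ltm auth' stanza
    objs = {}
    for kind, name, body in STANZA.findall(conf):
        props = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value.strip()
        objs[(kind, name)] = props
    return objs

def realm_of(principal):
    host, realm = PRINCIPAL.match(principal).groups()  # explicit @REALM wins
    return (realm or host.partition(".")[2]).upper()  # else assume DNS domain == realm

def audit(conf):
    findings = []
    for (kind, name), p in parse(conf).items():
        if kind == "kerberos-delegation":
            bad = [f for f in ("client-principal", "server-principal") if not PRINCIPAL.match(p.get(f, ""))]
            findings += [f"{name}: {f} is not of the form HTTP/<name>" for f in bad]
            if not bad and realm_of(p["client-principal"]) != realm_of(p["server-principal"]):
                findings.append(f"{name}: client and server principals are in different realms")
        elif kind == "profile":
            key, cookie = p.get("cookie-key", ""), p.get("cookie-name", "")
            if key == cookie or len(key) < MIN_KEY_LEN:
                findings.append(f"{name}: cookie-key is weak (equals cookie-name or shorter than {MIN_KEY_LEN})")
    return findings
```

Run against the sample, the script reports both the cross-realm principals and the weak cookie key; a profile whose key is long and differs from the cookie name produces no finding.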

Creating a load balancing pool

You can create a load balancing pool (a logical set of devices such as web servers that you group together to receive and process traffic) to efficiently distribute the load on your server resources.
Note: You must create the pool before you create the corresponding virtual server.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
    Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.
    The default is Round Robin.
  6. For the Priority Group Activation setting, specify how to handle priority groups:
    • Select Disabled to disable priority groups. This is the default option.
    • Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority Group Activation field.
    4. Click Add.
  8. Click Finished.
The load balancing pool appears in the Pools list.

Creating a virtual server with Kerberos delegation and Client SSL profiles

You can create a virtual server with Kerberos delegation and Client SSL profiles.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the Type list, select Standard.
  8. From the Protocol list, select TCP.
  9. From the HTTP Profile list, select http.
  10. From the SSL Profile (Client) list, select a custom Client SSL profile.
  11. For the Authentication Profiles setting, in the Available field, select the custom Kerberos delegation profile, and use the Move button to move it to the Selected field.
  12. From the Default Pool list, select a pool name.
  13. Click Finished.
The virtual server with Kerberos delegation and Client SSL profiles appears in the Virtual Server list.