Manual Chapter: Configuring Kerberos Authentication with End-User Logons

About basic authentication and Kerberos end-user logon

Access Policy Manager® provides an alternative to the form-based login authentication method. This alternative uses the browser's own login box, which is triggered by an HTTP 401 response, to collect credentials. The HTTP 401 response carries either a SPNEGO/Kerberos or a basic authentication challenge. This option is useful when the user has already logged in to the local domain and you want to avoid presenting an APM HTTP form to collect the credentials again: the browser submits the credentials to the server automatically and bypasses the login box.

Note: Because SPNEGO/Kerberos is a request-based authentication feature, its authentication process differs from that of other authentication methods, which run only at session creation time. SPNEGO/Kerberos authentication can occur at any time during the session.

The benefits of this feature include:

  • Provides a flexible login mechanism instead of restricting you to the form-based login method.
  • Eliminates the need for domain users to type their login information again to log in to Access Policy Manager.
  • With the Kerberos method, eliminates the transmission of the user's password.

Important: Administrators should not turn off the KeepAlive setting on their web server, since turning it off may interfere with Kerberos authentication.

How does end-user login work?

This feature provides two methods to retrieve user credentials for login: basic authentication or a Kerberos method.

basic authentication
Use this method to retrieve user credentials (user name and password) from a browser. You can think of this method as a replacement for form-based authentication used by the standard login screen. If you use basic authentication, the system populates the user name and password session variables, which can then be used by any other authentication actions, such as Active Directory or RADIUS.
SPNEGO/Kerberos
Use this method to retrieve user credentials through the SPNEGO/Kerberos authentication header. With the Kerberos method, the client system must be joined to a domain, and a Kerberos action follows. The Kerberos action does not run immediately; it runs only on requests from clients that request SPNEGO/Kerberos authentication. Kerberos authentication runs not only on the first request but also on subsequent requests where authentication is needed, such as on new connections. The request is validated by confirming that a valid ticket is present.
Note: You can achieve multi-domain support for Kerberos authentication through multiple virtual servers. Each server must have different access policies along with their own Kerberos configurations.

Both methods require an HTTP 401 Response action. This action selects one mechanism or the other, or both. When both are selected, the browser determines which method is performed, based on whether the client system has joined a domain. The HTTP 401 Response action has two default branches that indicate whether basic authentication or the Kerberos method was performed.

How SPNEGO/Kerberos end-user login works

The end-user login works with events happening in the following order:

  1. The client becomes a member of the domain and connects to it.
  2. The client connects to a virtual server on the BIG-IP system.
  3. The access policy runs and executes the HTTP 401 Response action.
  4. If Kerberos is available, the browser forwards the Kerberos ticket along with the request when it receives the HTTP 401 response.
  5. Access Policy Manager® validates the Kerberos ticket once the request is received, and determines whether or not to permit the request.
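The exchange above, as an added example (not code from this page or from F5): WWW-Authenticate headers equivalent to what the HTTP 401 Response action sends for the page's basic+negotiate level, and a classifier that maps the browser's Authorization header to the action's basic or negotiate branch. It also checks whether a Negotiate token actually carries a Kerberos ticket or an NTLM fallback, which the Kerberos Auth agent cannot validate because it is not a Kerberos ticket; the other auth-level strings, the realm text and the sample tokens are constructed assumptions.

```python
import base64

# Byte patterns that identify the mechanism carried inside a Negotiate token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"

def challenge_headers(auth_level="basic+negotiate", realm="APM"):
    """WWW-Authenticate headers equivalent to the HTTP 401 Response action's challenge."""
    headers = []
    if "negotiate" in auth_level:
        headers.append(("WWW-Authenticate", "Negotiate"))
    if "basic" in auth_level:
        headers.append(("WWW-Authenticate", 'Basic realm="%s"' % realm))
    return headers

def classify_authorization(header):
    """Map the browser's Authorization header to the 401 action's branch and mechanism."""
    scheme, _, payload = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":                # basic branch: credentials become session variables
        user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
        return {"branch": "basic", "username": user, "password": password}
    if scheme == "negotiate":
        token = base64.b64decode(payload)
        if NTLMSSP in token:             # NTLM fallback: no ticket; Kerberos Auth cannot validate it
            mech = "ntlm"
        elif token[:1] == b"\x60" and (KRB5_OID in token or MS_KRB5_OID in token):
            mech = "kerberos"            # GSS-API InitialContextToken carrying a Kerberos AP-REQ
        else:
            mech = "unknown"
        return {"branch": "negotiate", "mech": mech}
    return {"branch": "fallback"}        # neither scheme: the action re-challenges

# Constructed samples, not real tokens: a GSS header with the SPNEGO and Kerberos OIDs, a SPNEGO
# header wrapping an NTLMSSP signature, and a Basic header for the made-up user jdoe.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jdoe:s3cret").decode()
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    b"\x60\x20" + SPNEGO_OID + b"\xa0\x16" + KRB5_OID + b"\x01\x00AP-REQ").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"\x60\x18" + SPNEGO_OID + b"\xa0\x0e" + NTLMSSP + b"\x01\x00\x00\x00").decode()
```

An "ntlm" result on the negotiate branch is the symptom of the Intranet Site List or DNS A record being missing on the client side.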

Task summary for configuring end-user login support

To set up this configuration, perform the procedures in the task list. You can configure either the basic authentication method or the Kerberos method.

Task List

Joining a domain

The client must be joined to, and connected to, a domain if the Kerberos method is used.
  1. In the System Properties on the client machine, check that the following are set: the domain controller, the client machine, and the APM virtual server (VIP).
  2. Ensure that a user account exists in the domain.
  3. Create a keytab file on the domain controller. For example, use the ktpass utility to map the user account to the service account and generate a keytab file for the service:
     C:\> ktpass -princ HTTP/john.testbed.lab.fp.companynet.com -mapuser john -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass password -out c:\temp\john.keytab
You must now create an access policy that includes the appropriate agents.

Configuring for Kerberos authentication

  1. On the Main tab, expand Access Policy > AAA Servers. The AAA server list screen opens.
  2. From the AAA Servers by Type menu, choose the server type you want to create. A screen listing existing servers of that type opens.
  3. Type a name for the authentication server you are creating.
  4. In the Auth Realm field, type the Kerberos authentication realm name (administrative name), such as user@realm.com.
  5. In the Service Name field, type the service name, such as service name/hostname@kerberosrealm. This is used to verify incoming Kerberos token requests.
  6. In the Keytab File field, click Browse to locate your Keytab file. A keytab file contains Kerberos encrypted keys (these are derived from the Kerberos password). You can use this file to log into Kerberos without being prompted for a password.
  7. Click Finished to add the new server to the configuration, and return to the main screen.
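An added check (not code from this page or from F5) for the keytab uploaded in step 6 above and created in step 3 of "Joining a domain": it reads the MIT keytab layout that ktpass -out writes and verifies that an entry exists for exactly the principal you type in the Service Name field. The realm, kvno and key bytes in the sample are constructed assumptions; the page's ktpass command uses rc4-hmac-nt, which the check reports as a legacy enctype.

```python
import struct
LEGACY_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac-nt"}   # reported by the check

def build_keytab(entries):
    """Serialize (principal, enctype, key, kvno) tuples in the MIT keytab v0x0502 layout ktpass writes."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:                               # counted strings: uint16 length + bytes
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 3, 0, kvno & 0xFF)   # name type KRB5_NT_SRV_HST, timestamp, kvno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, kvno32
        out += struct.pack(">i", len(body)) + body    # each entry is int32 length-prefixed
    return out

def parse_keytab(data):
    """Return (principal, enctype, kvno) for every live entry in a v0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "not a version 0x0502 keytab"
    pos, found = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                                 # negative size marks a deleted slot
            pos += -size or len(data)                 # zero means nothing usable remains
            continue
        end = pos + size
        ncomp, pos, strings = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):                    # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _, _, kvno = struct.unpack_from(">IIB", data, pos)        # name type, timestamp, 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        if end - pos >= 4:                            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0]
        found.append(("/".join(strings[1:]) + "@" + strings[0], enctype, kvno))
        pos = end
    return found

def check_service_keytab(data, service_name):
    """Is there a key for the Service Name, and do those entries use legacy enctypes?"""
    matches = [e for e in parse_keytab(data) if e[0] == service_name]
    legacy = sorted(LEGACY_ENCTYPES[e[1]] for e in matches if e[1] in LEGACY_ENCTYPES)
    return {"found": bool(matches), "legacy_enctypes": legacy}

# Constructed sample: the page's ktpass principal with an assumed realm, kvno 3 and a dummy RC4 key.
SERVICE = "HTTP/john.testbed.lab.fp.companynet.com@TESTBED.LAB.FP.COMPANYNET.COM"
SAMPLE_KEYTAB = build_keytab([(SERVICE, 23, b"\x11" * 16, 3)])
```

Run check_service_keytab on the bytes of a real ktpass output file and the exact Service Name string before uploading the keytab in step 6.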

Completing the configuration for the end-user logon support

  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. Click Finished.
  5. Click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  6. Click the [+] sign anywhere in your access profile to add your new policy action item. An Add Item window opens.
  7. Under Predefined Actions, select HTTP 401 Response, and click Add item. The 401 Response Setting window opens.
    Attention: For the client browser to respond to a WWW-Authenticate: Negotiate header with a Kerberos ticket, the host or domain must be added to the Intranet Site List in Internet Explorer. The host name must also have an A record in DNS, or be added to a local hosts file.
  8. From the HTTP Auth level list, select basic+negotiate, and click Save. The HTTP 401 Response agent is added to the access policy.
  9. If you are performing basic authentication, add an authentication server agent after the basic branch.
  10. If you are performing the Kerberos authentication method, add the Kerberos Auth agent after the negotiate branch, and specify the Kerberos AAA server.
  11. Click Apply Access Policy.

Access policy example for end-user logon

This is an example of an access policy with all the elements needed to support the end-user login feature. Notice that separate branches were created to support retrieving user credentials with either basic authentication or the Kerberos method.

Note: For basic authentication, the user name and password validation occurs at session creation time. After the access policy completes, the session cookie is used to validate the session.

Note: Kerberos runs not only at access policy run time but also at any time in the session.

Figure: Example access policy for end-user login
Figure: Example of branch rule for HTTP 401 response action
Figure: Example of branch rule for Kerberos method