Applies To:

Show Versions Show Versions

Manual Chapter: Kerberos Authentication with End-User Logons
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About basic authentication and Kerberos end-user logon

Access Policy Manager® provides an alternative to the current form-based login authentication method. This alternative method uses a browser login box that is triggered by an HTTP 401 response to collect credentials. A SPNEGO/Kerberos or basic authentication challenge can generate a HTTP 401 response.

This option is useful when a user is already logged in to the local domain and you want to avoid submitting an APM HTTP form for collecting user credentials. The browser automatically submits credentials to the server and bypasses the login box to collect the credentials again.

Note: Because SPNEGO/Kerberos is a request-based authentication feature, the authentication process is different from other authentication methods, which run at session creation time. SPNEGO/Kerberos authentication can occur at any time during the session.

The benefits of this feature include:

  • Provides flexible login mechanism instead of restricting you to use only the form-based login method.
  • Eliminates the need for domain users to explicitly type login information again to log in to Access Policy Manager.
  • Eliminates the need for user password transmission with Kerberos method.
Important: Administrators should not turn off the KeepAlive setting on the web server because turning that setting off might interfere with Kerberos authentication.

How does end-user logon work?

To retrieve user credentials for end-user logon, you can use basic authentication or SPEGNO/Kerberos methods or both.

Basic authentication
Use this method to retrieve user credentials (user name and password) from a browser. You can think of this method as a replacement for form-based authentication used by the standard login screen. If you use basic authentication, the system populates the user name and password session variables, which can then be used by any other authentication actions, such as Active Directory or RADIUS.
SPNEGO/Kerberos
Use this method to retrieve user credentials through SPNEGO/Kerberos authentication header. With the Kerberos method, the client system must first join a domain and a Kerberos action must follow. The Kerberos action does not run immediately; it runs only when clients request SPNEGO/Kerberos authentication. By default, Kerberos authentication runs not only on the first request, but also on subsequent requests where authentication is needed, such as for new connections. Access Policy Manager® validates the request by confirming that a valid ticket is present.
Note: You can disable Kerberos per request-based authentication in the AAA Kerberos server configuration in APM™. If you disable it, authentication occurs while the access policy runs and subsequent authentications do not occur. In that case, end-user logon does not occur.
Note: You can achieve multi-domain support for Kerberos authentication through multiple virtual servers. Each virtual server must have its own access policy and its own Kerberos configuration.

Both methods require that an HTTP 401 Response action item be configured in the access policy and that the authentication method be specified in the action item. In cases where both methods are selected, the browser determines which method to perform based on whether the system has joined a domain. The HTTP 401 Response action has two default branches to indicate whether basic authentication or Kerberos method is performed.

How SPNEGO/Kerberos end-user logon works How SPNEGO/Kerberos end-user login works

The end-user logon works with events happening in this order:

  • The client becomes a member and connects to the domain.
  • The client connects to a virtual server on the BIG-IP® system.
  • The access policy runs and issues a 401 HTTP request action.
  • If Kerberos is present, the browser forwards the Kerberos ticket along with the request when it receives the 401 HTTP request.
  • Access Policy Manager validates the Kerberos ticket after the request is received and determines whether or not to permit the request.

About Kerberos authentication requirements

To configure Kerberos authentication, you must meet specific configuration requirements as described here.

Virtual server
The virtual server IP address and host name are necessary to configure DNS.
DNS configuration
Make sure you have the zone file and PTR record for the virtual server IP address. For example: testbed.lab.companynet 10.10.4.100
Browser configuration
Configure the browser to use Kerberos. Typically, Internet Explorer is already configured for Kerberos; however, you might need to configure it for trusted sites. To use Firefox, you must configure it for negotiate authentication.

Task summary for configuring end-user login support

To set up this configuration, perform the procedures in the task list. You can configure end-user logon support with Basic authentication or Kerberos method or both.

Task list

Joining a domain

To use Kerberos authentication, you need the client joined and connected to a domain and you need a keytab file.
  1. Create a surrogate user in the domain. In this example, the hostname of the virtual server on the BIG-IP system is testbed.lab.companynet and the user name is john. setspn -U -A HTTP/testbed.lab.companynet john
  2. Map the user account to the service account and generate a keytab file for the service. You can use the ktpass utility to do this. In this example, LAB.COMPANYNET specifies the Kerberos authentication realm. c:>ktpass -princ HTTP/testbed.lab.companynet.com@LAB.COMPANYNET -mapuser john@LAB.COMPANYNET -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass password -out c:\temp\john.keytab

Configuring an AAA server for Kerberos authentication

Configure a Kerberos AAA server so that you can add it to a Kerberos authentication action in an access policy.
  1. On the Main tab, click Access Policy > AAA Servers > Kerberos. The Kerberos Servers list screen opens.
  2. Click Create. The New Server properties screen opens.
  3. In the Name field, type a unique name for the authentication server.
  4. In the Auth Realm field, type a Kerberos authentication realm name (administrative name), such as LAB.COMANYNET. Type the realm name all uppercase; it is case-sensitive.
  5. In the Service Name field, type a service name; for example, HTTP.
  6. In the Keytab File area, click Choose File to locate and upload the keytab file. A keytab file contains Kerberos encrypted keys (these are derived from the Kerberos password). You can use this file to log into Kerberos without being prompted for a password.
  7. Click Finished to add the new server to the configuration, and return to the main screen.

Creating an access profile with default settings

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  5. Click Finished.
The access profile now shows up in the Access Profiles List.

Configuring an access policy for end-user logon support

Configure an access policy like this one to handle basic and SPEGNO/Kerberos authentication challenges without submitting an Access Policy Manager® HTTP form to collect user credentials.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing Predefined Actions that are grouped by General Purpose, Authentication, and so on.
  4. Under General Purpose, select HTTP 401 Response, and click Add item. A properties screen opens.
  5. In the 401 Response Setting area from the HTTP Auth Level list, select basic+negotiate, and click Save. The HTTP 401 Response agent is added to the access policy with
  6. To perform basic authentication, add an authentication server agent after the Basic branch.
  7. To use the Kerberos authentication method:
    1. Add the Kerberos Auth agent after the Negotiate branch.
    2. On the Kerberos Auth agent properties screen, specify the Kerberos AAA server.
  8. Specify the appropriate endings on each branch.
  9. Click Apply Access Policy.
For an access policy to go into effect, you must add the corresponding access profile to the virtual server.

Access policy example for end-user login

This is an example of an access policy with all the associated elements needed to successfully support the end-user login feature. Notice that separate branches were created to support using either basic authentication or Kerberos method to retrieve user credentials.

Note: For basic authentication, the user name and password validation occurs at the session creation time. After the access policy completes, the session cookie is used to validate the session.
Note: By default, Kerberos runs not only at the access policy run time but also at any time in the session.
How OCSP worksExample access policy for end-user login
Example of branch rule for HTTP 401 ResponseExample properties for an HTTP 401 response action
Example of branch rule for KerberosExample properties for a Kerberos Auth action on the Negotiate branch

Kerberos authentication troubleshooting tips

You might choose to verify Kerberos authentication configurations in some instances. Use these troubleshooting tips to help resolve any issues you might encounter.

Verify the keytab file

From the command line, use the klistcommand as shown in this example.

Important: The command must be typed on one line.
klist -ke WRFILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/\:Common\:SUN-SPNEGO-APM106_key_file_2

The output for the example contains information like this.

Keytab name: FILE:/config/filestore/files_d/Common_d/kerberos_keytab_file_d/:Common:SUN-SPNEGO-APM106_key_file_2 KVNO Principal 3 HTTP/apm106.labt.companynet.com@labt.companynet.com(arcfour-hmac)

Verify Kerberos delegation

From the command line, use the kinit command, as shown in this example.kinit HTTP/apm106.labt.companynet.com@labt.companynet.com You are prompted for a password and should receive a ticket (no output, no error).

Verify ticket

From the command line type: klist. Here is sample output: /etc/krb5.conf

Capture a TCP dump

Make sure the client sends the ticket to the BIG-IP® system; this verifies that the client setup is successful.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)