Manual Chapter: Configuring Kerberos Delegation
The BIG-IP® Kerberos delegation module essentially acts as a proxy for Kerberos credentials. The module obtains delegated Kerberos credentials for the client principal and a service ticket for the server-side principal. Doing so reduces network traffic between the client and the Kerberos server after the initial authentication is complete.
For networks where all the client workstations are inside the domain, the module's default behavior is to use standard Kerberos delegation. In this configuration, the browser supplies the module with a copy of the user's Ticket Granting Ticket (TGT). The module then uses this TGT to get service tickets for services on the other side of the BIG-IP system.
The protocol transition feature, which is turned on by enabling the protocol transition setting, is used for networks where clients are not in the domain (for example, laptops in hotel rooms). In this mode, the client's browser is authenticated by a client certificate, and the module makes Kerberos service ticket requests on the client's behalf. In this model, the BIG-IP system can only make service requests to specific services. This model is also called constrained delegation.
Table 26.1 shows the infrastructure requirements for Kerberos delegation.
This Kerberos delegation scenario uses a Microsoft® primary domain controller (PDC) or Active Directory FSMO role named PDC emulator master.
The time on the PDC must be synchronized with the time on the client and web servers.
The DNS server must have knowledge of the domain's web servers and virtual servers.
The key distribution center (KDC) is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).
The key distribution center usually is the PDC, but it can also be a standalone server in some networks.
The client must be using Windows Internet Explorer version 6.x or later with support for SSL certificates.
For user access, client machines can use either username and password or the Department of Defense (DoD) Common Access Card (CAC) and password.
A Microsoft Windows Server® 2003 (or later) Active Directory server (ADS) must be in the same domain as the BIG-IP system, configured with the Kerberos protocol transition and protocol transition extensions initiated, and running in Windows Server 2003 mode to enable protocol transition.
All servers within the domain must be set up to use Windows® Integrated Authentication with anonymous access disabled. Please refer to the Microsoft documentation for more information about load balancing Kerberos web servers if you plan to set up more than one server in your server pool.
The time on the web server must be synchronized with the time on the client and PDC.
The BIG-IP® system must be in a domain with the PDC.
The Advanced Client Authentication Module should be installed on all BIG-IP systems that check for valid Online Certificate Status Protocol (OCSP) certificates.
The BIG-IP system must be able to process secure traffic between the client and its web server.
Note: All remote authentication servers must reside in route domain 0. For information on route domains, see the TMOS® Management Guide for BIG-IP® Systems.
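The requirements above (lowercase object names, a KDC that resolves both forward and reverse, DNS knowledge of the virtual server and pool members, clocks in sync with the PDC, and a client certificate whenever protocol transition is used) can be checked before any BIG-IP configuration is attempted. The following is an added pre-flight checker, not F5's own code; the DNS tables, host names, the 5-minute skew tolerance and the sample plan are constructed assumptions, and on a live system the tables would be replaced by real lookups.

```python
from datetime import datetime, timedelta, timezone

# Constructed DNS tables standing in for the domain's DNS server (assumption).
FORWARD = {"kdc.example.com": "192.168.10.5",      # KDC / PDC
           "kerb.example.com": "192.168.10.50",    # BIG-IP virtual server
           "web01.example.com": "192.168.10.40"}   # web server in the pool
REVERSE = {"192.168.10.5": "kdc.example.com", "192.168.10.50": "kerb.example.com"}
# Assumption: tolerate 5 minutes of skew; the page only says clocks must be synchronized.
MAX_SKEW = timedelta(minutes=5)


def resolves_both_ways(fqdn, forward=FORWARD, reverse=REVERSE):
    """Return None if forward and reverse records exist and agree, else the reason."""
    ip = forward.get(fqdn.lower())
    if ip is None:
        return "no forward record for %s" % fqdn
    back = reverse.get(ip)
    if back is None:
        return "no reverse record for %s" % ip
    if back.lower() != fqdn.lower():
        return "reverse record for %s is %s, not %s" % (ip, back, fqdn)
    return None


def preflight(plan, forward=FORWARD, reverse=REVERSE):
    """Return the requirements the plan violates; an empty list means ready to configure."""
    problems = []
    for key in ("config_name", "profile_name"):  # object names must be lowercase
        if plan[key] != plan[key].lower():
            problems.append("%s must be lowercase: %s" % (key, plan[key]))
    err = resolves_both_ways(plan["kdc"], forward, reverse)  # KDC: name and address
    if err:
        problems.append("KDC: " + err)
    for host in [plan["virtual_fqdn"]] + plan["webservers"]:  # DNS must know both
        if host.lower() not in forward:
            problems.append("DNS has no record for %s" % host)
    for name, clock in plan["clocks"].items():  # client and web servers vs. the PDC
        if abs(clock - plan["pdc_time"]) > MAX_SKEW:
            problems.append("clock on %s is out of sync with the PDC" % name)
    if plan["protocol_transition"] and plan["client_cert"] != "require":
        problems.append("protocol transition requires Client Certificate = Require")
    return problems


# Constructed sample plan that satisfies every check against the tables above.
PDC_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PLAN = {"config_name": "my_kerberos_config", "profile_name": "my_kerberos_profile",
               "kdc": "kdc.example.com", "virtual_fqdn": "kerb.example.com",
               "webservers": ["web01.example.com"], "pdc_time": PDC_TIME,
               "clocks": {"client": PDC_TIME + timedelta(seconds=30), "web01": PDC_TIME},
               "protocol_transition": True, "client_cert": "require"}
```

The same forward/reverse check applies when domaintool refuses to join the domain later in this chapter: the KDC is the first host to run it against.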
The first step for configuring the BIG-IP system for Kerberos delegation is to add the DNS server to the BIG-IP system. This section describes how to test the DNS server from the BIG-IP system, and how to add the DNS server to the BIG-IP system from either the Configuration utility or the command line interface.
Before you configure the DNS server on the BIG-IP system, you can test the DNS server(s) that you want to define on the BIG-IP system by typing the following command at the command prompt:
1.
On the Main tab of the navigation pane, expand System, and click Configuration.
The General screen opens.
2.
From the Device menu, choose DNS.
The DNS screen opens.
3.
Locate the DNS Lookup Server List setting.
4.
In the Address box, type the DNS server IP address.
5.
Click Add.
6.
Click Update.
For example, if you want to add the DNS name server IP addresses 192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the following command:
The local /etc/resolv.conf file is now configured with the following entries:
1.
At the tmsh prompt, define the DNS server(s) on the BIG-IP system by typing the following command:
For example, if you want to add the DNS name server IP addresses 192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the following command:
Important: Before going any further, you should synchronize the BIG-IP clock with the PDC using NTP. For details on how to set NTP on BIG-IP, see the TMOS® Management Guide for BIG-IP® Systems.
After you have added the DNS server to the BIG-IP system, you can add the BIG-IP system to the trusted domain. Use the domaintool command to add the BIG-IP system to the trusted domain.
You use the domaintool command to add the system to the domain, where <domainname> is the name of the domain in all-uppercase letters, and <name> is the fully-qualified domain name (FQDN) of the Kerberos Key Distribution Center (KDC). Optionally, you can use the IP address of the KDC. The command syntax is:
If you are setting up cross-domain authentication, use the --dnsdomain option to this command. All hosts found in a certain DNS domain are automatically in the correct Kerberos realm. Use the domaintool --add command for each realm that the BIG-IP system may contact. Run this command once for each domain the BIG-IP is joining.
Now that the BIG-IP system is configured with the domains it may contact, you must use the domaintool command to create service principals within the domain. These service principals are named after the FQDN of the virtual servers you create:
This command prompts you for a password. Typically, the value of the admin_principal argument is administrator; however, you can use any administrator name. The host argument specifies the FQDN of the virtual server you configure for traffic. Run this command for each virtual server you plan to configure.
The KDC must be resolvable by both name and address (forward and reverse). If domaintool does not allow your BIG-IP system to join the trusted domain, check the following:
Now that you have added the DNS server to the BIG-IP system, and the BIG-IP system to the domain, you need to create a Kerberos delegation configuration. This section describes how to create a Kerberos delegation configuration from the Configuration utility (following), from the command line interface (see Configuring Kerberos delegation from the command line), or using the TMOS shell (see Configuring Kerberos delegation using tmsh).
Important: The Kerberos delegation profile includes a set-cookie operation, which makes the cookie valuable if intercepted. To ensure that an attacker cannot intercept this set-cookie header, use a Client SSL profile in conjunction with the Kerberos delegation profile. The Client SSL profile is absolutely required for protocol transition to function correctly because a client certificate is mandatory.
This section provides all procedures for configuring Kerberos delegation, using the Configuration utility. For the procedures on configuring Kerberos delegation using the command line interface, see Configuring Kerberos delegation from the command line.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose Configurations.
The Authentication Configurations screen opens.
3.
In the upper-right corner of the screen, click Create.
The New Authentication Configuration screen opens.
4.
For the Name setting, type a unique name for the configuration object, such as my_kerberos_config.
Note: Any alphabetic characters in the name must be lowercase.
5.
For the Type setting, select Kerberos Delegation.
The screen expands to show several settings.
6.
In the Client Principal Name box, type the client principal name.
The client principal name is the name of the virtual server on the BIG-IP system. Use the following format, where <FQDN> is the fully-qualified domain name of the virtual server that you previously added to the domain:
7.
In the Server Principal Name box, type the server principal name.
The server principal name is the name of the web server. Use the following format, where <FQDN> is the fully-qualified domain name of the web server in the pool:
8.
Click Finished.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The Profiles screen opens.
2.
From the Authentication menu, choose Profiles.
The Authentication Profiles screen opens.
3.
In the upper right corner of the screen, click Create.
The New Authentication Profile screen opens.
4.
For the Name setting, type a unique name for the configuration object, such as my_kerberos_profile.
Note: Any alphabetic characters in the name must be lowercase.
5.
For the Type setting, select Kerberos Delegation.
The screen expands to show several settings.
6.
For the Cookie Name setting, type a unique name.
7.
For the Cookie Key setting, type a strong password.
Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
8.
Click Finished.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
A list of profiles displays.
2.
From the SSL menu, choose Client.
The list of existing SSL profiles displays.
3.
In the upper-right corner of the screen, click Create.
The New Client SSL Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a profile.
4.
In the Name box, type a unique name for the profile.
5.
To the far right side of Configuration, click the Custom box.
6.
From the Certificate list, select the name of an existing certificate.
7.
From the Key list, select the name of an existing key.
8.
To the far right side of Client Authentication, click the Custom box.
9.
From the Client Certificate list, select Require.
10.
From the Frequency list, select Once.
11.
In the Certificate Chain Traversal Depth box, enter 9.
12.
From the Advertised Certificate Authorities list, select your certificate name.
13.
In the Certificate Revocation List (CRL) box, enter the location of the CRL file.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
The Pools screen opens.
2.
In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3.
From the Configuration list, select Advanced.
4.
For the Name setting, type a name for the pool, such as webserverpool.
5.
For the New Members setting, add the IP address and port for each of the web servers in the Kerberos delegation infrastructure.
6.
Click Finished.
To create a virtual server and add the Kerberos delegation and Client SSL profiles to the virtual server
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Servers screen opens.
2.
In the upper-right corner of the screen, click Create.
The New Virtual Server screen opens.
3.
For the Name setting, type a unique name for the virtual server, such as my_kerberos_virtual.
4.
For the Destination setting, click Host and type an IP address.
5.
For the Service Port setting with HTTP profiles, type 80, or from the service list, select HTTP.
If you are using a Client SSL profile, type 443, or from the service list, select HTTPS.
6.
From the Configuration list, select Advanced.
7.
For the Type setting, select Standard.
8.
For the Protocol setting, select TCP.
9.
For the HTTP Profile setting, select http.
10.
From the SSL Profile (Client) list, select the name of the Client SSL profile you created previously.
11.
For the Authentication Profiles setting, use the Move button (<< or >>) to enable the profile you created for Kerberos delegation.
12.
In the Resources area of the screen, from the Default Pool list, select the pool you created that contains the web servers.
13.
Click Finished.
This section describes how to configure Kerberos delegation from the command line, using the bigpipe utility. To configure Kerberos delegation using the Configuration utility, see Configuring Kerberos delegation using the Configuration utility.
Be sure to set a cookie name and strong password for the cookie encryption key on the profile. In this example, the cookie name is kerbc and the key is kerbpwd.
Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
The next task in configuring Kerberos delegation is to create a Client SSL profile. Type the profile clientssl command as follows:
After you create the configuration object and the profile for the Kerberos delegation configuration, create a pool of web servers using the following command, where <ip addr> is the IP address of the web server:
Use the following command to create the virtual server, where <ip addr>:https is the virtual server address, webserverpool is the pool of web servers, my_clientssl_profile is the Client SSL profile you created, and my_kerberos_profile is the profile you created for Kerberos delegation:
virtual my_kerberos_virtual { snat automap pool webserverpool destination <ip addr>:https ip protocol tcp profiles http tcp my_clientssl_profile auth my_kerberos_profile }
To complete the configuration of the BIG-IP system for Kerberos delegation, enable the virtual server for the configuration.
Configuring Kerberos delegation using tmsh
Note: All tmsh command examples in this section require you to be at the tmsh prompt: (tmos.ltm.auth)# in the ltm auth module unless otherwise noted. For more information on working with tmsh, see the Traffic Management Shell (tmsh) Reference Guide.
Within the tmsh ltm auth module, type the following command to create the Kerberos delegation configuration object:
create kerberos-delegation my_kerberos_config client-principal "HOST/<fqdn>" server-principal "HTTP/<fqdn>" protocol-transition enabled debug-logging enabled
Note: Refer to the Traffic Management Shell (tmsh) Reference Guide for kerberos-delegation component options.
Be sure to set a cookie name and strong password for the cookie encryption key on the profile. In this example, the cookie name is kerbc and the key is kerbpwd.
Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
The next task in configuring Kerberos delegation is to create a Client SSL profile. Within the ltm profile module, type the create client-ssl command as follows:
Note: Refer to the Traffic Management Shell (tmsh) Reference Guide for client-ssl component options.
Important: You should require a client certificate only if using protocol transition.
After you create the configuration object and the profile for the Kerberos delegation configuration, create a pool of web servers using the following command in the ltm module, where <ip addr> is the IP address of the web server:
Type the following command to create the virtual server, where <ip addr>:https is the virtual server address, webserverpool is the pool of web servers, my_clientssl_profile is the Client SSL profile you created, and my_kerberos_profile is the profile you created for Kerberos delegation:
create virtual my_kerberos_virtual snat automap pool webserverpool destination <ip addr>:https ip-protocol tcp profiles add {my_clientssl_profile auth my_kerberos_profile }
To complete the configuration of the BIG-IP system for Kerberos delegation, enable the virtual server for the configuration.
After the network is configured, and the BIG-IP system is configured, Kerberos delegation authenticates clients as a proxy server for Kerberos credentials or with Kerberos protocol transition.
Figure 26.1 shows how client authentication works using the BIG-IP system as a proxy server for Kerberos credentials.
2.
The client browser connects to the BIG-IP virtual server and passes Windows Integrated Authentication credentials, as well as SSL credentials, to the Kerberos server.
3.
The Kerberos server authenticates the user and passes the session credentials to the BIG-IP system where they are stored in a credential cache as long as the client is logged into the BIG-IP system.
4.
For the rest of the session, the BIG-IP system acts as a proxy server for credentials requested by other servers within the single domain.
Figure 26.2 shows how client authentication works with a constrained Kerberos delegation.
The type of delegation your BIG-IP system supports requires specific property settings on the Active Directory server, depending on the service your BIG-IP system provides. Both settings are found under the Delegation tab of the Active Directory Properties window.
If you are using the BIG-IP Kerberos delegation mode, select the Trust this computer for delegation to any service (Kerberos only) option.
If you are using the protocol transition mode, select the Trust this computer for delegation to specified services only option, and then you MUST select the Use any authentication protocol option, as shown in Figure 26.3.