Manual Chapter 26: Configuring Kerberos Delegation
The Kerberos delegation feature provides the ability to authenticate client traffic with Microsoft Windows Integrated Authentication. You can also configure cross-realm authentication if the two realms have a trust relationship.
Table 26.1 shows the infrastructure requirements for Kerberos delegation.

Table 26.1 Infrastructure requirements for Kerberos delegation

Primary domain controller (PDC)
- This Kerberos delegation scenario uses a Microsoft® primary domain controller (PDC).
- The time on the PDC must be synchronized with the time on the client and web servers. Kerberos rejects tickets whose timestamps fall outside the KDC's clock-skew tolerance (5 minutes by default), so unsynchronized clocks show up as authentication failures rather than as an obvious configuration error.
- The PDC must be a DNS server and have host records for the web servers.

Web servers
- The web servers must be set up to use Windows® Integrated Authentication with anonymous access disabled. Refer to the Microsoft documentation for more information about load balancing Kerberos web servers if you plan to set up more than one server in your server pool.
- The time on the web servers must be synchronized with the time on the client and the PDC.

BIG-IP system
- The BIG-IP system must be able to process secure (SSL) traffic between the client and its web server.
The first step for configuring the BIG-IP system for Kerberos delegation is to add the DNS server to the BIG-IP system. This section describes how to test the DNS server from the BIG-IP system, and how to add the DNS server to the BIG-IP system from either the Configuration utility or the command line interface.
Before you configure the DNS server on the BIG-IP system, you can test the DNS server(s) that you want to define on the BIG-IP system by typing the following command at the Linux prompt:
To add a DNS server using the Configuration utility
1. On the Main tab of the navigation pane, expand System, and click Configuration.
   The General screen opens.
2. From the Device menu, choose DNS.
   The DNS screen opens.
3. Locate the DNS Lookup Server List setting.
4. In the Address box, type the DNS server IP address.
5. Click Add.
6. Click Update.
For example, if you want to add the DNS name server IP addresses 192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the following command:
The local /etc/resolv.conf file is now configured with the following entries:
After you have added the DNS server to the BIG-IP system, you can add the BIG-IP system to the trusted domain. Use the domaintool command to add the BIG-IP system to the trusted domain.
You use the domaintool command to add the system to the domain, where <domainname> is the name of the domain in all uppercase letters, and <name> is the FQDN of the Kerberos Key Distribution Center (KDC). Optionally, you can use the IP address of the KDC. The command syntax is:
If you are setting up cross-domain authentication, use the --dnsdomain option to this command. All hosts found in a certain DNS domain are automatically in the correct Kerberos realm. Use the domaintool --add command for each realm that the BIG-IP system may contact.
Now that the BIG-IP system is configured with the domains it may contact, you must use the domaintool command to create service principals within the domain. These service principals are named after the FQDN of the virtual servers you create:
This command prompts you for a password. Typically, the value of the admin_principal argument is administrator; however, you can use any administrator name. The host argument specifies the FQDN of the virtual server you configure for traffic. Run this command for each virtual server you plan to configure.
Now that you have added the DNS server to the BIG-IP system, and the BIG-IP system to the domain, you need to create a Kerberos delegation configuration. This section describes how to create a Kerberos delegation configuration from the Configuration utility (following) or from the command line interface (see Configuring Kerberos delegation from the command line).
Important: The Kerberos delegation profile includes a set-cookie operation. The cookie represents the client's authenticated session, so an attacker who intercepts the Set-Cookie header can present the cookie and impersonate that user. To prevent this, always use the Kerberos Delegation profile in conjunction with a Client SSL profile, so that the cookie is only ever carried over an encrypted connection.
This section provides all procedures for configuring Kerberos delegation, using the Configuration utility. For the procedures on configuring Kerberos delegation using the command line interface, see Configuring Kerberos delegation from the command line.
To create a Kerberos delegation configuration object
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
   The Profiles screen opens.
2. From the Authentication menu, choose Configurations.
   The Authentication Configurations screen opens.
3. In the upper-right corner of the screen, click Create.
   The New Authentication Configuration screen opens.
4. For the Name setting, type a unique name for the configuration object, such as my_kerberos_config.
   Note: Any alphabetic characters in the name must be lowercase.
5. For the Type setting, select Kerberos Delegation.
   The screen expands to show several settings.
6. In the Client Principal Name box, type the client principal name.
   The client principal name is the name of the virtual server on the BIG-IP system. Use the following format, where <name> is the admin_principal name that you previously added to the domain:
7. In the Server Principal Name box, type the server principal name.
   The server principal name is the name of the web server. Use the following format, where <FQDN> is the fully-qualified domain name of the web server in the pool:
8. Click Finished.
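The configuration object above takes two principal names, and the domaintool steps earlier in this chapter require the realm in upper case. The following Python helpers are an added example, not code from this manual or from F5: they build the server principal for each web server in the pool and lint principal names before you type them into the Configuration utility. They assume the standard Kerberos conventions (primary/instance@REALM, the HTTP service class that browsers request for Negotiate/Kerberos, an upper-case realm); the exact client principal format from this page is not reproduced, and the host names and the EXAMPLE.COM realm are constructed sample data.

```python
"""Build and check the Kerberos principal names used in the BIG-IP Kerberos
delegation configuration object.

Added example, not F5 code. It applies the standard Kerberos conventions:
a principal is primary[/instance]@REALM, the realm is upper case (as the
domaintool steps require), and a web server's service principal uses the
HTTP service class that browsers request for Negotiate/Kerberos.
"""
import re

_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^/@\s]+))?@(?P<realm>[^@\s]+)$"
)
# Lower-case fully-qualified host name: dotted labels of letters, digits and hyphens.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_principal(name):
    """Split 'primary[/instance]@REALM' into its parts; ValueError if malformed."""
    m = _PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError(f"not of the form primary[/instance]@REALM: {name!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def server_principal(web_server_fqdn, realm):
    """Server principal for one pool member: HTTP/<fqdn>@REALM.

    The FQDN is normalised to lower case without a trailing dot so it matches
    the name the browser resolves; the SPN must also be registered in Active
    Directory on the web server's computer or service account.
    """
    fqdn = web_server_fqdn.lower().rstrip(".")
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"{web_server_fqdn!r} is not a fully-qualified host name")
    return f"HTTP/{fqdn}@{realm.upper()}"


def pool_server_principals(web_server_fqdns, realm):
    """One server principal per web server in the pool."""
    return [server_principal(h, realm) for h in web_server_fqdns]


def lint_principal(name, expected_realm=None, expect_service=None):
    """Return the problems found in a principal name (an empty list means it looks right).

    expected_realm: the realm configured with domaintool, e.g. 'EXAMPLE.COM'.
    expect_service: 'HTTP' for a server principal; None for a user principal.
    """
    try:
        primary, instance, realm = parse_principal(name)
    except ValueError as err:
        return [str(err)]
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} must be all upper case")
    if expected_realm is not None and realm != expected_realm:
        problems.append(f"realm {realm!r} does not match the configured realm {expected_realm!r}")
    if expect_service is not None:
        if primary != expect_service:
            # Active Directory matches SPNs case-insensitively; other KDCs do not.
            problems.append(f"service class {primary!r} should be {expect_service!r}")
        if instance is None:
            problems.append("service principal has no host instance (expected HTTP/<fqdn>@REALM)")
        elif not _FQDN_RE.match(instance.lower()):
            problems.append(f"instance {instance!r} is not a fully-qualified host name")
        elif instance != instance.lower():
            problems.append(f"instance {instance!r} should be the lower-case DNS name")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a two-member pool in the EXAMPLE.COM realm.
    realm = "EXAMPLE.COM"
    for spn in pool_server_principals(["web1.example.com", "Web2.Example.com."], realm):
        print(spn, lint_principal(spn, realm, "HTTP"))
    for bad in ["http/web1.example.com@example.com", "HTTP/web1@EXAMPLE.COM", "web1.example.com"]:
        print(bad, "->", lint_principal(bad, realm, "HTTP"))
```

Run lint_principal over every name before saving the configuration object; a lower-case realm or a short host name in the server principal is not rejected by the Configuration utility, but the KDC will refuse to issue a ticket for it and the failure only appears when a client tries to authenticate.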
To create a Kerberos delegation profile
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
   The Profiles screen opens.
2. From the Authentication menu, choose Profiles.
   The Authentication Profiles screen opens.
3. In the upper-right corner of the screen, click Create.
   The New Authentication Profile screen opens.
4. For the Name setting, type a unique name for the profile, such as my_kerberos_profile.
   Note: Any alphabetic characters in the name must be lowercase.
5. For the Type setting, select Kerberos Delegation.
   The screen expands to show several settings.
6. For the Cookie Name setting, type a unique name.
7. For the Cookie Key setting, type a strong password.
   Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
8. Click Finished.
To create a Client SSL profile
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
   A list of profiles displays.
2. From the SSL menu, choose Client.
   The list of existing SSL profiles displays.
3. In the upper-right corner of the screen, click Create.
   The New Client SSL Profile screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a profile.
4. In the Name box, type a unique name for the profile.
6. From the Certificate list, select the name of an existing certificate.
   Note: Use a certificate whose subject matches the FQDN by which clients reach the virtual server. If the name does not match, browsers warn the user before sending any credentials, and users learn to click through exactly the warning that protects the delegation cookie.
7. From the Key list, select the name of an existing key.
To create a pool of web servers
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
   The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
   The New Pool screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. From the Configuration list, select Advanced.
4. For the Name setting, type a name for the pool, such as webserverpool.
5. For the New Members setting, add the IP address and port for each of the web servers in the Kerberos delegation infrastructure.
6. Click Finished.
To create a virtual server and add the Kerberos delegation and Client SSL profiles to the virtual server
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
   The Virtual Servers screen opens.
2. In the upper-right corner of the screen, click Create.
   The New Virtual Server screen opens.
3. For the Name setting, type a unique name for the virtual server, such as my_kerberos_virtual.
4. For the Destination setting, click Host and type an IP address.
5. For the Service Port setting, type 80, or from the service list, select HTTP.
   Note: Because this virtual server carries a Client SSL profile (step 10), clients must connect to it over SSL. Browsers negotiate SSL only for https:// URLs, so if users are to reach the virtual server with a standard https:// address, use service port 443 (HTTPS) here instead. The pool members can still listen on port 80: the BIG-IP system decrypts the client connection and forwards plain HTTP to the pool.
6. From the Configuration list, select Advanced.
7. For the Type setting, select Standard.
8. For the Protocol setting, select TCP.
9. For the HTTP Profile setting, select http.
10. From the SSL Profile (Client) list, select the name of the Client SSL profile you created previously.
11. For the Authentication Profiles setting, use the Move button (<< or >>) to enable the profile you created for Kerberos delegation.
12. In the Resources area of the screen, from the Default Pool list, select the pool you created that contains the web servers.
13. Click Finished.
This section describes how to configure Kerberos delegation from the command line, using the bigpipe utility. To configure Kerberos delegation using the Configuration utility, see Configuring Kerberos delegation using the Configuration utility.
Be sure to set a cookie name and a strong password for the cookie encryption key on the profile. In this example, the cookie name is kerbc. The key in the example (also kerbc) is a placeholder only: never reuse the cookie name, the default value, or any other guessable string as the key; generate a long random value for each profile.
Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
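The note above, and the same note in the Configuration utility procedure for the Kerberos delegation profile, warn that anyone who knows the cookie key can impersonate trusted users. The following Python script is an added example, not F5 code: the BIG-IP cookie format and cipher are not shown on this page, so it models the delegation cookie generically as a payload (user and issue time) protected by a keyed MAC (HMAC-SHA256) rather than by the BIG-IP's encryption. The cookie layout, the key kerbc as a stand-in for a default or guessable key, and the user names are constructed. It shows that whoever knows the key can mint a cookie that the verifier accepts for any user, and that re-keying the profile with a random value defeats cookies forged under the old key.

```python
"""Why the Kerberos delegation profile's Cookie Key must not stay at its default.

Added example, not F5 code. The BIG-IP cookie format and cipher are not shown
on the page, so the delegation cookie is modelled here as a payload (user and
issue time) protected by a keyed MAC (HMAC-SHA256). The threat is the same as
for an encryption key: whoever knows the key can mint a cookie for any user.
"""
import base64
import hashlib
import hmac
import secrets
import time

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes of MAC at the end of each cookie
DEFAULT_KEY = b"kerbc"                   # constructed stand-in for a guessable/default key
MAX_AGE = 3600                           # seconds a cookie stays valid after issue


def make_cookie(user, key, issued_at=None):
    """Mint an authenticated cookie: base64(payload || HMAC(key, payload))."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    payload = f"{user}|{issued_at}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def verify_cookie(cookie, key, now=None, max_age=MAX_AGE):
    """Return the user the cookie names if it is authentic and fresh, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
        if len(raw) <= TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        user, issued_at = payload.decode("utf-8").split("|")
        issued_at = int(issued_at)
    except (ValueError, UnicodeError):          # malformed base64, payload or timestamp
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if not 0 <= now - issued_at <= max_age:     # reject stale or future-dated cookies
        return None
    return user


def new_cookie_key():
    """A key of the strength the manual asks for: 32 random bytes, hex-encoded for typing into the profile."""
    return secrets.token_hex(32).encode("ascii")


def forgery_demo(now=1_700_000_000):
    """The attack: a cookie for 'administrator' minted with the known default key.

    Returns (user accepted while the profile still uses DEFAULT_KEY,
             user accepted after the profile is re-keyed with a random key).
    """
    forged = make_cookie("administrator", DEFAULT_KEY, issued_at=now)
    accepted_default = verify_cookie(forged, DEFAULT_KEY, now=now)
    accepted_random = verify_cookie(forged, new_cookie_key(), now=now)
    return accepted_default, accepted_random


if __name__ == "__main__":
    on_default, on_random = forgery_demo()
    print("profile on default key   -> forged cookie accepted as:", on_default)
    print("profile on random key    -> forged cookie accepted as:", on_random)
    print("example key for the profile:", new_cookie_key().decode("ascii"))
```

The second value returned by forgery_demo is the point of the note: once the profile carries a key the attacker cannot guess, a cookie forged under the default is rejected before any user name is trusted. The freshness check is a reminder that even a well-keyed cookie should not be valid indefinitely, since an intercepted one is otherwise a permanent credential.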
The next task in configuring Kerberos delegation is to create a Client SSL profile. Type the profile clientssl command as follows:
After you create the configuration object and the profile for the Kerberos delegation configuration, create a pool of web servers using the following command, where <ip addr> is the IP address of the web server:
To complete the configuration of the BIG-IP system for Kerberos delegation, create the virtual server for the configuration.
Type the following command to create the virtual server, where <ip addr>:http is the virtual server address, webserverpool is the pool of web servers, my_clientssl_profile is the Client SSL profile you created, and my_kerberos_profile is the profile you created for Kerberos delegation:

virtual my_kerberos_virtual {
   snat automap
   pool webserverpool
   destination <ip addr>:http
   ip protocol tcp
   profiles http tcp my_clientssl_profile
   auth my_kerberos_profile
}

Note: As in the Configuration utility procedure, clients must connect to this virtual server over SSL because it carries a Client SSL profile; use <ip addr>:https if browsers are to reach it with a standard https:// URL. With snat automap, the web servers see connections from a BIG-IP self IP address rather than from the client, so client IP addresses do not appear in the web server logs unless you pass them some other way (for example, by inserting an X-Forwarded-For header in the HTTP profile).
After the network is configured, and the BIG-IP system is configured, Kerberos delegation authenticates clients. Figure 26.1 shows how client authentication works with Kerberos delegation.
2. The client browser connects to the BIG-IP virtual server and passes Windows Integrated Authentication credentials, as well as SSL credentials.
3. The BIG-IP system verifies the credentials and uses those credentials to fetch credentials from domain 2 on behalf of the user from domain 1.