Forum Discussion
Dec 24, 2018
Hi Alexander,
Today I've tested Kerberos Auth with use of AES-256-CTS-HMAC-SHA1-96 encryption and it works. Here are some pointers that may help you.
Create keytab:
PS C:\Users\Administrator> ktpass -princ HTTP/host.domain.local@DOMAIN.LOCAL -mapuser f5-kerberos-auth@DOMAIN.LOCAL +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\f5-kerberos-auth.keytab
Targeting domain controller: DOMAIN-DC-01.domain.local
Successfully mapped HTTP/host.domain.local to f5-kerberos-auth.
Password successfully set!
Building salt with principalname HTTP/host.domain.local and domain DOMAIN.LOCAL (encryption type 18)...
Hashing password with salt "DOMAIN.LOCALHTTPhost.domain.local".
Key created.
Output keytab to c:\f5-kerberos-auth.keytab:
Keytab version: 0x502
keysize 85 HTTP/host.domain.local@DOMAIN.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x12 (AES256-SHA1) keylength 32 (0x84d225f16c76be4d39354ea15584e931384fe17394c5761376d4a52f96419d7d)
PS C:\Users\Administrator>
In the Windows account you have created, make sure the following setting in the Account tab under 'Account settings' is enabled:
This account supports Kerberos AES 256 bit encryption
On the BIG-IP Kerberos AAA object, under Settings I use:
SPN Format: Kerberos 5 NT Principal
Service Principal Name: HTTP/host.domain.local