WUM_113639
Feb 23, 2016

APM Kerberos SSO between front-end and back-end servers

Hi,

We have a requirement, where a customer wants to use F5 APM Kerberos SSO to authenticate user sessions between WebServer (not Sharepoint) and DB & Reporting Servers.

F5 APM authenticates the user initially and using Kerberos SSO feature, it has to delegate the SSO authentication to the WebServer, so that the authentication between the WebServer & SQL DB is also done using the same user (not anonymous) and likewise authentication between WebServer and ReportingServer.

Kerberos SSO is working internally using AD infrastructure but we have to make it work for the public users via APM.

I have uploaded an image for more clarification on what we are trying to achieve.

2 Replies

  • Your image is missing, but I think I understand what you're talking about. If I'm correct, you need to do APM Kerberos to the web server AND Kerberos from the web server to the backend server (using the same account). Yes?

    If so, that's actually pretty straightforward and it's called a Kerberos delegation "double hop". Very simply, in order for Kerberos to "hop" from front to back, and in a delegated environment, EACH STEP ALONG THE WAY MUST BE DELEGATED. APM Kerberos SSO does Kerberos protocol transition to the delegation account and constrained delegation to the target service through the delegation account. You therefore have to configure the web server to do constrained delegation to the backend servers. For AD-based services this generally just means configuring the web server to be able to delegate to the SPNs of the backend services.
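The AD side of both hops in the reply above, as an added example that is not from the original post or from F5: it sets constrained delegation (msDS-AllowedToDelegateTo) on the APM delegation account and on the web server's service account, and then verifies each hop. It assumes a domain-joined host with the ActiveDirectory RSAT module; every account name and SPN is a placeholder.

```powershell
# Added example, not from the original post or from F5 documentation.
# Runs on a domain-joined host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Placeholder names: replace with the customer's real accounts and SPNs.
$ApmDelegationAccount = 'svc-apm-delegate'          # APM "delegation account" (does protocol transition)
$WebServerAccount     = 'svc-webapp'                # account the web application pool runs as
$WebServerSpn         = 'HTTP/web.example.com'      # SPN APM delegates to (hop 1)
$BackendSpns          = @(                          # SPNs the web server delegates to (hop 2)
    'MSSQLSvc/sql01.example.com:1433',
    'HTTP/reports.example.com'
)

function Set-ConstrainedDelegation {
    param([string]$Account, [string[]]$TargetSpns)
    # msDS-AllowedToDelegateTo is the "delegation to specified services only" list.
    # -Replace makes the run idempotent and drops any stale SPNs.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
}

function Test-DelegationHop {
    param([string]$Account, [string[]]$ExpectedSpns)
    $u = Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    foreach ($spn in $ExpectedSpns) {
        $state = if ($allowed -contains $spn) { 'OK' } else { 'MISSING' }
        '{0,-20} -> {1,-40} {2}' -f $Account, $spn, $state
    }
    # Unconstrained delegation (TrustedForDelegation) would also make the hop work,
    # but it hands the server every user's TGT; flag it rather than rely on it.
    if ($u.TrustedForDelegation) { "WARNING: $Account is trusted for UNCONSTRAINED delegation" }
}

# Hop 1: APM delegation account -> web server. The delegation account needs protocol
# transition ("use any authentication protocol") because the user arrives without a ticket.
Set-ConstrainedDelegation -Account $ApmDelegationAccount -TargetSpns @($WebServerSpn)
Set-ADAccountControl -Identity $ApmDelegationAccount -TrustedToAuthForDelegation $true

# Hop 2: web server account -> SQL Server and Reporting Services SPNs.
Set-ConstrainedDelegation -Account $WebServerAccount -TargetSpns $BackendSpns

Test-DelegationHop -Account $ApmDelegationAccount -ExpectedSpns @($WebServerSpn)
Test-DelegationHop -Account $WebServerAccount     -ExpectedSpns $BackendSpns
```

The web server side (IIS application pool identity, Kerberos authentication on the site) and the APM Kerberos SSO profile still have to point at these same accounts and SPNs; this script only covers the AD delegation settings.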