Kerberos Authentication across multiple domains
Hi there,
I'm having a hard time getting Kerberos to work across multiple domains (two-way trust). Version of APM: 11.5.
Within a domain, Kerberos authentication works fine, but when I attempt to access a resource from another domain it's failing.
My setup is something like this:
trusteddomain.local untrusteddomain.local
The SPN and all Kerberos settings were created in the untrusted domain.
I did the following steps to implement it (maybe it will help somebody else as well):
On the untrusted domain:
setspn -U -A HTTP/internal.something.org f5kerberos
ktpass -princ HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL -mapuser f5kerberos@UNTRUSTEDDOMAIN.LOCAL -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass supersecret -out C:\f5kerberos
On F5:
AAA Server
Auth Realm: UNTRUSTEDDOMAIN.LOCAL
Service name: HTTP
Principal: HTTP/internal.something.org@UNTRUSTEDDOMAIN.LOCAL
SSO Config
Kerberos Realm: UNTRUSTEDDOMAIN.LOCAL
Account name: f5kerberos
Account password: supersecret
Access policy
HTTP 401 response
basic+negotiate
Basic Auth Realm: MHPSHP.LOCAL
On negotiate - kerberos - sso - allow
Everything works fine from untrusteddomain, but doesn't work from trusteddomain.
I tried implementing NTLM auth and it was failing as well. My main point is to get seamless authentication for the user and then use form-based SSO to log in to some other web apps.
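As an added example (not from the post, nor F5 or Microsoft code), here is a small Python reader for the keytab that the ktpass command above writes to C:\f5kerberos, listing each principal, kvno and enctype and flagging deprecated RC4/DES keys such as the one -crypto rc4-hmac-nt produces. It assumes the file uses the common 0x0502 keytab layout and builds a constructed in-memory sample instead of reading the real file.

```python
import struct
# Kerberos enctype numbers (IANA registry); DES and RC4 are deprecated by RFC 6649 / RFC 8429
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data   # 16-bit big-endian length prefix

def build_keytab(entries):
    # Writes (principal, realm, kvno, enctype, key) tuples in the assumed v0x502 keytab
    # layout; used here only to construct an offline sample standing in for ktpass output.
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 3, 0, kvno & 0xFF)  # KRB5_NT_SRV_HST, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob: bytes):
    # Returns one dict per entry: principal, kvno, enctype name and a weak-enctype flag.
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:                     # a negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos); pos += 4
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", blob, pos); pos += 13
        pos += klen                      # skip the key material; never expose it
        if end - pos >= 4:               # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries

# Constructed sample: the post's SPN keyed with rc4-hmac (what -crypto rc4-hmac-nt yields) and aes256
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/internal.something.org", "UNTRUSTEDDOMAIN.LOCAL", 3, 23, b"\x11" * 16),
    ("HTTP/internal.something.org", "UNTRUSTEDDOMAIN.LOCAL", 3, 18, b"\x22" * 32)])
```

To inspect a real keytab, pass open(path, "rb").read() to parse_keytab; a kvno that no longer matches the account's current key version, or an enctype the AAA server is not configured to accept, will both stop the F5 from decrypting service tickets.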