Overview: Configure Kerberos Authentication

About Kerberos authentication

Kerberos authentication provides a method to authenticate domain users without prompting them for login credentials again. Kerberos is a cryptographic ticketing protocol that grants access to resources based on encrypted tickets issued by the Key Distribution Center (KDC). The KDC issues tickets and generates temporary session keys that allow users and services to authenticate securely. It stores the long-term encryption key it shares with each entity (principal) in the domain (realm). A principal is a unique identity, generally a user, host, or service. A single host can run many services, so there can be many individual principals, each with its own cryptographic key. A realm is the group of systems over which Kerberos has the authority to authenticate a user to a service.

The KDC consists of an Authentication Server (AS) and a Ticket Granting Server (TGS). The Authentication Server confirms that a known user is making the request and issues a ticket-granting ticket (TGT). The Ticket Granting Server verifies that the user is requesting access to a known service and issues service tickets for it.

The Kerberos Auth item is useful when a user is already logged in to the domain and you want to avoid presenting additional logon prompts to collect credentials. Instead of showing a login box, the browser answers the server's challenge with a Kerberos service ticket in an Authorization: Negotiate header. Browsers do this only for hosts they trust for integrated authentication (on Windows, for example, hosts in the Local Intranet zone), so the hostname clients use to reach BIG-IP Next must be on that list. In an Access policy, an HTTP 401 Response item typically precedes a Kerberos Auth item.

The authentication process occurs as follows:

  1. The user requests access to a service published on BIG-IP Next and receives an HTTP 401 response (or HTTP 407 when BIG-IP Next Access acts as a forward proxy) from BIG-IP Next Access, carrying a WWW-Authenticate: Negotiate challenge.

  2. In an AS_REQ/AS_REP exchange, the client obtains a Kerberos Ticket Granting Ticket (TGT) from the KDC. A client that is already logged in to the domain normally holds a TGT and skips this step.

  3. In a TGS_REQ/TGS_REP exchange, the client presents the TGT to the KDC and obtains a Kerberos service ticket for the service's SPN. Browsers derive that SPN from the hostname in the URL (HTTP/<hostname>), so the SPN in the keytab must match the name the client connects to.

  4. The client repeats the request from step 1 to BIG-IP Next, this time presenting the service ticket in a Kerberos AP_REQ carried in the Authorization: Negotiate header.

  5. BIG-IP Next decrypts and validates the service ticket with the key for that SPN from the keytab file. The ticket's SPN, encryption type, and key version number (kvno) must all match a keytab entry, or validation fails.

  6. When Kerberos authentication is successful, the BIG-IP Next system sends an AP_REP reply, and the client can access the service.
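As an added example that is not F5 code and not part of this page, the following Python shows what BIG-IP Next sees at step 4 and pre-checks it against step 5: it parses the Authorization: Negotiate credential, identifies the mechanism, reads the cleartext parts of the Kerberos service ticket (realm, SPN, encryption type, kvno) and compares them with what a keytab entry could decrypt. It goes beyond the six steps in one way: it also recognises the NTLM fallback, in which the browser never obtained a ticket at all. The DER walker, the constructed sample tokens, the function names and the keytab values handed to preflight() are all assumptions made here; a real keytab's principal, etypes and kvno come from klist -kte.

```python
import base64
# DER-encoded mechanism OIDs: SPNEGO (RFC 4178), Kerberos 5 (RFC 4121), NTLMSSP.
OID_SPNEGO = bytes.fromhex("2b0601050502")
OID_KRB5 = bytes.fromhex("2a864886f712010202")
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")
OID_NAMES = {OID_KRB5: "Kerberos", OID_NTLMSSP: "NTLM"}

def tlv(tag, body):
    """Minimal DER encoder: one-byte tag (all these messages need), length, value."""
    n, w = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | w]) + n.to_bytes(w, "big")) + body

def read_tlv(buf, pos=0):                        # -> (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(seq_body, pos=0):                      # (tag, value) of each element of a SEQUENCE body
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        yield tag, val

def parse_ticket(tkt):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }.
    realm, sname, etype and kvno are cleartext, so no key is needed to read them."""
    tag, inner, _ = read_tlv(tkt)
    if tag != 0x61: raise ValueError("not a Kerberos Ticket")
    f = dict(items(read_tlv(inner)[1]))          # context tags [0]=0xA0, [1]=0xA1, ... -> values
    realm = read_tlv(f[0xA1])[1].decode()
    pn = dict(items(read_tlv(f[0xA2])[1]))       # PrincipalName { name-type [0], name-string [1] }
    names = [v.decode() for _, v in items(read_tlv(pn[0xA1])[1])]
    enc = dict(items(read_tlv(f[0xA3])[1]))      # EncryptedData { etype [0], kvno [1] OPTIONAL, cipher [2] }
    etype = int.from_bytes(read_tlv(enc[0xA0])[1], "big", signed=True)
    kvno = int.from_bytes(read_tlv(enc[0xA1])[1], "big") if 0xA1 in enc else None
    return {"spn": "/".join(names) + "@" + realm, "etype": etype, "kvno": kvno}

def inspect_token(tok):
    """Classify a token: raw NTLM, SPNEGO (recursing into its mechToken), or a Kerberos AP-REQ."""
    if tok.startswith(b"NTLMSSP\x00"):
        return {"mech": "NTLM"}
    tag, body, _ = read_tlv(tok)
    if tag != 0x60: raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = read_tlv(body)
    if oid == OID_SPNEGO:
        neg = dict(items(read_tlv(read_tlv(body, pos)[1])[1]))  # [0] NegTokenInit ::= SEQUENCE
        res = {"mech": "SPNEGO",                                 # mechTypes [0] SEQUENCE OF OID
               "offered": [OID_NAMES.get(v, v.hex()) for _, v in items(read_tlv(neg[0xA0])[1])]}
        if 0xA2 in neg:                                          # mechToken [2] OCTET STRING
            res["inner"] = inspect_token(read_tlv(neg[0xA2])[1])
        return res
    if oid == OID_KRB5:
        if body[pos:pos + 2] != b"\x01\x00": raise ValueError("Kerberos token is not an AP-REQ (TOK_ID 01 00)")
        ap = dict(items(read_tlv(read_tlv(body, pos + 2)[1])[1]))  # AP-REQ [APPLICATION 14] SEQUENCE
        return {"mech": "Kerberos", **parse_ticket(ap[0xA3])}    # ticket [3]
    raise ValueError("unsupported mechanism OID " + oid.hex())

def inspect_negotiate(header_value):             # parse an 'Authorization: Negotiate <base64>' credential (step 4)
    return inspect_token(base64.b64decode(header_value.split(" ", 1)[1]))

def preflight(result, keytab_spn, keytab_etypes, keytab_kvno):
    """Explain a step-5 failure before any decryption; keytab arguments are what `klist -kte` lists (illustrative)."""
    krb = result.get("inner", result)
    if krb["mech"] != "Kerberos":
        return [f"client sent {krb['mech']}, not a Kerberos ticket: it obtained no service ticket "
                "for this host (SPN not registered, or KDC unreachable?)"]
    found = []
    if krb["spn"] != keytab_spn:                     # principal names are case-sensitive (RFC 4120)
        found.append(f"SPN mismatch: ticket is for {krb['spn']}, keytab holds {keytab_spn}")
    if krb["etype"] not in keytab_etypes:
        found.append(f"etype {krb['etype']} missing from keytab etypes {sorted(keytab_etypes)}")
    if krb["kvno"] != keytab_kvno:
        found.append(f"kvno mismatch: ticket {krb['kvno']}, keytab {keytab_kvno} (password changed after keytab creation?)")
    return found

def sample_browser_header(spn="HTTP/app.example.com@EXAMPLE.COM", etype=18, kvno=3):
    """Constructed step-4 token as a Windows browser sends it: SPNEGO offering Kerberos and NTLM,
    carrying a Kerberos AP-REQ as mechToken. Encrypted parts are dummy bytes."""
    name, realm = spn.split("@")
    def enc(et, kv, cipher):                         # EncryptedData; the authenticator carries no kvno
        kv_part = tlv(0xA1, tlv(0x02, bytes([kv]))) if kv is not None else b""
        return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([et]))) + kv_part + tlv(0xA2, tlv(0x04, cipher)))
    pn = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))     # name-type 2 = NT-SRV-INST
             + tlv(0xA1, tlv(0x30, b"".join(tlv(0x1B, p.encode()) for p in name.split("/")))))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x1B, realm.encode()))
                           + tlv(0xA2, pn) + tlv(0xA3, enc(etype, kvno, b"\xAA" * 40))))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0E"))
                           + tlv(0xA2, tlv(0x03, b"\x00" * 5)) + tlv(0xA3, ticket)
                           + tlv(0xA4, enc(etype, None, b"\xBB" * 32))))
    krb_gss = tlv(0x60, tlv(0x06, OID_KRB5) + b"\x01\x00" + ap_req)
    neg = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x06, OID_KRB5) + tlv(0x06, OID_NTLMSSP))) + tlv(0xA2, tlv(0x04, krb_gss)))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, OID_SPNEGO) + tlv(0xA0, neg))).decode()

def sample_ntlm_header():                            # constructed NTLM fallback: raw NTLMSSP NEGOTIATE, no ticket
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()
```

To diagnose a real failure, pass the Authorization header value captured from the browser's developer tools or a packet capture to inspect_negotiate(); none of the fields it reads are encrypted, so no key material is needed to see which SPN the client asked for and whether the ticket's etype and kvno match the keytab entry.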

Prerequisites

  • You are using Windows Active Directory (AD) as your Key Distribution Center.

  • You know the Kerberos Realm, Account Name, and Account Password.

  • You have the Kerberos configuration file.

  • You have accounts created for Kerberos principal users in the Active Directory.

  • You have registered the service principal name (SPN) on the service account in Active Directory and generated the keytab file for it. A keytab file holds one or more entries, each with the SPN that identifies the service, a key version number (kvno), and the key for one encryption type. The key is derived from the service account password, so the keytab must be regenerated whenever that password changes.

Configure Kerberos Authentication

You can configure Kerberos authentication using the following methods:

Configure Kerberos Authentication using BIG-IP Next Central Manager