apm sso kerberos
apm sso kerberos(1) BIG-IP TMSH Manual apm sso kerberos(1)
NAME
kerberos - Configures a Kerberos configuration object.
MODULE
apm sso
SYNTAX
Configure the kerberos component within the sso module using the syntax shown in the following sections.
CREATE/MODIFY
create kerberos [name]
modify kerberos [name]
options:
account-name [string]
account-password [string]
apm-log-config [[string] | none]
app-service [[string] | none]
headers [add | delete | modify | replace-all-with] {
[name] {
options:
app-service [[string] | none]
hname [[string] | none]
hvalue [[integer] | none]
}
}
kdc [[string] | none]
location-specific [true | false]
realm [string]
send-authorization [401 | always]
spn-pattern [[string] | none]
ticket-lifetime [[integer] | none]
upn-support [enabled | disabled]
user-realm-source [string]
username-source [string]
edit kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list kerberos
list kerberos [ [ [name] | [glob] | [regex] ] ... ]
show running-config kerberos
show running-config kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show kerberos
show kerberos [name]
DELETE
delete kerberos [name]
DESCRIPTION
You can use the kerberos component to configure an SSO Kerberos configuration object. Kerberos is an authentication
protocol in which the user and the server each verify the other's identity.
EXAMPLES
create mykerberos { realm MYREALM.COM account-name apmaccount account-password **** }
Creates an SSO Kerberos configuration object named mykerberos for the realm MYREALM.COM, where the account name is
apmaccount and the password is ****.
OPTIONS
account-name
Specifies the name of the Active Directory account configured for delegation. This account must be configured in the
server's Kerberos realm (AD Domain). If servers are from multiple realms, each realm (AD Domain) must have its own
delegation account. This option is required.
account-password
Specifies the password for the delegation account specified in account-name. This option is required.
apm-log-config
Specifies the log-setting object to associate with this SSO configuration. If this value is empty, the logging
framework uses the log-setting configuration associated with the access profile in which the SSO configuration is used.
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
headers
Specifies custom HTTP headers to insert into a request. The default value is none. The options are:
app-service
Specifies the name of the application service to which the header belongs. The default value is none. Note: If
the strict-updates option is enabled on the application service that owns the object, you cannot modify or delete
the header. Only the application service can modify or delete the header.
hname
Specifies the name of a header to add to a request.
hvalue
Specifies the value of a header to add to a request.
kdc
Specifies the IP address or host name of the Kerberos Key Distribution Center (KDC) for the server's realm. This is
normally an Active Directory domain controller. If you leave this empty, the KDC must be discoverable through DNS; for
example, the BIG-IP system must be able to fetch SRV records for the server realm's domain. If the server realm's domain
name is different from the server's realm name, you must specify the server realm's domain name in the /etc/krb5.conf
file. Kerberos SSO processing is fastest when the KDC is specified by its IP address, slower when it is specified by host
name, and slower still (due to additional DNS queries) when it is left empty. When a user's realm is different from the
server's realm, as in cross-realm SSO, the KDC value must be empty. The default is none.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the location
where the BIG-IP device resides. The location-specific attribute is either true or false. When using policy sync, mark
an object as location-specific to prevent errors that can occur when policies reference objects, such as
authentication servers, that are specific to a certain location.
[name]
Specifies the name for the SSO Kerberos configuration object. This option is required.
realm
Specifies the realm of application server(s), for example, pool members or portal access resource hosts. If the
servers are located in multiple realms, each realm requires a separate SSO configuration. You must specify the realm
in uppercase letters. The user's realm can be specified through the session.logon.last.domain session variable, and if
this variable is not set, then the user's realm is assumed to be the same as the server's realm. This option is
required.
send-authorization
Specifies when to submit a Kerberos ticket to the application server(s). The ticket is submitted in an HTTP
Authorization header. The header value starts with the word Negotiate, followed by one space and a base64-encoded
GSSAPI token containing the Kerberos ticket. If a request contains an Authorization header from the user's browser,
it is deleted. The default is always. The options are:
401
The BIG-IP system first forwards the user's HTTP request to the web server without inserting a new Authorization
header; however, the browser's Authorization header is deleted. If the server requests authentication by
responding with a 401 status code, BIG-IP retries the request with the Authorization header. The Kerberos ticket
GSSAPI representation uses the SPNEGO mechanism type (OID 1.3.6.1.5.5.2).
Specifying 401 results in additional BIG-IP/server request round trips in case authentication is required for the
request.
always
The BIG-IP system inserts an Authorization header, including the Kerberos ticket, into every HTTP request,
whether the request requires authentication or not. The Kerberos ticket GSSAPI representation uses the KRB5
Kerberos 5 mechanism type (OID 1.2.840.113554.1.2.2).
Specifying always results in the additional overhead of generating a Kerberos token for every request. This is
the default value.
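Added example, not part of the F5 manual: a small Python check that decodes the Authorization: Negotiate value described above and reports which mechanism OID the outer GSS-API InitialContextToken carries, the KRB5 type produced by always or the SPNEGO type used with 401. The two sample headers are constructed here; their inner tokens are placeholder bytes, not real Kerberos tickets.

```python
import base64
# Mechanism OIDs named on the page (RFC 4178 SPNEGO, RFC 1964 KRB5)
MECH_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "KRB5"}

def _der_length(buf, pos):  # -> (length, next_pos) for the DER length field at buf[pos]
    if pos >= len(buf):
        raise ValueError("truncated token")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _decode_oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for b in raw[1:]:  # base-128 arcs, high bit set = continuation byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def negotiate_mechanism(header):  # -> (oid, name) of the outer GSS-API mechanism
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate Authorization header")
    tok = base64.b64decode(b64.strip(), validate=True)
    if not tok or tok[0] != 0x60:  # [APPLICATION 0] InitialContextToken (RFC 2743 3.1)
        raise ValueError("not a GSS-API InitialContextToken")
    length, pos = _der_length(tok, 1)
    if length == 0 or pos + length != len(tok) or tok[pos] != 0x06:  # thisMech OID tag
        raise ValueError("malformed InitialContextToken")
    oidlen, pos = _der_length(tok, pos + 1)
    if oidlen == 0 or pos + oidlen > len(tok):
        raise ValueError("malformed mechanism OID")
    oid = _decode_oid(tok[pos:pos + oidlen])
    return oid, MECH_NAMES.get(oid, "unknown")

def _build_token(oid_hex, inner):
    # Constructed sample only: short-form InitialContextToken around placeholder inner bytes
    body = b"\x06" + bytes([len(oid_hex) // 2]) + bytes.fromhex(oid_hex) + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
# Constructed samples: 'always' sends a raw KRB5 token, '401' sends a SPNEGO token
SAMPLE_ALWAYS = _build_token("2a864886f712010202", b"\x01\x00" + b"\x00" * 8)
SAMPLE_401 = _build_token("2b0601050502", b"\xa0\x03\x02\x01\x00")
```

Run negotiate_mechanism() over a captured header to confirm which mechanism the virtual server is actually emitting; a token that is not a well-formed InitialContextToken raises ValueError rather than being misreported.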
spn-pattern
Specifies how the Service Principal Name (SPN) for the server is constructed, for example, HTTP/%s@[server realm name
configured in the realm option], where %s is substituted with the host name of your server as discovered through a
reverse DNS lookup of the server IP address. Specify this option only when you need a non-standard SPN format. The
default is none.
ticket-lifetime
Specifies the lifetime of Kerberos tickets obtained for the user. The value represents the maximum ticket lifetime.
The actual ticket lifetime may be less by up to 1 hour, because a user's ticket lifetime is the same as the Kerberos
Ticket Granting Ticket (TGT) lifetime. A TGT is obtained for the delegation account specified in this configuration. A
new TGT is fetched every time the current TGT is older than one hour. The new TGT can only be fetched when an SSO
request is processed.
The minimum ticket lifetime is 10 minutes. There is no maximum; however, the ticket lifetime of most AD domains is 10
hours (600 minutes). F5 Networks recommends that you set the ticket lifetime in an SSO configuration above what is
specified in an AD domain. The default is 600 minutes.
upn-support
Enables or disables UPN suffix support for Kerberos SSO when integrating into Microsoft Active Directory
infrastructure. The default is disabled.
user-realm-source
Specifies the session variable name from which Kerberos SSO reads the user's realm. The default is
session.logon.last.domain.
username-source
Specifies the session variable name from which Kerberos SSO reads the username. The default is
session.sso.token.last.username.
SEE ALSO
basic, form-based, ntlmv1, ntlmv2
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.
BIG-IP 2016-09-15 apm sso kerberos(1)