apm sso kerberos(1) BIG-IP TMSH Manual apm sso kerberos(1)
NAME
kerberos - Configures a Kerberos configuration object.
MODULE
apm sso
SYNTAX
Configure the kerberos component within the sso module using the syntax
shown in the following sections.
CREATE/MODIFY
create kerberos [name]
modify kerberos [name]
options:
account-name [string]
account-password [string]
apm-log-config [[string] | none]
app-service [[string] | none]
headers [add | delete | modify | replace-all-with] {
[name] {
options:
app-service [[string] | none]
hname [[string] | none]
hvalue [[integer] | none]
}
}
kdc [[string] | none]
location-specific [true | false]
realm [string]
send-authorization [401 | always]
spn-pattern [[string] | none]
ticket-lifetime [[integer] | none]
edit kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list kerberos
list kerberos [ [ [name] | [glob] | [regex] ] ... ]
show running-config kerberos
show running-config kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show kerberos
show kerberos [name]
DELETE
delete kerberos [name]
DESCRIPTION
You can use the kerberos component to configure an SSO Kerberos
configuration object. Kerberos is an authentication protocol, where
both the user and the server verify the other's identity.
EXAMPLES
create mykerberos { realm MYREALM.COM account-name apmaccount account-password **** }
Creates an SSO Kerberos configuration object named mykerberos for
the realm MYREALM.COM, where the account name is apmaccount and
the password is ****.
OPTIONS
account-name
Specifies the name of the Active Directory account configured for
delegation. This account must be configured in the server's
Kerberos realm (AD Domain). If servers are from multiple realms,
each realm (AD Domain) must have its own delegation account. This
option is required.
account-password
Specifies the password for the delegation account specified in
account-name. This option is required.
apm-log-config
Specifies the log-setting object to associate with this SSO
configuration. If this value is empty, the logging framework uses
the log-setting configuration associated with the access profile
in which the SSO configuration is used.
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
headers
Specifies custom HTTP headers to insert into a request. The
default value is none. The options are:
app-service
Specifies the name of the application service to which the
header belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service
that owns the object, you cannot modify or delete the header.
Only the application service can modify or delete the header.
hname
Specifies the name of a header to add to a request.
hvalue
Specifies the value of a header to add to a request.
kdc
Specifies the IP address or host name of the Kerberos Key
Distribution Center (KDC) for the server's realm. This is normally
an Active Directory domain controller. If you leave this empty,
the KDC must be discoverable through DNS; for example, the BIG-IP
system must be able to fetch SRV records for the server realm's
domain. If the server realm's domain name is different from the
server's realm name, you must specify the server realm's domain
name in the /etc/krb5.conf file. Kerberos SSO processing is
fastest when the KDC is specified by its IP address, slower when
specified by host name, and even slower (due to additional DNS
queries) when left empty. When a user's realm is different from
the server's realm, the KDC value must be empty. This is true in
cases of cross-realm SSO. The default is none.
location-specific
Specifies whether or not this object contains one or more
attributes with values that are specific to the location where the
BIG-IP device resides. The location-specific attribute is either
true or false. When using policy sync, mark an object as
location-specific to prevent errors that can occur when policies reference
objects, such as authentication servers, that are specific to a
certain location.
[name]
Specifies the name for the SSO Kerberos configuration object. This
option is required.
realm
Specifies the realm of application server(s), for example, pool
members or portal access resource hosts. If the servers are
located in multiple realms, each realm requires a separate SSO
configuration. You must specify the realm in uppercase letters.
The user's realm can be specified through the
session.logon.last.domain session variable, and if this variable
is not set, then the user's realm is assumed to be the same as the
server's realm. This option is required.
send-authorization
Specifies when to submit a Kerberos ticket to the application
server(s). The ticket is submitted in an HTTP Authorization
header. The header value starts with the word Negotiate, followed
by one space and a base64-encoded GSSAPI token containing the
Kerberos ticket. If a request contains an Authorization header
from the user's browser, it is deleted. The default is always. The
options are:
401 The BIG-IP system first forwards the user's HTTP request to
the web server without inserting a new Authorization header;
however, the browser's Authorization header is deleted. If
the server requests authentication by responding with a 401
status code, BIG-IP retries the request with the
Authorization header. The Kerberos ticket GSSAPI
representation uses the SPNEGO mechanism type (OID
1.3.6.1.5.5.2).
Specifying 401 results in additional BIG-IP/server request
round trips in case authentication is required for the
request.
always
The BIG-IP system inserts an Authorization header, including
the Kerberos ticket, into every HTTP request, whether the
request requires authentication or not. The Kerberos ticket
GSSAPI representation uses the KRB5 Kerberos 5 mechanism type
(OID 1.2.840.113554.1.2.2).
Specifying always results in the additional overhead of
generating a Kerberos token for every request. This is the
default value.
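The difference between the two send-authorization modes is easiest to see as a request flow. The following Python model is an added example, not code from the man page or from F5; the backend (FakeAppServer), the request paths and the token body are constructed, and the token is only a placeholder for the real GSS-API initial context token. It shows the browser's Authorization header being dropped in both modes, the always mode inserting a Negotiate header on every request, and the 401 mode sending the request first without a ticket and retrying only after a 401 challenge, which is where the extra round trip comes from.

```python
import base64
from dataclasses import dataclass, field

# GSS-API mechanism OIDs as named on the man page for each send-authorization mode.
SPNEGO_OID = "1.3.6.1.5.5.2"          # used by the 401 mode
KRB5_OID = "1.2.840.113554.1.2.2"     # used by the always mode


def make_negotiate_header(mech_oid: str, ticket: bytes) -> str:
    """Authorization value: the word Negotiate, one space, base64 token.

    The token body is a constructed stand-in for the GSS-API initial context
    token; it is not the real DER encoding the BIG-IP system produces."""
    token = f"OID:{mech_oid};TICKET:".encode("ascii") + ticket
    return "Negotiate " + base64.b64encode(token).decode("ascii")


@dataclass
class FakeAppServer:
    """Constructed backend: paths in `protected` answer 401 until they see
    a Negotiate header; everything else is served unauthenticated."""
    protected: set
    log: list = field(default_factory=list)   # (path, Authorization seen)

    def handle(self, path: str, headers: dict) -> int:
        auth = headers.get("Authorization")
        self.log.append((path, auth))
        if path in self.protected and not (auth or "").startswith("Negotiate "):
            return 401
        return 200


def sso_forward(server: FakeAppServer, mode: str, path: str,
                browser_headers: dict, ticket: bytes) -> tuple:
    """Forward one request under the given send-authorization mode.

    Returns (final status, number of BIG-IP -> server round trips)."""
    if mode not in ("401", "always"):
        raise ValueError(f"unknown send-authorization mode: {mode}")
    # In both modes the browser's own Authorization header is removed.
    headers = {k: v for k, v in browser_headers.items()
               if k.lower() != "authorization"}
    if mode == "always":
        headers["Authorization"] = make_negotiate_header(KRB5_OID, ticket)
        return server.handle(path, headers), 1
    # 401 mode: try without a ticket first, retry only if challenged.
    status = server.handle(path, headers)
    if status != 401:
        return status, 1
    headers["Authorization"] = make_negotiate_header(SPNEGO_OID, ticket)
    return server.handle(path, headers), 2


def mechanism_of(header_value: str) -> str:
    """Recover the mechanism OID from a header built by make_negotiate_header."""
    token = base64.b64decode(header_value.split(" ", 1)[1])
    return token.split(b";", 1)[0].split(b":", 1)[1].decode("ascii")


if __name__ == "__main__":
    srv = FakeAppServer(protected={"/secure"})
    print("401 mode, public path:", sso_forward(srv, "401", "/public", {}, b"tkt"))
    print("401 mode, protected path:", sso_forward(srv, "401", "/secure", {}, b"tkt"))
    print("always mode, public path:", sso_forward(srv, "always", "/public", {}, b"tkt"))
```

When reviewing a deployment, the server-side log of which requests arrived with and without a Negotiate header is the quickest way to confirm which mode is in effect and whether a browser-supplied Authorization header is being stripped as the page describes.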
spn-pattern
Specifies how the Service Principal Name (SPN) for the server is
constructed. For example, HTTP/%s@[server realm name configured in
the realm option], where %s will be substituted with the hostname
of your server discovered through reverse DNS lookup using the
server IP address. Only specify this option when you need a
non-standard SPN format. The default is none.
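How the SPN is assembled from the realm option, the spn-pattern and reverse DNS can be shown with a small Python function. This is an added example, not F5 code: the PTR table, IP addresses and host names are constructed, and the HTTP/<hostname>@<REALM> form used when no pattern is configured is an assumption about the default, not something the page states. It also enforces the page's rule that the realm must be uppercase.

```python
# Constructed PTR table standing in for the reverse DNS lookup the system
# performs on the server IP address (hypothetical names and addresses).
REVERSE_DNS = {
    "10.0.0.5": "app1.corp.example.com.",   # PTR answers often carry a trailing dot
    "10.0.0.6": "app2.corp.example.com",
}


def reverse_lookup(server_ip: str) -> str:
    """Return the hostname for an IP, or raise LookupError if there is no PTR."""
    try:
        return REVERSE_DNS[server_ip].rstrip(".")
    except KeyError:
        raise LookupError(f"no PTR record for {server_ip}") from None


def build_spn(server_ip: str, realm: str, spn_pattern=None,
              lookup=reverse_lookup) -> str:
    """Construct the SPN a service ticket would be requested for.

    spn_pattern None means no pattern is configured; the standard
    HTTP/<hostname>@<REALM> form used for that case is an assumption.
    With a pattern, every %s is replaced by the hostname from reverse DNS."""
    if not realm or realm != realm.upper():
        raise ValueError("realm must be given in uppercase letters")
    hostname = lookup(server_ip)
    if spn_pattern is None:
        return f"HTTP/{hostname}@{realm}"
    return spn_pattern.replace("%s", hostname)


if __name__ == "__main__":
    print(build_spn("10.0.0.5", "CORP.EXAMPLE.COM"))
    print(build_spn("10.0.0.6", "CORP.EXAMPLE.COM", "host/%s@CORP.EXAMPLE.COM"))
```

Because the hostname that ends up in the SPN comes from a PTR lookup on the server address, the integrity of the reverse zone matters: a wrong or missing PTR record yields a ticket for the wrong principal, or no ticket at all, which is worth checking first when Kerberos SSO fails for a single pool member.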
ticket-lifetime
Specifies the lifetime of Kerberos tickets obtained for the user.
The value represents the maximum ticket lifetime. The actual
ticket lifetime may be less by up to 1 hour, because a user's
ticket lifetime is the same as the Kerberos Ticket Granting Ticket
(TGT) lifetime. A TGT is obtained for the delegation account
specified in this configuration. A new TGT is fetched every time
the current TGT is older than one hour. The new TGT can only be
fetched when an SSO request is processed.
The minimum ticket lifetime is 10 minutes. There is no maximum,
however, the ticket lifetime of most AD domains is 10 hours (600
minutes). F5 Networks recommends that you set the ticket lifetime
in an SSO configuration above what is specified in an AD domain.
The default is 600 minutes.
SEE ALSO
basic, form-based, ntlmv1, ntlmv2
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.
BIG-IP 2016-03-02 apm sso kerberos(1)