ltm auth kerberos-delegation
ltm auth kerberos-delegation(1BIG-IP TMSH Manualtm auth kerberos-delegation(1)
NAME
kerberos-delegation - Configures a Kerberos delegation profile.
MODULE
ltm auth
SYNTAX
Configure the kerberos-delegation component within the ltm auth module
using the syntax shown in the following sections.
CREATE/MODIFY
create kerberos-delegation [name]
modify kerberos-delegation [name]
options:
app-service [[string] | none]
client-principal [string]
debug-logging [disabled | enabled]
description [string]
protocol-transition [disabled | enabled]
server-principal [string]
edit kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats kerberos-delegation
reset-stats kerberos-delegation
[ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list kerberos-delegation
list kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
show running-config kerberos-delegation
show running-config kerberos-delegation
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show kerberos-delegation
show kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete kerberos-delegation [name]
DESCRIPTION
The Kerberos delegation configuration acts like a proxy for Kerberos
credentials. When connecting to a server that is inside its domain, the
browser client fetches Kerberos credentials known as delegated
credentials. These credentials are passed on to the system. Once the
system has these credentials, it retrieves credentials for the
RealServer(r) that is on the back end, and passes those credentials
back.
Each user is assigned a unique cookie that describes a session on the
system. This cookie is encrypted in a cookie key.
To configure a Kerberos authentication module and create a Kerberos
configuration object:
1. Use the kerberos-delegation component in the ltm auth module to
create a Kerberos configuration object.
2. Use the profile component, in the ltm auth module, to create an
authentication profile in which you specify the following options:
a. For the configuration option, specify the Kerberos
configuration object that you created in Step 1.
b. For the defaults-from option, specify a parent profile (either
the default Kerberos profile named krbdelegate or another custom
Kerberos profile that you created).
EXAMPLES
create kerberos-delegation my_kerberos-delegation_config client-
principal client.net server-principal server.net
Creates a Kerberos delegation profile named
my_kerberos-delegation_config.
list kerberos-delegation all-properties
Displays all properties for all Kerberos delegation profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
client-principal
Specifies the principal that the client sees. This is usually a
value such as HTTP/. This principal may be in a different
domain from the server principal. This option is required. There
is no default value.
debug-logging
Specifies whether the system logs debugging actions. The default
value is disabled.
description
User defined description.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which this profile
resides.
protocol-transition
Specifies whether associated virtual should transition client
certificate authentication into Kerberos credentials.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
server-principal
Specifies the principal of the back-end web server. This is
usually a value such as HTTP/. This may be in a
different domain from the server principal. This setting is
required. There is no default value.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, reset-
stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2012. All rights reserved.
BIG-IP 2012-05-22 ltm auth kerberos-delegation(1)