ltm auth kerberos-delegationΒΆ

ltm auth kerberos-delegation(1BIG-IP TMSH Manualtm auth kerberos-delegation(1)



NAME
       kerberos-delegation - Configures a Kerberos delegation profile.

MODULE
       ltm auth

SYNTAX
       Configure the kerberos-delegation component within the ltm auth module
       using the syntax shown in the following sections.

   CREATE/MODIFY
	create kerberos-delegation [name]
	modify kerberos-delegation [name]
	  options:
	    app-service [[string] | none]
	    client-principal [string]
	    debug-logging [disabled | enabled]
	    description [string]
	    protocol-transition [disabled | enabled]
	    server-principal [string]

	edit kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats kerberos-delegation
	reset-stats kerberos-delegation
	  [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list kerberos-delegation
	list kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
	show running-config kerberos-delegation
	show running-config kerberos-delegation
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show kerberos-delegation
	show kerberos-delegation [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    field-fmt
	    global

   DELETE
	delete kerberos-delegation [name]

DESCRIPTION
       The Kerberos delegation configuration acts like a proxy for Kerberos
       credentials. When connecting to a server that is inside its domain, the
       browser client fetches Kerberos credentials known as delegated
       credentials. These credentials are passed on to the system. Once the
       system has these credentials, it retrieves credentials for the
       RealServer(r) that is on the back end, and passes those credentials
       back.

       Each user is assigned a unique cookie that describes a session on the
       system. This cookie is encrypted in a cookie key.

       To configure a Kerberos authentication module and create a Kerberos
       configuration object:

       1. Use the kerberos-delegation component in the ltm auth module to
       create a Kerberos configuration object.
       2. Use the profile component, in the ltm auth module, to create an
       authentication profile in which you specify the following options:
	    a. For the configuration option, specify the Kerberos
	    configuration object that you created in Step 1.
	    b. For the defaults-from option, specify a parent profile (either
	    the default Kerberos profile named krbdelegate or another custom
	    Kerberos profile that you created).

EXAMPLES
       create kerberos-delegation my_kerberos-delegation_config client-
       principal client.net server-principal server.net

       Creates a Kerberos delegation profile named
       my_kerberos-delegation_config.

       list kerberos-delegation all-properties

       Displays all properties for all Kerberos delegation profiles.

OPTIONS
       app-service
	    Specifies the name of the application service to which the profile
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the profile. Only the application
	    service can modify or delete the profile.

       client-principal
	    Specifies the principal that the client sees. This is usually a
	    value such as HTTP/. This principal may be in a different
	    domain from the server principal. This option is required. There
	    is no default value.

       debug-logging
	    Specifies whether the system logs debugging actions. The default
	    value is disabled.

       description
	    User defined description.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       partition
	    Displays the administrative partition within which this profile
	    resides.

       protocol-transition
	    Specifies whether associated virtual should transition client
	    certificate authentication into Kerberos credentials.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       server-principal
	    Specifies the principal of the back-end web server. This is
	    usually a value such as HTTP/. This may be in a
	    different domain from the server principal. This setting is
	    required. There is no default value.

SEE ALSO
       create, delete, edit, glob, list, ltm virtual, modify, regex, reset-
       stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2012. All rights reserved.



BIG-IP				  2012-05-22   ltm auth kerberos-delegation(1)