apm sso kerberos
apm sso kerberos(1) BIG-IP TMSH Manual apm sso kerberos(1)
NAME
kerberos - Configures a Kerberos configuration object.
MODULE
apm sso
SYNTAX
Configure the kerberos component within the sso module using the syntax shown in the following sections.
CREATE/MODIFY
create kerberos [name]
modify kerberos [name]
options:
account-name [string]
account-password [string]
apm-log-config [[string] | none]
app-service [[string] | none]
headers [add | delete | modify | replace-all-with] {
[name] {
options:
app-service [[string] | none]
hname [[string] | none]
hvalue [[integer] | none]
}
}
kdc [[string] | none]
location-specific [true | false]
realm [string]
send-authorization [401 | always]
spn-pattern [[string] | none]
ticket-lifetime [[integer] | none]
upn-support [enabled | disabled]
user-realm-source [string]
username-source [string]
edit kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list kerberos
list kerberos [ [ [name] | [glob] | [regex] ] ... ]
show running-config kerberos
show running-config kerberos [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show kerberos
show kerberos [name]
DELETE
delete kerberos [name]
DESCRIPTION
You can use the kerberos component to configure an SSO Kerberos configuration object. Kerberos is an
authentication protocol in which the user and the server each verify the other's identity.
EXAMPLES
create mykerberos { realm MYREALM.COM account-name apmaccount account-password **** }
Creates an SSO Kerberos configuration object named mykerberos for the realm MYREALM.COM, where the
account name is apmaccount and the password is ****.
OPTIONS
account-name
Specifies the name of the Active Directory account configured for delegation. This account must be
configured in the server's Kerberos realm (AD Domain). If servers are from multiple realms, each realm
(AD Domain) must have its own delegation account. This option is required.
account-password
Specifies the password for the delegation account specified in account-name. This option is required.
apm-log-config
Specifies the log-setting object to associate with this SSO configuration. If this value is empty, the
logging framework uses the log-setting configuration associated with the access profile in which the SSO
configuration is used.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
headers
Specifies custom HTTP headers to insert into a request. The default value is none. The options are:
app-service
Specifies the name of the application service to which the header belongs. The default value is
none. Note: If the strict-updates option is enabled on the application service that owns the object,
you cannot modify or delete the header. Only the application service can modify or delete the
header.
hname
Specifies the name of a header to add to a request.
hvalue
Specifies the value of a header to add to a request.
kdc
Specifies the IP address or host name of the Kerberos Key Distribution Center (KDC) for the server's
realm. This is normally an Active Directory domain controller. If you leave this empty, the KDC must be
discoverable through DNS; for example, the BIG-IP system must be able to fetch SRV records for the server
realm's domain. If the server realm's domain name is different from the server's realm name, you must
specify the server realm's domain name in the /etc/krb5.conf file. Kerberos SSO processing is fastest
when the KDC is specified by its IP address, slower when specified by host name, and even slower (due to
additional DNS queries) when left empty. When a user's realm is different from the server's realm, the
KDC value must be empty. This is true in cases of cross-realm SSO. The default is none.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the
location where the BIG-IP device resides. The location-specific attribute is either true or false. When
using policy sync, mark an object as location-specific to prevent errors that can occur when policies
reference objects, such as authentication servers, that are specific to a certain location.
[name]
Specifies the name for the SSO Kerberos configuration object. This option is required.
realm
Specifies the realm of application server(s), for example, pool members or portal access resource hosts.
If the servers are located in multiple realms, each realm requires a separate SSO configuration. You must
specify the realm in uppercase letters. The user's realm can be specified through the
session.logon.last.domain session variable, and if this variable is not set, then the user's realm is
assumed to be the same as the server's realm. This option is required.
send-authorization
Specifies when to submit a Kerberos ticket to the application server(s). The ticket is submitted in an
HTTP Authorization header. The header value starts with the word Negotiate, followed by one space and a
base64-encoded GSSAPI token containing the Kerberos ticket. If a request contains an Authorization
header from the user's browser, it is deleted. The default is always. The options are:
401
The BIG-IP system first forwards the user's HTTP request to the web server without inserting a new
Authorization header; however, the browser's Authorization header is deleted. If the server requests
authentication by responding with a 401 status code, the BIG-IP system retries the request with the
Authorization header. The Kerberos ticket GSSAPI representation uses the SPNEGO mechanism type (OID
1.3.6.1.5.5.2).
Specifying 401 results in additional BIG-IP/server request round trips when authentication is
required for the request.
always
The BIG-IP system inserts an Authorization header, including the Kerberos ticket, into every HTTP
request, whether the request requires authentication or not. The Kerberos ticket GSSAPI
representation uses the KRB5 Kerberos 5 mechanism type (OID 1.2.840.113554.1.2.2).
Specifying always results in the additional overhead of generating a Kerberos token for every
request. This is the default value.
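The following is an added example, not part of this F5 manual page, showing how the two send-authorization
modes can be told apart on the wire. The header layout is the one described above (the word Negotiate, a
space, and a base64-encoded GSSAPI token). An RFC 2743 InitialContextToken begins with the DER tag 0x60,
a length, and the mechanism OID, so decoding the OID identifies SPNEGO (401 mode) versus KRB5 (always mode).
The function names and the SAMPLE_HEADERS are assumptions of this example; the sample tokens are constructed
with zero-filled bodies rather than real tickets, and the parser is the author's own, not BIG-IP code.

```python
import base64

# Mechanism OIDs named in the manual page: SPNEGO is used for send-authorization 401,
# KRB5 (Kerberos 5) for send-authorization always.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    count = first & 0x7F                   # long form: next `count` bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _decode_oid(content):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 group
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def mech_oid_from_token(token):
    """Return the mechanism OID carried in an RFC 2743 InitialContextToken.

    Layout: 0x60 <len> 0x06 <oid-len> <oid> <mechanism-specific body>.
    """
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken: missing [APPLICATION 0] tag 0x60")
    _, pos = _der_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("expected OID tag 0x06 after the token header")
    oid_len, pos = _der_length(token, pos + 1)
    return _decode_oid(token[pos:pos + oid_len])


def classify_authorization(header_value):
    """Classify an HTTP Authorization header value.

    Returns (scheme, mechanism) where mechanism is a name from MECH_NAMES, the raw OID
    for an unknown mechanism, or None when the scheme is not Negotiate.
    """
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        return scheme, None
    token = base64.b64decode(b64.strip())
    oid = mech_oid_from_token(token)
    return scheme, MECH_NAMES.get(oid, oid)


# --- constructed sample data (not captured traffic) ---------------------------------

def _der_len_bytes(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def build_initial_token(oid_der, body):
    """Wrap body in an InitialContextToken for the given DER-encoded OID."""
    inner = b"\x06" + _der_len_bytes(len(oid_der)) + oid_der + body
    return b"\x60" + _der_len_bytes(len(inner)) + inner


SPNEGO_OID_DER = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Placeholder bodies: a real SPNEGO body is a NegTokenInit and a real KRB5 body is
# TOK_ID 01 00 followed by an AP-REQ; zero filler stands in for both here. The long
# KRB5 body exercises the long-form DER length that real tickets need.
SAMPLE_HEADERS = {
    "401": "Negotiate " + base64.b64encode(
        build_initial_token(SPNEGO_OID_DER, b"\x00" * 8)).decode(),
    "always": "Negotiate " + base64.b64encode(
        build_initial_token(KRB5_OID_DER, b"\x01\x00" + b"\x00" * 200)).decode(),
}


if __name__ == "__main__":
    for mode, header in SAMPLE_HEADERS.items():
        print(mode, "->", classify_authorization(header))
```

Run against a captured Authorization header from a BIG-IP-to-server request, the mechanism name tells you
which send-authorization mode produced it; a Basic or other scheme returns None for the mechanism.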
spn-pattern
Specifies how the Service Principal Name (SPN) for the server is constructed. For example,
HTTP/%s@[server realm name configured in the realm option], where %s is substituted with the
hostname of your server discovered through a reverse DNS lookup of the server IP address. Only specify
this option when you need a non-standard SPN format. The default is none.
ticket-lifetime
Specifies the lifetime of Kerberos tickets obtained for the user. The value represents the maximum ticket
lifetime. The actual ticket lifetime may be less by up to 1 hour, because a user's ticket lifetime is the
same as the Kerberos Ticket Granting Ticket (TGT) lifetime. A TGT is obtained for the delegation account
specified in this configuration. A new TGT is fetched every time the current TGT is older than one hour.
The new TGT can only be fetched when an SSO request is processed.
The minimum ticket lifetime is 10 minutes. There is no maximum, however, the ticket lifetime of most AD
domains is 10 hours (600 minutes). F5 Networks recommends that you set the ticket lifetime in an SSO
configuration above what is specified in an AD domain. The default is 600 minutes.
upn-support
Enables or disables UPN suffix support for Kerberos SSO when integrating into Microsoft Active Directory
infrastructure. The default is disabled.
user-realm-source
Specifies the session variable name from which Kerberos SSO should read the user's realm. The default is
session.logon.last.domain.
username-source
Specifies the session variable name from which Kerberos SSO should read the username. The default is
session.sso.token.last.username.
SEE ALSO
basic, form-based, ntlmv1, ntlmv2
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.
BIG-IP 2016-09-15 apm sso kerberos(1)