Lab 1: Cert Auth to Kerberos SSO

Task 1 - Setup Lab Environment

To access your dedicated student lab environment, you will require a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Lab Training Portal. The RDP client will be used to connect to the Jump Host, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT in the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, the Chrome browser launches automatically and opens https://portal.f5lab.local. This usually takes 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 306 Per-Session Access Control on the left

  9. Hover over the tile Cert Auth to Kerberos SSO. A start and stop icon should appear within the tile. Click the Play Button to start the automation that builds the environment.

  10. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

Task 2 - Create an OCSP Responder

  1. From a browser navigate to https://bigip1.f5lab.local

  2. Login with username admin and password admin

  3. Navigate to Access >> Authentication >> OCSP Responder >> click the Plus Sign(+).

  4. Enter the Name cer2kerb-ocsp

  5. From the Configuration dropdown menu select Advanced

  6. From the Certificate Authority File dropdown menu select ca.f5lab.local

  7. Enter the Certificate Authority Path /ocsp

  8. Uncheck Nonce

  9. Click Finished

Task 3 - Create an LDAP AAA Server

  1. Navigate to Access >> Authentication >> LDAP >> click the Plus Sign(+).

  2. Enter the Name ldap-servers

  3. Enter the Server Pool Name ldap-pool

  4. Add the server address 10.1.20.7

  5. Enter the Admin DN CN=admin,CN=Users,DC=f5lab,DC=local

  6. Enter the Admin Password admin

  7. Click Finished

Task 4 - Create a Kerberos SSO

  1. Navigate to Access >> Single Sign-On >> Kerberos >> click the Plus Sign(+).

  2. Enter the Name kerb-sso

  3. Enter the Kerberos Realm F5LAB.LOCAL

  4. Enter the Account Name HOST/cert2kerb.f5lab.local

  5. Enter Account Password cert2kerb

  6. From the Send Authorization dropdown menu select On 401 Status Code

  7. Click Finished

Task 5 - Create a per-session policy

  1. Navigate to Access >> Profiles/Policies >> Access Profiles (Per-Session Policies) >> click the Plus Sign(+).

  2. Enter the Name cert2kerb

  3. From the Profile Type dropdown menu select All

  4. Scroll to the bottom of the New Profile window to the Language Settings

  5. Select English from the Factory Built-in Languages on the right, click the Double Arrow (<<), then click the Finished button.

  6. From the Access >> Profiles/Policies >> Access Profiles (Per-Session Policies) screen, click the Edit link on the previously created cert2kerb line

  7. In the Visual Policy Editor window for /Common/cert2kerb, click the Plus (+) Sign between Start and Deny

  8. In the pop-up dialog box, select the Authentication tab and then click the Radio Button next to On-Demand Cert Auth

  9. Once selected, click the Add Item button

  10. Leave the Auth Mode the default of request

  11. Click Save

  12. Click the Plus (+) Sign on the Successful branch of the On-demand Cert Auth policy item.

  13. In the pop-up dialog box, select the Authentication tab and then click the Radio Button next to OCSP Auth

  14. Once selected, click the Add Item button

  15. Select /Common/cert2kerb-ocsp from the OCSP Responder dropdown menu

  16. Click Save

  17. Click the Plus (+) Sign on the Successful branch of the OCSP Auth policy item.

  18. In the pop-up dialog box, select the Assignment tab and then click the Radio Button next to Variable Assign

  19. Once selected, click the Add Item button

  20. Change the name to upn_extract

  21. Click Add new entry

  22. Click change

  23. Enter the Custom Variable session.custom.upn

  24. Enter the text below as the custom expression. Only the Tcl expression goes in the box; the variable name session.custom.upn from step 23 is not part of it.

    # Split the client certificate's X.509 extension dump into one line per field.
    set x509e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
    # For each element in the list:
    foreach field $x509e_fields {
      # If the element contains UPN:
      if { $field contains "othername:UPN" } {
        # Set the start of the UPN value: the text after "othername:UPN<" (14 characters).
        set start [expr {[string first "othername:UPN<" $field] + 14}]
        # UPN format is <user@domain>
        # Return the UPN by finding the closing bracket and taking everything between.
        return [string range $field $start [expr { [string first ">" $field $start] - 1 }]];
      }
    }
    # Otherwise return UPN Not Found:
    return "UPN-NOT-FOUND";
    
  25. Click Finished

  26. Click Save

  27. Click the Plus (+) Sign on the Successful branch of the upn_extract policy item.

  28. In the pop-up dialog box, select the Authentication tab and then click the Radio Button next to LDAP Query

  29. Once selected, click the Add Item button

  30. Select /Common/ldap-servers from the Server dropdown menu

  31. Enter the SearchDN dc=f5lab,dc=local

  32. Enter the SearchFilter (userPrincipalName=%{session.custom.upn})

  33. Click Add new entry

  34. Enter the Required Attribute sAMAccountName

  35. Click Save

  36. Click Branch Rules

  37. Click the x on the User Group Membership line to delete it.

  38. Click Add Branch Rule

  39. Enter the name Query Passed

  40. Click change

  41. Click Add Expression

  42. From the Context dropdown Menu select LDAP Query

  43. From the Condition dropdown Menu select LDAP Query Passed

  44. Click Add Expression

  45. Click Finished

  46. Click Save

  47. Click the Plus (+) Sign on the Successful branch of the Query Passed policy item.

  48. In the pop-up dialog box, select the Assignment tab and then click the Radio Button next to Variable Assign

  49. Once selected, click the Add Item button

  50. Change the name to set_variables

  51. Click Add new entry

  52. Click change

  53. Enter the Custom Variable session.sso.logon.last.username

  54. From the dropdown menu on the right column select AAA Attribute

  55. Enter the Session Variable session.logon.last.username

  56. Click Finished

  57. Click Add new entry

  58. Click change

  59. Enter the Custom Variable session.logon.last.username

  60. From the dropdown menu on the right column select AAA Attribute

  61. From the Agent Type dropdown menu select LDAP

  62. Enter the LDAP attribute name sAMAccountName

  63. Click Finished

  64. Click Add new entry

  65. Click change

  66. Enter the Custom Variable session.logon.last.domain

  67. From the dropdown menu on the right column select Text

  68. Enter the Text F5LAB.LOCAL

  69. Click Finished

  70. Click Save

  71. Click the Deny Terminal on the set_variables fallback branch

  72. Select Allow

  73. Click Save

  74. Click Apply Policy

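The UPN-extraction expression from step 24 and the LDAP filter from step 32, reimplemented in Python as an added offline check (example code, not part of the lab or of F5's own software): the extension dump is constructed, and the othername:UPN<user@domain> line format is assumed to be the one the lab's Tcl expects. It also escapes the extracted UPN per RFC 4515 before placing it in the (userPrincipalName=...) filter, a step the lab's direct %{session.custom.upn} substitution does not perform.

```python
"""Added example, not part of the lab: offline check of the UPN-extraction
logic that Task 5, step 24 implements in Tcl on the BIG-IP, plus the LDAP
filter from step 32 with the UPN escaped first."""
import re

# Constructed sample of an X.509 extension dump in the line format the lab's
# Tcl expects ("othername:UPN<user@domain>"); real contents depend on the CA.
SAMPLE_X509EXTENSION = "\n".join([
    "X509v3 Extended Key Usage:",
    "    TLS Web Client Authentication, Microsoft Smartcardlogin",
    "X509v3 Subject Alternative Name:",
    "    othername:UPN<user1@f5lab.local>, email:user1@f5lab.local",
])
# Constructed sample with no UPN in the SAN (e.g. a machine certificate).
NO_UPN_X509EXTENSION = "X509v3 Subject Alternative Name:\n    DNS:host.f5lab.local"

UPN_NOT_FOUND = "UPN-NOT-FOUND"  # same sentinel the lab's Tcl returns
MARKER = "othername:UPN<"          # 14 characters, hence the Tcl's "+14"


def extract_upn(x509extension: str) -> str:
    """Mirror the Tcl: split on newlines, find the line containing
    'othername:UPN', return what sits between '<' and the next '>'."""
    for field in x509extension.split("\n"):
        if "othername:UPN" not in field:
            continue
        pos = field.find(MARKER)
        if pos == -1:               # "othername:UPN" present but not the "<" form
            continue                # (the Tcl would compute an offset from -1 here)
        start = pos + len(MARKER)
        end = field.find(">", start)
        if end != -1:
            return field[start:end]
    return UPN_NOT_FOUND


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so the UPN cannot alter the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_search_filter(upn: str) -> str:
    """The LDAP Query agent's filter from step 32, with the extracted UPN
    escaped before it takes the place of %{session.custom.upn}."""
    return "(userPrincipalName=%s)" % escape_ldap_value(upn)
```
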
Task 6 - Create a Client-Side SSL Profile

  1. Navigate to Local Traffic >> Profiles >> SSL >> Client >> Click the Plus Sign(+).

  2. Enter the name cert2kerb-client

  3. Select the custom box to the right on the Certificate Key Chain line

  4. Click Add

  5. From the Certificate dropdown menu select acme.com-wildcard

  6. From the key dropdown menu select acme.com-wildcard

  7. Click Add

  8. Select the custom box to the right on the Trusted Certificate Authorities line

  9. From the Trusted Certificate Authorities dropdown menu select ca.f5lab.local

  10. Select the custom box to the right on the Advertised Certificate Authorities line

  11. From the Advertised Certificate Authorities dropdown menu select ca.f5lab.local

  12. Click Finished

Task 7 - Create a Virtual Server

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List >> Click the Plus Sign(+).

  2. Enter the Name cert2kerb

  3. Enter the Destination Address/Mask 10.1.10.100

  4. Enter the Service Port 443 (HTTPS)

  5. Scroll down to the Configuration Properties Section

  6. From the HTTP Profile (Client) dropdown menu select http

  7. From the SSL Profile (Client) dropdown menu select cert2kerb-client

  8. From the Source Address Translation dropdown menu select Auto Map

  9. Scroll down to the Access Policy Section

  10. From the Access Profile dropdown menu select cert2kerb

  11. Scroll down to the Resources Section

  12. From the Default Pool dropdown menu select cert2kerb-pool

  13. Click Finished

Task 8 - Test the Configuration

  1. From a browser on the jumphost navigate to https://cert2kerb.acme.com

  2. Select the certificate user1

  3. Click OK

  4. You are successfully logged into the https://cert2kerb.acme.com website

Task 9 - Lab Cleanup

  1. From a browser on the jumphost navigate to https://portal.f5lab.local

  2. Click the Classes tab at the top of the page.

  3. Scroll down the page until you see 06 Per-Session Access Control on the left

  4. Hover over the tile Cert Auth to Kerberos SSO. A start and stop icon should appear within the tile. Click the Stop Button to trigger the automation that removes any prebuilt objects from the environment.

  5. The screen should refresh within 30 seconds and display the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

  6. This concludes the lab.
