F5 BIG-IP APM - SSO via Kerberos

I’m working lately, and again, a lot with F5 APM. I think this product has a lot of interesting features. For instance, we can use F5 APM for SSL VPN remote access: we can configure a custom login page, host checking and OTP authentication, and we can deliver the SSL VPN either as a tunnel with the Edge Client or as Portal Access through a webtop. In addition, we can use F5 APM for identity federation and SSO. For example, we can enable SSO via SAML to applications such as SAP, AWS, Salesforce or other third-party applications, and we can also enable SSO via forms-based authentication, HTTP authentication, NTLM, Kerberos and OAuth. F5 APM can also act as a Citrix ICA proxy, which lets it publish Citrix apps. In short, F5 APM is a full proxy appliance that can be used as a secure access proxy.

These weeks I’m working on a project to migrate an Apache server to F5 LTM+APM. The aim is to migrate all of the configuration from Apache to F5. Some virtual hosts are easy to migrate with iRules, pools and virtual servers. However, there are also authentication configurations that are a little more complex to configure and migrate. For instance, SSO is configured via Kerberos on the Apache server, so users who are already authenticated to Active Directory can use the apps without signing in again.

Apache configuration for Kerberos Authentication

On one hand, I have to configure Basic Authentication for users who haven’t yet been authenticated by Active Directory (for example a workstation that isn’t domain-joined, or a browser without a Kerberos ticket). In this case F5 APM has to retrieve the user’s credentials (username and password) from the browser: the HTTP 401 response carries a `WWW-Authenticate: Basic` header, the browser shows its standard credentials prompt, and the credentials come back only base64-encoded in the `Authorization` header, so this path must run over TLS only. F5 APM then populates the username and password session variables and validates them against Active Directory with an AD Auth action. Once users have been authenticated successfully, they can access the apps.

On the other hand, I have to configure Kerberos Authentication for users who have already been authenticated by Active Directory. With the Kerberos method, the client system must first be joined to the domain, and a Kerberos Auth action must follow in the access policy. Firstly, the client becomes a domain member and logs on to the domain, obtaining a TGT. Secondly, the client connects to a virtual server on the BIG-IP system. Thirdly, the access policy runs and the HTTP 401 Response action sends a 401 with a `WWW-Authenticate: Negotiate` header. Fourthly, if the browser trusts that host name for integrated authentication and can obtain a service ticket for the SPN `HTTP/<virtual server FQDN>`, it resends the request with that ticket in an `Authorization: Negotiate` header. Finally, F5 APM validates the ticket with the keytab configured on its Kerberos AAA server (auth realm, service name and keytab file) and determines whether or not to permit the request. Two things must be in place for this to work: the SPN must be registered on the service account whose keytab APM holds (otherwise the browser cannot get a ticket, falls back to NTLM inside Negotiate, and the Kerberos Auth action fails), and the browser must be configured to send Kerberos to that host name (Local Intranet zone for Internet Explorer, Edge and Chrome on Windows; `network.negotiate-auth.trusted-uris` for Firefox).

How Kerberos end-user logon works

The access policy for Kerberos Authentication with End-User Logons is really easy to configure. We have to add three boxes in the Visual Policy Editor. The first one is an HTTP 401 Response box, which challenges the client for credentials (Basic and Negotiate) and branches on the type of `Authorization` header that comes back. The second one, on the Basic branch, is an AD Auth box that validates the username and password against Active Directory. The third one, on the Negotiate branch, is a Kerberos Auth box for clients who have already been authenticated by Active Directory and present a ticket. This last box is what enables SSO via Kerberos: the user never sees a prompt.
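To make the branching above concrete, here is an added example (my own Python model, not F5 code and not part of the original post) that takes the `Authorization` header a client sends back after the 401 and decides which branch of the policy it would follow: no header gives the Negotiate+Basic challenge, a Basic header hands off to AD Auth, a Negotiate header carrying a SPNEGO/Kerberos token hands off to Kerberos Auth, and a Negotiate header carrying NTLM (the usual symptom of a missing SPN) is rejected. The sample headers and tokens are constructed, the Kerberos token is only shaped like one, and validating a real ticket against the keytab is left to APM's Kerberos Auth agent.

```python
"""Model of the branch decision in the APM end-user Kerberos logon policy.
Added example; classifies Authorization headers, does not validate tickets."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# DER-encoded OIDs that appear at the start of a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                   # NTLM wrapped in "Negotiate"


@dataclass
class Decision:
    branch: str                     # challenge | kerberos | basic | deny
    status: int                     # HTTP status the policy would send
    headers: Dict[str, List[str]] = field(default_factory=dict)
    username: Optional[str] = None  # set only on the Basic (AD Auth) branch
    password: Optional[str] = None  # handed to AD Auth, never logged
    reason: str = ""


def challenge(realm: str) -> Decision:
    """HTTP 401 Response agent: offer Negotiate first, Basic as fallback."""
    return Decision("challenge", 401,
                    {"WWW-Authenticate": ["Negotiate", f'Basic realm="{realm}"']},
                    reason="no Authorization header yet")


def classify_negotiate_token(token: bytes) -> str:
    """Tell a SPNEGO/Kerberos token from an NTLM one by its leading bytes."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # GSS-API InitialContextToken: APPLICATION 0 tag (0x60), a DER length
    # (1 to 3 bytes for realistic ticket sizes), then the mechanism OID.
    head = token[:16]
    if token[:1] == b"\x60" and (SPNEGO_OID in head or KRB5_OID in head):
        return "kerberos"
    return "unknown"


def route_request(authorization: Optional[str], realm: str = "apm.example.com") -> Decision:
    """Return the policy branch for one request (realm is an assumed name)."""
    if not authorization:
        return challenge(realm)
    scheme, _, value = authorization.partition(" ")
    scheme, value = scheme.lower(), value.strip()
    try:
        raw = base64.b64decode(value, validate=True) if value else b""
    except ValueError:  # binascii.Error is a ValueError
        return Decision("deny", 400, reason="malformed base64 in Authorization")

    if scheme == "basic":
        # Basic branch -> AD Auth agent verifies user:password against the domain.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        if not sep or not user:
            return Decision("deny", 400, reason="Basic credentials not user:password")
        return Decision("basic", 200, username=user, password=password,
                        reason="hand off to AD Auth")

    if scheme == "negotiate":
        kind = classify_negotiate_token(raw)
        if kind == "kerberos":
            # Negotiate branch -> Kerberos Auth agent checks the ticket with the keytab.
            return Decision("kerberos", 200, reason="hand off to Kerberos Auth")
        if kind == "ntlm":
            # The browser had no service ticket (SPN HTTP/<fqdn> missing, or the
            # site is not trusted for integrated auth) and fell back to NTLM
            # inside Negotiate; the Kerberos Auth agent cannot accept that.
            return Decision("deny", 401,
                            reason="NTLM token in Negotiate; check SPN, keytab and browser zone")
        return Decision("deny", 401, reason="unrecognized Negotiate token")

    return Decision("deny", 401, reason=f"unsupported scheme {scheme!r}")


# Constructed sample requests (not captured traffic).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:S3cret!").decode()
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 22
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
# Shape of a SPNEGO NegTokenInit with the Kerberos mech OID; the body is filler.
FAKE_SPNEGO = b"\x60\x82\x00\x40" + SPNEGO_OID + b"\xa0\x36" + b"\x00" * 54
KERB_HEADER = "Negotiate " + base64.b64encode(FAKE_SPNEGO).decode()

if __name__ == "__main__":
    for hdr in (None, BASIC_HEADER, NTLM_HEADER, KERB_HEADER):
        d = route_request(hdr)
        print(f"{(hdr or '<none>')[:24]:24} -> {d.branch:9} {d.status} {d.reason}")
```

The NTLM case is the one worth keeping in mind when the Kerberos Auth box fails for everyone: the browser still sends `Negotiate`, but the token starts with `NTLMSSP`, which points at the SPN or the keytab rather than at the policy.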

Example access policy for end-user login

Thanks my friends!! Are you ready to configure SSO via Kerberos?
