4 Replies Latest reply on Feb 17, 2014 1:29 PM by firemtn

    MWG behind F5 LTM with Kerberos




      I've been testing a virtual MWG behind a F5 LTM using Kerberos. I added a SPN for the FQDN that pointed to the LTM VS IP address. I also had a test service account that I used to generate the keytab file (per the excellent article https://community.mcafee.com/docs/DOC-2682). All was well. I could configure IE to refer to the physical FQDN for the MWG, or to the FQDN of the LTM VS.


      Since then I've purchased a pair of physical MWG servers. I clustered them with the "older" Virtual Edition and started on the Kerberos setup. I created 3 new service accounts (one for each node) and generated 3 keytab files. I'm not sure that is how it should be done, but it seemed logical. I deleted the SPN attribute on the test service account. I'm not really sure how I should proceed from here.


      Should I add the LTM's SPN to each service account, or just add it to one and merge the other keytabs into one (shared amongst the MWG servers)? I've tried the former; it didn't work for the LTM name, but worked fine for the local hosts. It looks like the version is different between the MWG keytabs and what is on AD (the version numbers are different).


      IOW, how should Kerberos be set up for a LTM pool, where all the pool members are expected to be able to authenticate users by way of the SPN of the LTM VS (as well as each individual node to facilitate testing)? Here is a diagram, in case that helps:

      [diagram attached: 2-6-2014 2-36-32 PM.png]


      Any help is much appreciated.




        • 1. Re: MWG behind F5 LTM with Kerberos

          Let me try to provide a simplified view of Kerberos.


          1) The client is asked to auth via Kerberos.

          2) The client's browser first checks that the site is trusted, because you don't want to do Kerberos to any site that asks.

          3) Assuming the site is trusted, the browser will request a ticket from the KDC (domain controller) for the service (HTTP) and address of the gateway that matches the URL it used to reach the server. Typically this is the FQDN of the gateway.

          4) The KDC issues a ticket to the client for the SPN (service + address).

          5) The client offers the ticket to the gateway.

          6) The gateway verifies the ticket using the keytab. It finds the correct key for verification by matching the SPN in the offered ticket.



          So that should answer your questions.


          You need to set a SPN on the KDC which matches what clients will be asking for.

          Clients use the address in the auth request URL (proxy FQDN). You shouldn't need to set a SPN for the LTM because the SPN only needs to match what the client thinks they are talking to.

          The keytab file on the gateway needs to have an SPN matching what the clients are offering in the tickets.


          You can use packet captures on the client during auth for troubleshooting.

          • 2. Re: MWG behind F5 LTM with Kerberos

            Thanks for the reply sroering,


            My question has to do with how the keytab(s) should be set up. I have 3 MWG nodes. I generated 3 keytabs using three different AD accounts. I added (via setspn) HTTP/mwg.mydomain.local to each keytab. All the user (or client) browser proxy configs will point to mwg.mydomain.local, and that FQDN resolves to an IP address hosted by a VS on the LTM. I loaded the keytabs into the Kerberos config on each node. Is that the way I should do it? It doesn't appear to be working, so I wanted to validate the approach.


            An alternative might be to create one keytab file and add an SPN for each additional node along with the common one that resolves to the VS on the LTM.


            Anyone else using Kerberos behind a load balancer? How did you configure Kerberos on the nodes?




            • 3. Re: MWG behind F5 LTM with Kerberos

              If all of your clients think they are talking to mwg.mydomain.local, then you should only need one SPN for HTTP/mwg.mydomain.local@MYDOMAIN.LOCAL, and one keytab copied to each MWG.

            • 4. Re: MWG behind F5 LTM with Kerberos

                Thanks to all who replied.


                What I ended up doing was generating a single keytab and adding each node as an SPN. So now I can point users to the LTM frontend w/ a generic SPN and still point to specific nodes for troubleshooting.
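The single shared keytab carrying the LTM-facing SPN plus one SPN per node that the thread settles on, and the keytab-versus-AD version mismatch raised in the opening post, as an added example that is not from this thread or from McAfee: a small reader for the MIT keytab format that ktpass writes, listing each entry's principal, kvno and enctype, with a check against the kvno AD reports (msDS-KeyVersionNumber on the owning account). The sample keytab is constructed inline, the node host names are hypothetical, and the keys are placeholders.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a keytab; sample data only."""
    out = bytearray(b"\x05\x02")  # MIT keytab file format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:  # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit vno written by newer tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:  # prefer the 32-bit vno when present and non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def kvno_mismatches(entries, ad_kvno):
    """SPNs whose keytab kvno differs from the owning account's msDS-KeyVersionNumber."""
    return [p for p, kvno, _ in entries if kvno != ad_kvno.get(p)]
# Constructed sample (hypothetical node names, RC4-HMAC enctype 23, placeholder keys); node2 is one kvno stale.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/mwg.mydomain.local@MYDOMAIN.LOCAL", 3, 23, bytes(16)),
    ("HTTP/mwg-node1.mydomain.local@MYDOMAIN.LOCAL", 3, 23, bytes(16)),
    ("HTTP/mwg-node2.mydomain.local@MYDOMAIN.LOCAL", 2, 23, bytes(16)),
])
```

A stale entry means the KDC is encrypting service tickets with a newer key than the gateway holds, which shows up as a silent authentication failure; regenerate the keytab after any password reset on the service account.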