To create a Kerberos SSO, I use the following commands:
PowerShell commands on AD
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
# Add SPN attribute to account (same as setspn command)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
# Assign the delegation right to the site app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
# Change the delegation mode to: Trust this user for delegation to specified services only / Use any authentication protocol
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
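A read-back check for the account created above, added here as an example and not part of the original post: it confirms the account ended up with the intended SPN, constrained (not unconstrained) delegation, protocol transition enabled, and no delegation targets beyond the one configured. The account and SPN names default to the ones used above; the two bit values are the documented userAccountControl flags.

```powershell
# Added audit check (not from the original post). Assumes the names used above:
# svc_f5_krb, host/svc_f5_krb.demo.local and http/app1.demo.local.
Import-Module ActiveDirectory

$TrustedForDelegation       = 0x80000    # UAC flag: unconstrained delegation (must be clear)
$TrustedToAuthForDelegation = 0x1000000  # UAC flag: protocol transition ("use any authentication protocol")

function Test-ApmDelegationAccount {
    param(
        [string]$SamAccountName   = 'svc_f5_krb',
        [string]$ExpectedSpn      = 'host/svc_f5_krb.demo.local',
        [string[]]$AllowedTargets = @('http/app1.demo.local')
    )
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    $uac     = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo')
    # Any target SPN not in the allow-list widens what the F5 account can impersonate users to
    $unexpected = @($targets | Where-Object { $AllowedTargets -notcontains $_ })

    [pscustomobject]@{
        Account                 = $u.SamAccountName
        HasExpectedSpn          = @($u.servicePrincipalName) -contains $ExpectedSpn
        UnconstrainedDelegation = ($uac -band $TrustedForDelegation) -ne 0
        ProtocolTransition      = ($uac -band $TrustedToAuthForDelegation) -ne 0
        DelegationTargets       = $targets
        UnexpectedTargets       = $unexpected
    }
}

$r = Test-ApmDelegationAccount
$r | Format-List
if ($r.UnconstrainedDelegation -or -not $r.ProtocolTransition -or
    -not $r.HasExpectedSpn -or $r.UnexpectedTargets.Count -gt 0) {
    Write-Warning "Account $($r.Account) does not match the intended constrained-delegation setup."
}
```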
BIG-IP tmsh commands
# SPN discovered by reverse DNS lookup of pool member IP
create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
Or
# SPN is taken from the request's Host header value
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
If Kerberos is configured in a multi-domain forest, the username format must be host/svc_f5_krb.demo.local