AAM Kerberos Relay Integration with SharePoint



Similar documents
Setting Up a Kerberos Relay for the Microsoft Exchange 2013 Server DEPLOYMENT GUIDE

SSL Insight Certificate Installation Guide

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

SAML 2.0 SSO Deployment with Okta

Achieve Single Sign-on (SSO) for Microsoft ADFS

VMware View 5.0 and Horizon View 6.0 DEPLOYMENT GUIDE

Thunder ADC for Epic Systems

APPLICATION ACCESS MANAGEMENT (AAM) Augment, Offload and Consolidate Access Control

Microsoft Exchange 2016 DEPLOYMENT GUIDE

A10 Networks LBaaS Driver for Thunder and AX Series Appliances

A10 Device Package for Cisco Application Centric Infrastructure (ACI)

Thunder Series for SAP BusinessObjects (BOE)

PCI DSS and the A10 Solution

SharePoint SAML-based Claims Authentication with A10 Thunder ADC

Thunder Series for SAP Customer Relationship Management (CRM)

Thunder ADC for SAP Business Suite DEPLOYMENT GUIDE

Load Balancing Security Gateways WHITE PAPER

SSL Insight and Cisco FirePOWER Deployment Guide DEPLOYMENT GUIDE

Outlook Web Access (OWA) WS-Federation SSO with A10 Thunder Series

Healthcare Security and HIPAA Compliance with A10

Microsoft Exchange 2013 DEPLOYMENT GUIDE

Deployment Guide AX Series with Citrix XenApp 6.5

Deployment Guide AX Series with Active Directory Federation Services 2.0 and Office 365

Deployment Guide Oracle Siebel CRM

Deployment Guide Microsoft IIS 7.0

Deployment Guide MobileIron Sentry

Deployment Guide AX Series with Microsoft Windows Server 2008 Terminal Services

A10 ADC Return On Investment

Deployment Guide. AX Series with Microsoft Office SharePoint Server

Deployment Guide. AX Series with Oracle Application Server

Deployment Guide Microsoft Exchange 2013

A10 Thunder and AX Series

Deployment Guide. AX Series with Microsoft Exchange Server

Deployment Guide. AX Series with Microsoft Office Communications Server

Avoid Microsoft Lync Deployment Pitfalls with A10 Thunder ADC

INSTALLATION GUIDE. A10 Thunder TM Series vthunder for AWS

Deployment Guide. AX Series with Juniper Networks SA Series SSL-VPN Appliances Solution

VALIDATING DDoS THREAT PROTECTION

AX Series with Microsoft Exchange Server 2010

Advanced Core Operating System (ACOS): Experience the Performance

Configuring and Implementing A10

Deploying F5 to Replace Microsoft TMG or ISA Server

AX Series with Microsoft Exchange Server 2010

Deployment Guide July-2014 rev. a. Deploying Array Networks APV Series Application Delivery Controllers with Oracle WebLogic 12c

Uncover Threats in SSL Traffic: The Ultimate Guide to SSL Inspection WHITE PAPER

Dynamic L4-L7 Service Insertion with Cisco ACI and A10 Thunder ADC REFERENCE ARCHITECTURE

How To Use Netscaler As An Afs Proxy

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

SharePoint Performance Optimization

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

Sample Configuration: Cisco UCS, LDAP and Active Directory

User Identification and Authentication

Security Provider Integration Kerberos Authentication

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

Security Overview and Cisco ACE Replacement

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers

CA Performance Center

VMware Identity Manager Administration

White Paper A10 Thunder and AX Series Application Delivery Controllers and the A10 Advantage

Two Factor Authentication in SonicOS

Thunder ADC: 10 Reasons to Select A10 WHITE PAPER

Deployment Guide May-2015 rev. a. APV Oracle PeopleSoft Enterprise 9 Deployment Guide

Deploying F5 with IBM Tivoli Maximo Asset Management

Deployment Guide July-2015 rev. A. Deploying Array Networks APV Series Application Delivery Controllers with VMware Horizon View

vrealize Automation Load Balancing

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 2.6

Load Balancing Microsoft AD FS. Deployment Guide

bbc Adobe LiveCycle Data Services Using the F5 BIG-IP LTM Introduction APPLIES TO CONTENTS

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

Deployment Guide AX Series for Palo Alto Networks SSL Intercept and Firewall Load Balancing

Thunder ADC for SSL Insight and Load Balancing DEPLOYMENT GUIDE

Configuring Kerberos Constrained Delegation

Optimize Enterprise Application Availability, Security and Responsiveness

Introduction to Mobile Access Gateway Installation

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer

Deployment Guide Jan-2016 rev. a. Deploying Array Networks APV Series Application Delivery Controllers with Oracle WebLogic 12c

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

NETASQ ACTIVE DIRECTORY INTEGRATION

Single Sign On for ShareFile with NetScaler. Deployment Guide

Dell Compellent Storage Center

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

v7.8.2 Release Notes for Websense Content Gateway

Deploying the BIG-IP System v11 with LDAP Servers

Deploying F5 with Microsoft Forefront Threat Management Gateway 2010

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

How To Install A Citrix Netscaler On A Pc Or Mac Or Ipad (For A Web Browser) With A Certificate Certificate (For An Ipad) On A Netscaler (For Windows) With An Ipro (For

Thunder Series with Microsoft Lync Server 2013 for Reverse Proxy Deployments DEPLOYMENT GUIDE

Load Balancing VMware Horizon View. Deployment Guide

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

EE Easy CramBible Lab DEMO ONLY VERSION EE F5 Big-Ip v9 Local Traffic Management

A10 Thunder TPS Hybrid DDoS Protection Deployment with Verisign OpenHybrid

VMware Identity Manager Connector Installation and Configuration

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Deploying the BIG-IP System for Microsoft Application Virtualization

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

Transcription:

DEPLOYMENT GUIDE AAM Kerberos Relay Integration with SharePoint How to Deploy A10 Thunder ADC s AAM Feature in a SharePoint Environment Using Kerberos Relay Authentication

Table of Contents Overview...3 Deployment Prerequisites...3 The A10 Networks AAM Kerberos Relay Solution...4 Configuration Section...4 Authentication Logon...4 Configuring the AAM Authentication Logon...4 Virtual Server, Virtual Port and Server Configuration...7 Summary...9 Appendix:...10 Complete Configuration...10 About A10 Networks...11 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. 2

Overview This document provides a detailed guide on how to deploy Kerberos Relay with Microsoft SharePoint, showing how the LDAP or RADIUS authentication protocol can be used for the Kerberos authentication process. User credentials are provisioned within the Active Directory and clients authenticate to A10 Networks Thunder ADC line of Application Delivery Controllers. After the client authentication to the Thunder ADC appliance is complete, Thunder ADC obtains a client s username, receives ticket information from the Kerberos server, and allows the client traffic to pass to the backend/application servers. In A10 Networks Advanced Core Operating System (ACOS ) release 4.0, there is a new service group type introduced in the Application Access Management (AAM) module which is designed for authentication purposes. This feature allows ACOS to load balance and manage multiple Key Distribution Center (KDCs). KDC works in conjunction with Active Directory (AD) and it provides session tickets and temporary keys to users and computers within an AD domain. Consequently, the primary Kerberos server s purpose is to handle all authentication relay processing; the secondary server can be used as a backup or to support scalability to ensure the continuous availability of authentication services. In a multiple KDC environment, you can only use an AAM service group that provides the round robin loadbalancing algorithm. Authentication servers within the service group pool can also be given priority based on priority levels. The server with the higher priority number is the first authentication server to take a request. If authentication servers have the same priority number, then the round robin algorithm will determine the rotation. Subsequent Requests to Same Ports (80, 5555, or 443) HTTP Request Service Tickets (ST) 4 HTTP Reply 5 1 Server Reply 6 A10 Thunder ADC 2 Web Server 192.0.2.100 Kerberos: Ticket Request 3 Ticket to Get Tickets (TGT), ST Kerberos KDC 1 192.0.2.150:778 Kerberos KDC 2 192.0.2.151:778 Authentication Service Group Deployment Prerequisites Client requirements: Figure 1: Kerberos Relay authentication process Browser: The latest versions of Internet Explorer 11 or higher, Mozilla version 38 or higher, or Chrome 22 or higher ACOS requirements: 4.0.1 Px or higher Application requirements: SharePoint Server 2010 or 2013 with the latest updates 3

The A10 Networks AAM Kerberos Relay Solution In ACOS release 4.0 introduces a new set of features within the AAM module. Designed for authentication purposes, this feature allows ACOS to load balance and manage multiple KDCs, which provide session tickets and temporary keys to users and computers within an Active Directory domain. Consequently, the primary Kerberos server s purpose is to handle all authentication relay processing; the secondary server can be used as a backup or to support scalability to ensure the continuous availability of authentication services. This integrated solution simplifies network authentication by using the A10 device as an authentication proxy. It offloads web and authentication servers, and it enables A10 Thunder ADC to handle the sending and initial processing of authentication challenges, forwarding credentials to SAML IdP and granting access. Configuration Section This section provides detailed CLI and GUI instructions on how to configure Kerberos Relay, and you will be tasked with creating the following configuration to support the A10 and SharePoint integration: Authentication logon Authentication server Authentication relay Authentication template AAA policy Service-principal name configured within the server port configuration Note: For details on what these features are used for, please refer to the ACOS 4.x documentation for detailed information. Authentication Logon Configuring the AAM Authentication Logon CLI Sample Configuration: aam authentication logon http-authenticate hbasic auth-method basic enable GUI Sample Configuration: Navigate to AAM > Auth Client > click Create Enter the Name of the Authentication Logon: hbasic Max Number of Retries: 3 Check the Enable Basic Logon option 4

CLI Sample Configuration: aam authentication server ldap ldap_serv host 192.0.2.150 base cn=users,dc=a10lab,dc=com admin-dn cn=administrator,cn=users,dc=a10lab,dc=com admin-secret ****** default-domain a10lab GUI Sample Configuration: CLI Sample Configuration: aam authentication relay kerberos kerberos-relay kerberos-realm A10LAB.COM kerberos-kdc 192.0.2.150 kerberos-account ax/cdpt password A10123GUI Sample Configuration: Navigate to AAM > Auth relay > Kerberos CLI Sample Configuration: aam authentication template kerberos-tmpl logon hbasic relay kerberos-relay server ldap_serv 5

CLI Sample Configuration: aam aaa-policy kerb-relay aaa-rule 1 action allow authentication-template kerberos-tmpl GUI Sample Configuration: The policy can be defined as allow or deny. The index has to be configured as a unique number. End state should look like this after the AAA Policy and AAA Rules are created. End state should look like this after the AAA Policy and AAA Rules are created. 6

Virtual Server, Virtual Port and Server Configuration This section of the deployment provides a compound configuration for the virtual IP (VIP) address, virtual port, service group and server configuration. SharePoint requires three important ports to work properly: 443, 80 and 5555, which is an optional SharePoint Central Administration Web Application port. Note: The SharePoint Central Administration Web Application 5555 port is a non-standard configuration and administrators should choose the port they prefer for ease of management. With the three ports provided, these ports must be provisioned in the server and grouped in a pool using a service-group. Service Group Configuration: slb service-group mywsu-sg-443 tcp member sptest1 443! slb service-group mywsu-sg-80 tcp member sptest1 80! slb service-group mywsu-sg-5555 tcp member sptest1 5555 Once the servers and service-groups have been defined, configure the VIP with an IP address and virtual services and bind the AAA policy to the virtual services for port 80, 443 and 5555. Follow the sample configuration below and note that the configuration provided can also include client or server SSL for additional security. Refer to other SharePoint deployment guides for additional information regarding SharePoint security. Virtual Server Configuration: slb virtual-server sharepoint-vs 192.0.2.234 port 80 https service-group mywsu-sg-80 port 443 https service-group mywsu-sg-443 port 5555 https service-group mywsu-sg-5555 slb server sptest1 192.0.2.100 port 80 tcp service-principal-name HTTP/sptest1.a10lab.com port 443 tcp service-principal-name HTTPS/sptest1ssl.a10lab.com port 5555 tcp service-principal-name HTTP/sptest1.a10lab.com 7

Useful Commands When Validating Kerberos-Relay Deployments: 1. Check auth stats info: AAM-SI-1#show aam authentication statistics sec kerberos ------------------------------------------------------------------------------ -------- \ statistic Request Request Response Response Response Response Response Type\ Normal Dropped Success Failure Error Timeout Other ------------------------------------------------------------------------------ -------- OCSP 0 0 0 0 0 0 0 RADIUS 0 0 0 0 0 0 0 LDAP 0 0 0 0 0 0 0 Windows-KERBEROS 18 0 8 10 0 0 0 Windows-NTLM-SMB 0 0 0 0 0 0 0 KERBEROS-RELAY 20 0 20 0 0 0 0 OCSP-STAPLING 0 0 0 0 0 0 0 SPN-KERBEROS 0 0 0 0 0 0 0 ------------------------------------------------------------------------------ -------- kerberos request send: 35 kerberos response get: 35 kerberos-relay request send: 20 kerberos-relay response get: 20 SPN kerberos request: 0 SPN kerberos response success: 0 SPN kerberos response failure: 0 AAM-SI-1# 2. Check auth-server stats info: AAM-SI-1# show aam authentication statistics windows-kerberos Name Request Response Timeout Other-Err ----------------------------------------------- dy-as-kdc-auth-relay 35 35 0 0 3. Check kerberos-relay stats info: kerberos-relay request send: 20 kerberos-relay response get: 20 Timeout error: 0 Job start error: 0 Polling control error: 0 Other error: 0 kerberos Authentication-relay name: dy-kdc-relay Kerberos request send: 20 Kerberos response receive: 20 Current requets of user: 0 Kerberos tickets: 3 8

4. Check kerberos tickets info: AAM-SI-1#show aam authentication klist ----------------------- Ticket cache: MEMORY:dy-kdc-relay Default principal: HTTP/ sptest1.a10lab @example.com Service principal: HTTP/win-g1n4q4dh483@example.com Client principal: client@example.com timespan: 18:03 10,May,2015-03:58 11,Dec,2014 renew untill: 17:58 17,May,2015 flags: FRA Service principal: HTTP/ sptest1.a10lab @ example.com Client principal: client@ example.com timespan: 17:58 10,May,2015-03:58 11,May,2015 renew untill: 17:58 17,May,2015 flags: FRA Service principal: krbtgt/ example.com@example.com Client principal: HTTP/ sptest1.a10lab @example.com timespan: 17:58 10,May,2015-03:58 11,May,2015 renew untill: 17:58 17,May,2015 flags: FRIA Note: The Kerberos tickets on Thunder ADC will be cached for 10 hours and every different Kerberos Relay profile will generate and cache its own tickets. You can use the clear aam authentication kcache command to clear all tickets on the Thunder ADC device. Thunder ADC must have the same time/clock as the Kerberos server. Clock setting differences may cause the kerberos-auth to fail. If kerberos-auth keeps failing even when the clock settings are the same, check and make sure username and password are correct. Summary In summary, the configuration steps described in this deployment guide show how to set up Thunder ADC AAM integration with Kerberos Relay in the Microsoft SharePoint application. With ACOS 4.0, Thunder ADC can provide a wide array of authentication server capabilities which include LDAP, AD, NT LAN Manager (NTLM), Kerberos and SAML 2.0 options. This integrated solution provides the following benefits: Minimizes the overwhelming nature of user interactions with traditional AAA servers Simplifies network authentication by using the A10 device as an authentication proxy Offloads web and authentication servers Enables A10 Thunder ADC to handle the sending and initial processing of authentication challenges, forwarding credentials to SAML IdP and granting access By using Thunder ADC, significant benefits are achieved for all authentication deployments. For more information about A10 Thunder ADC products, please refer to the following URLs: https://www.a10networks.com/products/thunder-series/thunder-adc http://www.a10networks.com/products/application_delivery_controllers.php 9

Appendix: Complete Configuration aam authentication logon http-authenticate hbasic auth-method basic enable aam authentication server ldap ldap_serv host 192.0.2.150 base cn=users,dc=a10lab,dc=com admin-dn cn=administrator,cn=users,dc=a10lab,dc=com admin-secret ***** default-domain a10lab aam authentication relay kerberos kerberos-relay kerberos-realm A10LAB.COM kerberos-kdc 192.0.2.150 kerberos-account ax/cdpt password ****** slb server sptest1 192.0.2.100 port 80 tcp service-principal-name HTTP/sptest1.a10lab.com port 443 tcp service-principal-name HTTPS/sptest1ssl.a10lab.com port 8888 tcp service-principal-name HTTP/sptest1.a10lab.com aam authentication template kerberos-tmpl logon hbasic relay kerberos-relay server ldap_serv aam aaa-policy kerb-relay aaa-rule 1 action allow authentication-template kerberos-tmpl slb service-group mywsu-sg-443 tcp member sptest1 443! slb service-group mywsu-sg-80 tcp member sptest1 80! slb service-group mywsu-sg-5555 tcp member sptest1 5555 slb virtual-server sharepoint-vs 192.0.2.234 port 80 https service-group mywsu-sg-80 template client-ssl cssl port 443 https 10

service-group mywsu-sg-443 template server-ssl s1 template client-ssl cssl port 8888 https service-group mywsu-sg-5555 template client-ssl cssl About A10 Networks A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com Corporate Headquarters A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA 95134 USA Tel: +1 408 325-8668 Fax: +1 408 325-8666 www.a10networks.com Part Number: A10-DG-16151-EN-01 July 2015 Worldwide Offices North America sales@a10networks.com Europe emea_sales@a10networks.com South America latam_sales@a10networks.com Japan jinfo@a10networks.com China china_sales@a10networks.com Hong Kong HongKong@a10networks.com Taiwan taiwan@a10networks.com Korea korea@a10networks.com South Asia SouthAsia@a10networks.com Australia/New Zealand anz_sales@a10networks.com To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative. 2015 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, acloud, ACOS, ACOS Policy Engine, Affinity, aflex, aflow, agalaxy, avcs, AX, axapi, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder, Thunder TPS, UASG, and vthunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information