Before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue!
Here we go!
I have a Virtual server (companyA.example.com:443)
An access policy with a 401 response agent followed by Kerberos Auth agent is assigned to the VIP.
Users are in domain (inside.corp)
A service account is set up on the AD server (f5-service-account)
c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab
setspn -U -A HTTP/companyA.example.com f5-service-account
The keytab file is uploaded under Access->AAA->kerberos & auth realm INSIDE.CORP is used.
When tested with APM in debug mode, I found the error below in the logs
modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information
From the client side, SSO doesn't work and I get a browser pop-up where I can input the credentials. Entering the creds doesn't work either.
Any help is greatly appreciated! Thanks in advance!
Are you able to share a screenshot of the AAA->kerberos configuration?
Please see below
Is example.com part of the inside.corp domain? And is it in the trusted site list (or intranet site) in internet explorer?
I don't think example.com is part of inside.corp. Can you elaborate your question?
Users are in the inside.corp domain. Basic AD auth works fine (username/password) but not SSO.
Yes, example.com is in the trusted list in the users' Internet Explorer.
Here's some more details on the service account:
Could you test it with HTTP/companyA.inside.corp?
Your PC/laptop is a member of the inside.corp domain and not of the example.com domain. Kerberos auth will only work if the FQDN of the service/website is within the inside.corp domain.
The issue was with the encryption type the service account supports on the AD server. There was an encryption mismatch between what the service account negotiates and what the keytab file (arcfour-hmac) was generated with. Fixing it resolved the login pop-up issue.
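As an added example (not code from the thread), a small Python check for the root cause in the last reply: parse the keytab that ktpass produced, list the enctype of each entry, and compare it against the service account's msDS-SupportedEncryptionTypes bitmask. The mask value is assumed to have been read from the account in AD, and the sample keytab is constructed inline.

```python
import struct

# Kerberos enctype number -> (name, bit in AD msDS-SupportedEncryptionTypes)
ENCTYPES = {1: ("des-cbc-crc", 0x1), 3: ("des-cbc-md5", 0x2), 23: ("arcfour-hmac", 0x4),
            17: ("aes128-cts-hmac-sha1-96", 0x8), 18: ("aes256-cts-hmac-sha1-96", 0x10)}

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT format 0x0502 keytab (big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # a negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)  # 8-bit kvno
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        entries.append(("/".join(comps) + "@" + realm.decode(), vno8, enctype))
        off = end                # skip the key bytes and any trailing 32-bit kvno
    return entries

def incompatible(entries, supported_mask):
    """Entries whose enctype the account does not advertise: the mismatch the thread hit."""
    return [(p, ENCTYPES.get(et, (f"enctype {et}", 0))[0]) for p, _, et in entries
            if not supported_mask & ENCTYPES.get(et, ("", 0))[1]]

def build_entry(realm, comps, enctype, key, kvno=3):
    # Serialize one entry (name_type 3 = NT_SRV_HST); used only to construct the sample below.
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 3, 0, kvno) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's SPN with an RC4 key, as ktpass -crypto rc4-hmac-nt emits.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("INSIDE.CORP", ["HTTP", "companyA.example.com"], 23, b"\x11" * 16)
AES_ONLY_MASK = 0x18   # assumed account setting: AES128 + AES256 only, RC4 not allowed
```

With AES_ONLY_MASK the RC4 entry is reported as incompatible; either regenerate the keytab with an AES enctype or allow RC4 (bit 0x4) on the account so the two agree.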