
Kerberos AAA login pop-up issue

Folks,

Before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue!

Here we go!

I have a Virtual server (companyA.example.com:443)

An access policy with a 401 response agent followed by Kerberos Auth agent is assigned to the VIP.

Users are in domain (inside.corp)

AD setup:

A service account is setup on AD server (f5-service-account)

Keytab:

c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab

SPN

setspn -U -A HTTP/companyA.example.com f5-service-account

F5 setup

The keytab file is uploaded under Access->AAA->kerberos & auth realm INSIDE.CORP is used.

When tested with APM in debug mode, I found the error below in the logs:

modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information

From the client side, SSO doesn't work and I get a browser pop-up where I can input the credentials. Entering the creds doesn't work either.

APM VPE: (screenshot not included)

Any help is greatly appreciated! Thanks in advance!

Comments on this Question
Comment made 1 week ago by Kees van den Bos

Are you able to share a screenshot of the AAA->kerberos configuration?

Cheers,

Kees

Comment made 1 week ago by PK

Hello Kees,

Please see below

(screenshot of the AAA->kerberos configuration not included)

Comment made 1 week ago by Kees van den Bos

Is example.com part of the inside.corp domain? And is it in the trusted site list (or intranet site) in internet explorer?

Cheers,

Kees

Comment made 1 week ago by PK
  1. I don't think example.com is part of inside.corp. Can you elaborate on your question? Users are in the inside.corp domain. Basic AD auth works fine (username/password) but not SSO.

  2. Yes, example.com is in the trusted list on the users' Internet Explorer.

Here's some more details on the service account:
(screenshot of the service account properties not included)

Comment made 1 week ago by Kees van den Bos

Could you test it with HTTP/companyA.inside.corp?

Your PC/laptop is a member of the inside.corp domain and not of the example.com domain. Kerberos auth will only work if the FQDN of the service/website is within the inside.corp domain.

Cheers,

Kees


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The issue was with the encryption type the service account supports on the AD server. There was an encryption mismatch between what the service account negotiates and what the keytab file (arcfour-hmac) was generated with. Fixing it resolved the login pop-up issue.

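The accepted answer points at a mismatch between the enctype baked into the keytab by the `ktpass -crypto rc4-hmac-nt` command in the question and the enctypes the service account is allowed to negotiate. The script below is an added example written for this thread, not code from the original poster or from F5: it parses an MIT-format (0x0502) keytab, lists each entry's principal, kvno and enctype, and compares the enctypes against the AD account's `msDS-SupportedEncryptionTypes` bitmask (real attribute; the bit values 0x01 DES-CBC-CRC, 0x02 DES-CBC-MD5, 0x04 RC4-HMAC, 0x08 AES128, 0x10 AES256 are the documented ones). The keytab bytes and the key material are constructed inline so it runs offline; in practice you would read the real keytab file and obtain the mask from the account (for example with `Get-ADUser -Properties msDS-SupportedEncryptionTypes`). The `build_keytab` helper and the mask values used in the demo are assumptions for the example only.

```python
"""Check a Kerberos keytab's enctypes against an AD account's supported set."""
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) with the matching bit of the
# AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # what 'ktpass -crypto rc4-hmac-nt' writes
}
ENCTYPE_TO_AD_FLAG = {1: 0x01, 3: 0x02, 23: 0x04, 17: 0x08, 18: 0x10}


def _counted(data: bytes, pos: int):
    """Read a uint16-length-prefixed string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data: bytes):
    """Return the entries of an MIT-format keytab (version 0x0502, big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen            # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,  # 3 == KRB5_NT_SRV_HST, as in the ktpass line
            "kvno": kvno,            # must match the account's current kvno
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": keylen,
        })
    return entries


def check_enctypes(entries, account_supported_mask: int):
    """Names of keytab enctypes the account's msDS-SupportedEncryptionTypes excludes."""
    problems = []
    for e in entries:
        flag = ENCTYPE_TO_AD_FLAG.get(e["enctype"])
        if flag is None or not (account_supported_mask & flag):
            problems.append(e["enctype_name"])
    return problems


def build_keytab(principal: str, realm: str, enctype: int, key: bytes,
                 kvno: int, name_type: int = 3) -> bytes:
    """Construct a one-entry 0x0502 keytab (test helper, not ktpass output)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    # Constructed keytab mirroring the question: RC4 entry for the HTTP SPN.
    keytab = build_keytab("HTTP/companyA.example.com", "INSIDE.CORP",
                          23, b"\x11" * 16, kvno=3)
    entries = parse_keytab(keytab)
    for e in entries:
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    # Constructed masks: account set to AES-only (0x18) vs RC4+AES (0x1C).
    print("AES-only account, unsupported keytab enctypes:", check_enctypes(entries, 0x18))
    print("RC4+AES account, unsupported keytab enctypes:", check_enctypes(entries, 0x1C))
```

A non-empty result from `check_enctypes` is the condition the accepted answer describes: the KDC issues a service ticket in an enctype the keytab has no key for, and `gss_accept_sec_context` fails with an unspecific GSS error on the APM side. The kvno is reported as well because a keytab written before a later password reset of the service account fails in the same way even when the enctypes agree.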