Forum Discussion

Piotr_Bratkowsk
Nov 20, 2013

APM and Kerberos SSO

Hi,

I'm trying to get SSO with Kerberos working. I have a Windows 2008 domain. I have used many, many manuals and docs for configuring delegation, but now it's configured according to this: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/4.html

I've also used this German guide (two parts): https://devcentral.f5.com/articles/single-sign-on-mit-kerberos-constrained-delegation and https://devcentral.f5.com/articles/single-sign-on-mit-kerberos-constrained-delegation-teil-2-debugging

I'm using Variable Assign for manual assignment of my credentials (the username is piotrb).

So as far as I'm concerned, I have a user in AD with delegation to any service. But in the log I see something like this: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)

I've been struggling with this for 3 days and I have run out of ideas. Could you guide me a little?

Nov 20 19:47:10 cptest_f5 notice tmm1[8723]: 01490500:5: 1fc3b2c4: New session from client IP 10.255.0.35 (ST=/CC=/C=) at VIP 10.39.32.148 Listener /Common/pbr_IIS_NTLMv2 (Reputation=Unknown)
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490006:6: 1fc3b2c4: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490010:5: 1fc3b2c4: Username 'piotrb'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490004:6: 1fc3b2c4: Executed agent '/Common/pbr_Access_AD_KRB_only_act_variable_assign_ag', return value 0
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490005:5: 1fc3b2c4: Following rule 'fallback' from item 'Variable Assign' to ending 'Allow'
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490102:5: 1fc3b2c4: Access policy result: LTM+APM_Mode
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490004:6: 1fc3b2c4: Executed agent '/Common/pbr_Access_AD_KRB_only_end_allow_ag', return value 0
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/pbr_Access_AD_KRB_only.'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.last.domain' set to 'ccsdomain.local'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.last.username' set to 'piotrb'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.page.errorcode' set to '0'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.policy.result' set to 'allow'
Nov 20 19:47:10 cptest_f5 info websso.1[9099]: 014d0011:6: 1fc3b2c4: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0024:3: 1fc3b2c4: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0048:3: 1fc3b2c4: failure occurred when processing the work item
Nov 20 19:47:15 cptest_f5 notice tmm1[8723]: 01490521:5: 88d285d6: Session statistics - bytes in: 10765, bytes out: 4974

What is more interesting, earlier I was getting this error:

Nov 20 18:11:17 cptest_f5 notice tmm1[8723]: 01490500:5: f2807649: New session from client IP 10.255.0.18 (ST=/CC=/C=) at VIP 10.39.32.148 Listener /Common/pbr_IIS_NTLMv2 (Reputation=Unknown)
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490006:6: f2807649: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490010:5: f2807649: Username 'piotrb'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490004:6: f2807649: Executed agent '/Common/pbr_Access_AD_KRB_only_act_variable_assign_ag', return value 0
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490005:5: f2807649: Following rule 'fallback' from item 'Variable Assign' to ending 'Allow'
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490102:5: f2807649: Access policy result: LTM+APM_Mode
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490004:6: f2807649: Executed agent '/Common/pbr_Access_AD_KRB_only_end_allow_ag', return value 0
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/pbr_Access_AD_KRB_only.'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.last.domain' set to 'ccsdomain.local'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.last.username' set to 'piotrb'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.page.errorcode' set to '0'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.policy.result' set to 'allow'
Nov 20 18:11:17 cptest_f5 info websso.1[9099]: 014d0011:6: f2807649: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/dcccsserver.ccsdomain.local@CCSDOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0024:3: f2807649: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0048:3: f2807649: failure occurred when processing the work item
Nov 20 18:11:45 cptest_f5 notice tmm[8723]: 01490521:5: 8df51236: Session statistics - bytes in: 1091, bytes out: 2024

But it was not working anyway. I know that the F5 is trying to get these tickets, but I don't know why it isn't getting them.

Regards, Piotr Bratkowski

1 Reply

Piotr,

Couple of things. First, turn up the SSO log level to debug; it should tell you a lot more about what is going on with Kerberos. I would venture a guess at this point that your delegation might not be set up properly in AD, or DNS is not set up (APM performs a reverse DNS lookup on the IP address of the server to determine which SPN we need to get a ticket for), but the debug logs should be able to tell the story better.
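To make the two checks in this reply concrete, here is an added example (my own code, not anything from the thread or from F5): it parses the websso lines quoted above, maps the numeric krb5 codes to their MIT krb5 error names and the configuration area each one points at, and shows how the SPN APM asks for is derived from a reverse DNS lookup of the server IP. The IP 10.39.32.10 and the PTR table are constructed for the demo, and the hints are the usual first checks, not a diagnosis of this specific setup.

```python
import re

# Websso lines quoted from the thread above (excerpt assembled here, not a new capture).
SAMPLE_LOG = """\
Nov 20 19:47:10 cptest_f5 info websso.1[9099]: 014d0011:6: 1fc3b2c4: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/dcccsserver.ccsdomain.local@CCSDOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
"""

# Numeric codes from the log mapped to their MIT krb5 names (error table base -1765328384)
# and the configuration area the reply points at. Hints are first checks, not a diagnosis.
KRB5_ERRORS = {
    -1765328243: ("KRB5_CC_NOTFOUND",
                  "S4U2Self failed: verify the APM delegation account credentials and that "
                  "constrained delegation is configured on that account in AD"),
    -1765328163: ("KRB5_TKT_NOT_FORWARDABLE",
                  "S4U2Proxy failed: the S4U2Self ticket was not forwardable; the delegation "
                  "account usually needs protocol transition ('use any authentication protocol')"),
}

WEBSSO_RE = re.compile(r"websso\.\d+\[\d+\]: (?P<msgid>014d[0-9a-f]{4}):(?P<sev>\d): (?P<text>.*)$")
TICKET_RE = re.compile(r"can't get (?P<stage>S4U2Self|S4U2Proxy) ticket for (?:user|server) (?P<target>\S+)")
CODE_RE = re.compile(r"\((?P<code>-\d+)\)\s*$")


def parse_websso(log_text):
    """Return one dict per Kerberos ticket failure found in websso log lines."""
    failures = []
    for line in log_text.splitlines():
        m = WEBSSO_RE.search(line)
        if not m:
            continue
        t = TICKET_RE.search(m["text"])
        c = CODE_RE.search(m["text"])
        if not (t and c):
            continue  # informational websso line, no ticket failure to report
        code = int(c["code"])
        name, hint = KRB5_ERRORS.get(code, ("UNKNOWN", "look the code up in the krb5 error table"))
        failures.append({"msgid": m["msgid"], "stage": t["stage"], "target": t["target"],
                         "code": code, "name": name, "hint": hint})
    return failures


def expected_spn(server_ip, ptr_lookup):
    """SPN APM would request: HTTP/<name from the reverse DNS lookup of the pool member IP>.
    ptr_lookup is a callable so the check runs offline; None means no PTR record exists."""
    host = ptr_lookup(server_ip)
    return None if host is None else f"HTTP/{host.rstrip('.')}"


if __name__ == "__main__":
    for f in parse_websso(SAMPLE_LOG):
        print(f"{f['stage']:9} {f['name']:25} {f['target']}\n    -> {f['hint']}")
    ptr = {"10.39.32.10": "dcccsserver.ccsdomain.local."}.get  # constructed PTR table
    print("expected SPN:", expected_spn("10.39.32.10", ptr))  # HTTP/dcccsserver.ccsdomain.local
    print("missing PTR :", expected_spn("10.39.32.11", ptr))  # None: APM cannot derive an SPN
```

If the SPN derived from the PTR record differs from the one in the S4U2Proxy line, or no PTR record exists, that is the DNS problem the reply describes.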