APM and Kerberos SSO
Hi,
I'm trying to get SSO with Kerberos working. I have a Windows 2008 domain. I used many manuals and docs for configuring delegation, but now it's configured according to this: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/4.html
I've also used this German guide: https://devcentral.f5.com/articles/single-sign-on-mit-kerberos-constrained-delegation https://devcentral.f5.com/articles/single-sign-on-mit-kerberos-constrained-delegation-teil-2-debugging
I'm using Variable Assign for manual assignment of my credentials (username is piotrb).
So as far as I'm concerned I have a user in AD with delegation to any service. But in the log I see something like this: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)
I've been struggling with this for 3 days and I've run out of ideas. Could you guide me a little?
Nov 20 19:47:10 cptest_f5 notice tmm1[8723]: 01490500:5: 1fc3b2c4: New session from client IP 10.255.0.35 (ST=/CC=/C=) at VIP 10.39.32.148 Listener /Common/pbr_IIS_NTLMv2 (Reputation=Unknown)
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490006:6: 1fc3b2c4: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490010:5: 1fc3b2c4: Username 'piotrb'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490004:6: 1fc3b2c4: Executed agent '/Common/pbr_Access_AD_KRB_only_act_variable_assign_ag', return value 0
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490005:5: 1fc3b2c4: Following rule 'fallback' from item 'Variable Assign' to ending 'Allow'
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490102:5: 1fc3b2c4: Access policy result: LTM+APM_Mode
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490004:6: 1fc3b2c4: Executed agent '/Common/pbr_Access_AD_KRB_only_end_allow_ag', return value 0
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/pbr_Access_AD_KRB_only.'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.last.domain' set to 'ccsdomain.local'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.last.username' set to 'piotrb'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.logon.page.errorcode' set to '0'
Nov 20 19:47:10 cptest_f5 info apd[5828]: 01490007:6: 1fc3b2c4: Session variable 'session.policy.result' set to 'allow'
Nov 20 19:47:10 cptest_f5 info websso.1[9099]: 014d0011:6: 1fc3b2c4: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0024:3: 1fc3b2c4: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0048:3: 1fc3b2c4: failure occurred when processing the work item
Nov 20 19:47:15 cptest_f5 notice tmm1[8723]: 01490521:5: 88d285d6: Session statistics - bytes in: 10765, bytes out: 4974
What is more interesting, earlier I was getting this error:
Nov 20 18:11:17 cptest_f5 notice tmm1[8723]: 01490500:5: f2807649: New session from client IP 10.255.0.18 (ST=/CC=/C=) at VIP 10.39.32.148 Listener /Common/pbr_IIS_NTLMv2 (Reputation=Unknown)
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490006:6: f2807649: Following rule 'fallback' from item 'Start' to item 'Variable Assign'
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490010:5: f2807649: Username 'piotrb'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490004:6: f2807649: Executed agent '/Common/pbr_Access_AD_KRB_only_act_variable_assign_ag', return value 0
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490005:5: f2807649: Following rule 'fallback' from item 'Variable Assign' to ending 'Allow'
Nov 20 18:11:17 cptest_f5 notice apd[5828]: 01490102:5: f2807649: Access policy result: LTM+APM_Mode
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490004:6: f2807649: Executed agent '/Common/pbr_Access_AD_KRB_only_end_allow_ag', return value 0
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.assigned.uuid' set to 'tmm.uuid./Common/pbr_Access_AD_KRB_only.'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.last.domain' set to 'ccsdomain.local'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.last.username' set to 'piotrb'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.logon.page.errorcode' set to '0'
Nov 20 18:11:17 cptest_f5 info apd[5828]: 01490007:6: f2807649: Session variable 'session.policy.result' set to 'allow'
Nov 20 18:11:17 cptest_f5 info websso.1[9099]: 014d0011:6: f2807649: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/dcccsserver.ccsdomain.local@CCSDOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0024:3: f2807649: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0048:3: f2807649: failure occurred when processing the work item
Nov 20 18:11:45 cptest_f5 notice tmm[8723]: 01490521:5: 8df51236: Session statistics - bytes in: 1091, bytes out: 2024
But it was not working anyway. I know that F5 is trying to get these tickets, but I don't know why it isn't getting them.
Regards, Piotr Bratkowski
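The two log excerpts above fail at different stages of Kerberos constrained delegation: the later one at S4U2Self (APM cannot get a ticket to itself on the user's behalf) and the earlier one at S4U2Proxy (APM got the S4U2Self ticket but could not exchange it for a ticket to the target SPN because that ticket was not forwardable). Telling those two stages apart is the first step in troubleshooting, so here is a small log triage script as an added example; it is not code from the post, from F5, or from the guides linked above. It parses APM/websso log lines of the format shown in the post, attaches the stage-error line (which carries no session id) to the surrounding websso session, and prints which stage failed with a generic KCD hint. The sample lines are copied from the post; the regexes, the field names and the hints are my own assumptions about the log format and about standard Kerberos KCD behaviour, not something the post states.

```python
import re

# Constructed sample: a subset of the F5 APM log lines quoted in the post above.
SAMPLE_LOG = """\
Nov 20 19:47:10 cptest_f5 notice apd[5828]: 01490010:5: 1fc3b2c4: Username 'piotrb'
Nov 20 19:47:10 cptest_f5 info websso.1[9099]: 014d0011:6: 1fc3b2c4: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user piotrb@CCSDOMAIN.LOCAL - Matching credential not found (-1765328243)
Nov 20 19:47:10 cptest_f5 err websso.1[9099]: 014d0024:3: 1fc3b2c4: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
Nov 20 18:11:17 cptest_f5 info websso.1[9099]: 014d0011:6: f2807649: Websso Kerberos authentication for user 'piotrb' using config '/Common/pbr_SSO_KRB'
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/dcccsserver.ccsdomain.local@CCSDOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
Nov 20 18:11:17 cptest_f5 err websso.1[9099]: 014d0024:3: f2807649: Kerberos: Failed to get ticket for user piotrb@CCSDOMAIN.LOCAL
"""

# Assumed line layout (from the lines in the post): timestamp, host, severity,
# process[pid], message id, an OPTIONAL 8-hex-char session id, then the message.
# The S4U2* error line is the one that omits the session id.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w.]+)\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}:\d+): "
    r"(?:(?P<sid>[0-9a-f]{8}): )?(?P<msg>.*)$"
)
WEBSSO_START_RE = re.compile(
    r"Websso Kerberos authentication for user '(?P<user>[^']+)' using config '(?P<config>[^']+)'"
)
S4U_RE = re.compile(
    r"can't get (?P<stage>S4U2Self|S4U2Proxy) ticket for (?:user|server) "
    r"(?P<princ>\S+) - (?P<reason>.+?) \((?P<code>-?\d+)\)$"
)

# Generic meaning of each KCD failure stage (standard Kerberos behaviour, not
# taken from the post). The stage tells you which side to check first.
STAGE_HINTS = {
    "S4U2Self": ("APM could not obtain a service ticket to itself on the user's behalf. "
                 "Verify the delegation account's own credentials (name/realm, password or "
                 "keytab, KDC reachability); no target SPN is involved yet."),
    "S4U2Proxy": ("APM got the S4U2Self ticket but could not exchange it for a ticket to the "
                  "target SPN. The SPN must be on the delegation account's allowed list and "
                  "the S4U2Self ticket must be forwardable, which requires protocol "
                  "transition ('use any authentication protocol') on that account."),
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return one record per S4U2Self/S4U2Proxy failure, tied to its websso session."""
    failures = []
    last_websso = {}  # pid -> (session id, user, SSO config) of the newest websso start line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["proc"].startswith("websso"):
            continue
        m = WEBSSO_START_RE.search(rec["msg"])
        if m:
            last_websso[rec["pid"]] = (rec["sid"], m.group("user"), m.group("config"))
            continue
        m = S4U_RE.search(rec["msg"])
        if m:
            # The error line carries no session id: inherit it from the last start
            # line logged by the same websso process.
            sid, user, config = last_websso.get(rec["pid"], (rec["sid"], None, None))
            failures.append({
                "session": rec["sid"] or sid,
                "user": user,
                "config": config,
                "stage": m.group("stage"),
                "principal": m.group("princ"),
                "reason": m.group("reason"),
                "code": int(m.group("code")),
                "hint": STAGE_HINTS[m.group("stage")],
            })
    return failures


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"session {f['session']} user {f['user']}: {f['stage']} failed for "
              f"{f['principal']} ({f['code']}: {f['reason']})")
        print("  ->", f["hint"])
```

Run against the post's own lines it reports session 1fc3b2c4 as an S4U2Self failure and session f2807649 as an S4U2Proxy failure, which is the distinction to make before touching the delegation settings: the first points at the delegation account's credentials as seen by APM, the second at the account's delegation configuration on the domain side.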