Forum Discussion

Rene_Bader_1308
Dec 15, 2014
Solved

APM - show Kerberos Tickets

All,

 

I configured APM with a Kerberos Constrained Delegation for Kerberos SSO.

 

This is working so far, but for debugging it would be helpful to list all Kerberos tickets granted.

 

Is there a command that would show such entries? I can only see a summary in the APM log but no details.

 

Thanks

 

René

 

  • Hi René,

    It seems F5 stores the TGTs for Kerberos in different cache files under the "/var/run/krb5cc/*" directory. Once there, depending on your partition set, there should be a different cache file for every user account which has been "delegated".

    PATH for kerberos cache files: /var/run/krb5cc/"PartitionName"/"ADAuthServerName"/

    For example, in my lab:

        [] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0
        Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0
        Default principal: USER1@F5.LAB

        Valid starting     Expires            Service principal
        01/04/15 15:39:11  01/05/15 01:39:11  krbtgt/F5.LAB@F5.LAB  renew until 01/05/15 15:39:11
        01/04/15 15:39:11  01/05/15 01:39:11  ldap/dc1.f5.lab@F5.LAB  renew until 01/05/15 15:39:11

        [] config klist /var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1
        Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_1
        Default principal: USER2@F5.LAB

        Valid starting     Expires            Service principal
        01/04/15 15:39:11  01/05/15 01:39:11  krbtgt/F5.LAB@F5.LAB  renew until 01/05/15 15:39:11
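The answer above gives the cache location but lists one file at a time. What follows is an added example, written here and not taken from the thread or from F5, that walks the cache directories and summarises every cache with klist. It searches the /var/run/krb5cc path from the answer and also /var/run/apmd/krb5cc, which is where the verifyKrb5Cache() log line in the 12.1.3 reply further down places the cache; searching both is an assumption, as is that klist is the MIT krb5 tool (whose "klist -s" exits non-zero when a cache is missing or holds no valid ticket). Note that a bare klist only reads the default cache named by KRB5CCNAME (/tmp/krb5cc_0 in the last reply), not APM's per-user caches, which is why it reports nothing. The summarize_klist parser and the sample_klist_output fixture are constructed for this example.

```shell
# Added example (not from the original thread): enumerate the APM Kerberos
# credential caches and summarise each one with klist.
# Assumed locations: the answer's /var/run/krb5cc/<Partition>/<AAA server>/
# and the /var/run/apmd/krb5cc path seen in the 12.1.3 debug log.
# Assumes MIT klist ("klist -s" exits non-zero when the cache is missing or
# holds no valid ticket).
CACHE_DIRS="/var/run/krb5cc /var/run/apmd/krb5cc"

# Reduce klist output on stdin to one line per ticket:
#   <default principal> <service principal> <expiry date> <expiry time>
# Ticket rows start with a MM/DD/YY date; the column header and any
# "renew until" continuation lines are skipped. Works whether "renew until"
# sits on its own line (real klist layout) or on the ticket line.
summarize_klist() {
    awk '
        /^Default principal:/ { princ = $3; next }
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+$/ {
            printf "%s %s %s %s\n", princ, $5, $3, $4
        }
    '
}

# Report one cache file: validity according to "klist -s", then its tickets.
report_cache() {
    cc="$1"
    if klist -s "$cc"; then state="valid"; else state="expired or unreadable"; fi
    printf '== %s (%s)\n' "$cc" "$state"
    klist "$cc" 2>/dev/null | summarize_klist
}

# Walk every krb5cc_* file under the known APM cache directories.
list_apm_caches() {
    for dir in $CACHE_DIRS; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name 'krb5cc_*' | while read -r cc; do
            report_cache "$cc"
        done
    done
}

# Constructed sample of klist output, modelled on the accepted answer, so the
# parser can be exercised on a machine without APM caches.
sample_klist_output() {
    printf '%s\n' \
        'Ticket cache: FILE:/var/run/krb5cc/Common/portal_f5_lab_aaa_srvr/krb5cc_0' \
        'Default principal: USER1@F5.LAB' \
        '' \
        'Valid starting     Expires            Service principal' \
        '01/04/15 15:39:11  01/05/15 01:39:11  krbtgt/F5.LAB@F5.LAB' \
        '        renew until 01/05/15 15:39:11' \
        '01/04/15 15:39:11  01/05/15 01:39:11  ldap/dc1.f5.lab@F5.LAB' \
        '        renew until 01/05/15 15:39:11'
}

# Usage on a BIG-IP (bash, as root):   list_apm_caches
# Offline check of the parser:         sample_klist_output | summarize_klist
```

The per-cache "expired or unreadable" flag from klist -s is the quick check when SSO starts failing for one user: a cache that is present but expired points at a refresh problem on the APM side rather than at the KDC.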

     

9 Replies

  • Hi Rene,

     

    You can use the klist command via the command prompt to view the tickets.

     

    You can do a "man klist" to find all the options.

     

    -Seth

     

  • Hi Seth,

     

    klist does not show any entries.

     

    But I know that there are some Kerberos Tickets as the APM log shows for example

     

    "Expire thread: TGTlist:1 TGTMap:2 UCClist:4 UCCmap:2"

     

    Thanks

     

    René

     

  • Hi,

     

I am using F5 APM version 12.1.2 and on this version, I am unable to find any Kerberos ticket caches under /var/run/. Has the location changed in this version?

     

    I have a working Kerberos SSO configuration and in /var/log/apm, I can see logs saying that TGTs have been fetched. I want to clear the credentials cache so that all tickets are re-fetched. However, I am unable to find where the kerberos tickets are stored.

     

    Thanks!

     

I'm using version 12.1.3 in my lab. I just logged in to a website using Kerberos SSO. klist shows:

        klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

    APM log shows:

        Jan 19 11:13:31 F5 debug apmd[6603]: 01490023:7: /Common/CustomPolicy:Common:8b286923: AD module: ENTER Function queryActiveDirectory
        Jan 19 11:13:31 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:8b286923: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/apmd/krb5cc/Common/labdomain/krb5cc_0 Default principal: labuseracct@labdomain.SVC
        Jan 19 11:13:31 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:8b286923: AD module: verifyKrb5Cache(): server realm:labdomain.SVC princ realm:labdomain.SVC server data[0]:krbtgt server data[1]:labdomain.SVC curr time: 1516360411 end time: 1516393613 Default principal: labuseracct@labdomain.SVC

     

    I have an encrypted file in the apmd folder. How to get a list of the cached tickets?
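When the cache file itself cannot be read with klist, the debug lines quoted in the reply above already carry the inventory: one verifyKrb5Cache() line per cache with the file path and default principal, and a second with the realm plus "curr time" and "end time" as Unix epoch values. The following is an added example, written here and not taken from the thread or from F5, that reduces such lines from /var/log/apm to one record per APM session with the remaining ticket lifetime computed from the line's own curr time and end time, so no clock or date arithmetic is needed. It assumes exactly those two line shapes and that the session id is the last component of the policy tag (8b286923 above). The log sample is constructed from the quoted lines plus a second, near-expiry session (c0ffee01, svc_web) added for illustration.

```shell
# Added example (not from the original thread): recover the Kerberos ticket
# inventory from APM debug logging instead of from klist.
# Assumes the two verifyKrb5Cache() line shapes quoted in the thread; any
# other line is ignored.
APM_LOG=/var/log/apm

# Reduce verifyKrb5Cache() lines on stdin to one sorted record per session:
#   <session> <cache file> <principal> <end time> <seconds left at log time>
# "seconds left" is end time minus the curr time carried by the same log
# line, so the result is reproducible from a saved log.
summarize_apm_krb5() {
    awk '
        /verifyKrb5Cache\(\)/ {
            # $8 is the policy tag, e.g. /Common/CustomPolicy:Common:8b286923:
            # (assumption: session id is its last ":"-separated component)
            tag = $8; sub(/:$/, "", tag)
            n = split(tag, p, ":"); sess = p[n]
            for (i = 1; i <= NF; i++) {
                if ($i == "cache:") { cc[sess] = $(i + 1); sub(/^FILE:/, "", cc[sess]) }
                if ($i == "principal:") princ[sess] = $(i + 1)
                if ($i == "curr" && $(i + 1) == "time:") cur[sess] = $(i + 2)
                if ($i == "end"  && $(i + 1) == "time:") end[sess] = $(i + 2)
            }
        }
        END {
            for (s in end)
                printf "%s %s %s %s %d\n", s, cc[s], princ[s], end[s], end[s] - cur[s]
        }
    ' | sort
}

# Constructed log sample: the lines quoted in the thread plus a second
# session (c0ffee01) whose TGT is 58 seconds from expiry.
sample_apm_log() {
    printf '%s\n' \
        'Jan 19 11:13:31 F5 debug apmd[6603]: 01490023:7: /Common/CustomPolicy:Common:8b286923: AD module: ENTER Function queryActiveDirectory' \
        'Jan 19 11:13:31 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:8b286923: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/apmd/krb5cc/Common/labdomain/krb5cc_0 Default principal: labuseracct@labdomain.SVC' \
        'Jan 19 11:13:31 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:8b286923: AD module: verifyKrb5Cache(): server realm:labdomain.SVC princ realm:labdomain.SVC server data[0]:krbtgt server data[1]:labdomain.SVC curr time: 1516360411 end time: 1516393613 Default principal: labuseracct@labdomain.SVC' \
        'Jan 19 11:14:02 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:c0ffee01: AD module: verifyKrb5Cache(): Ticket cache: FILE:/var/run/apmd/krb5cc/Common/labdomain/krb5cc_1 Default principal: svc_web@labdomain.SVC' \
        'Jan 19 11:14:02 F5 debug apmd[6603]: 01490111:7: /Common/CustomPolicy:Common:c0ffee01: AD module: verifyKrb5Cache(): server realm:labdomain.SVC princ realm:labdomain.SVC server data[0]:krbtgt server data[1]:labdomain.SVC curr time: 1516360442 end time: 1516360500 Default principal: svc_web@labdomain.SVC'
}

# Usage on a BIG-IP with apmd logging at debug:
#   grep 'verifyKrb5Cache()' "$APM_LOG" | summarize_apm_krb5
# Offline check against the constructed sample:
#   sample_apm_log | summarize_apm_krb5
```

Because the log is written each time apmd checks a cache, the last record for a session is the current one; on a long log, tail the file first or filter on the session id of the user being debugged. Records with a small or negative "seconds left" are the caches APM is about to refresh or has let lapse.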