Forum Discussion

pushkar_misra_2
Mar 08, 2017

Kerberos can't get user ticket, KDC not seeing any traffic from APM

Kerberos can't get user ticket.

 

We are getting the error "Kerberos can't get user ticket, client not found in database".

 

We are using constrained delegation:
1. We have a service account named HOST/
2. We are delegating the SPN HTTP/poc.abc.com on it. Constrained delegation is added.
3. We are using the account name in the SSO profile as HOST/test.abc.com@ABC.COM
4. Realm ABC.COM

 

The KDC field is blank, and the KDC and realm are specified statically in the KRB5.CONF file.

 

While checking, we are not even seeing hits on the mentioned KDC from the F5 for a Kerberos ticket.

 

But when I do a general check for the account test.abc.com using kinit, I get the Kerberos ticket for this account: kinit test.abc.com@ABC.COM

 

Is anyone aware how we can test if the APM is actually sending the Kerberos request out, and to what KDC (we have 5 KDCs configured)?

 

8 Replies

  • Sorry, I missed updating the solution. I did a capture on port 88 to review the Kerberos packets, which gave me the exact KDC and the error as "Principal name unknown". It turned out that the service account needed to be in the WAA and PreWin2k groups to avoid the error.

     

    • ivanbermejocham

      You saved my life.... I was getting the same error and the solution was the same. There should be some info about this in the APM Cookbook.

  • Can you post the part of the APM logging where the Kerberos error occurs here (with SSO on debug)?

     

    Cheers,

     

    Kees

     


  • kunjan

    I think it's the problem with the delegation account. If kinit test.abc.com@ABC.COM works, you should use the same user id test.abc.com@ABC.COM for the SSO config, not with 'HOST/', unless you create the account as 'HOST/'.

     

  • Hi,

    To create a Kerberos SSO, I use the following commands:

    PowerShell commands on AD:

    New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
    # Add SPN attribute to the account (same as the setspn command)
    Set-ADUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
    # Assign the delegation right to the site app1.demo.local
    Get-ADUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
    # Change delegation right to mode: Trust this user for delegation to specific service only / Use any authentication protocol
    Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
    Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true

    BIG-IP tmsh commands:

    SPN discovered by reverse DNS lookup of the pool member IP:
    create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }

    Or, SPN taken from the request Host header value:
    create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }

    If Kerberos is configured in a multi-domain forest, the username format must be host/svc_f5_krb.demo.local.
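As an added example (not from the thread, F5 or Microsoft), the following PowerShell check verifies on the AD side the account properties this thread turned out to hinge on before the SSO profile is tested: the host SPN, the msDS-AllowedToDelegateTo target, the constrained-delegation flags and the group memberships. It reuses the sample names from the answer above (svc_f5_krb, demo.local, app1.demo.local); expanding "WAA" and "PreWin2k" to the built-in groups "Windows Authorization Access Group" and "Pre-Windows 2000 Compatible Access" is an assumption about the abbreviations used in the accepted reply.

```powershell
# Added example: verify the APM delegation account in AD.
# Assumes the RSAT ActiveDirectory module and the sample names from the answer above.
Import-Module ActiveDirectory

function Test-ApmDelegationAccount {
    param(
        [string]$Account   = 'svc_f5_krb',
        [string]$HostSpn   = 'host/svc_f5_krb.demo.local',
        [string]$TargetSpn = 'http/app1.demo.local',
        # Assumed expansion of "WAA" / "PreWin2k" from the thread.
        [string[]]$RequiredGroups = @('Windows Authorization Access Group',
                                      'Pre-Windows 2000 Compatible Access')
    )

    $props = @('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
               'TrustedToAuthForDelegation', 'Enabled', 'MemberOf')
    $u = Get-ADUser -Identity $Account -Properties $props

    # Each entry is a condition the APM Kerberos SSO relies on; $false means "fix this first".
    $checks = [ordered]@{
        'Account enabled'                              = [bool]$u.Enabled
        "SPN $HostSpn registered"                      = $u.servicePrincipalName -contains $HostSpn
        "msDS-AllowedToDelegateTo contains $TargetSpn" = $u.'msDS-AllowedToDelegateTo' -contains $TargetSpn
        'Unconstrained delegation OFF'                 = -not $u.TrustedForDelegation
        'Protocol transition ON (any auth protocol)'   = [bool]$u.TrustedToAuthForDelegation
    }

    # MemberOf holds distinguished names, so resolve each group to its DN before comparing.
    foreach ($g in $RequiredGroups) {
        $dn = (Get-ADGroup -Identity $g).DistinguishedName
        $checks["Member of '$g'"] = $u.MemberOf -contains $dn
    }

    # A KDC answering KDC_ERR_C_PRINCIPAL_UNKNOWN ("client not found in database",
    # the thread's "Principal name unknown") usually traces back to one of these failing.
    foreach ($c in $checks.GetEnumerator()) {
        $state = if ($c.Value) { 'OK  ' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $state, $c.Key)
    }
    return $checks
}

$result = Test-ApmDelegationAccount
if ($result.Values -contains $false) { Write-Warning 'Delegation account is not ready for APM Kerberos SSO.' }
```

Run it on a domain-joined host as a user allowed to read the account; pass -Account, -HostSpn and -TargetSpn to check a different service account.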