Setting up Kerberos Constrained Delegation
Hello,
I have been trying to get Kerberos authentication to work from a domain-joined computer to a Windows IIS server and seem to be stuck. I have tried many things from a bunch of different posts on DevCentral but don't seem to be getting any closer. I was hoping I could post more of my specifics and see if someone could point out what I am missing. Keep in mind that if I go directly to the web server, I have confirmed that Kerberos authentication is the method being used and is successful until I go through the F5. I am running version 11.6.1.
I believe that the main issue is the difference between our host name lab.cityoftest.org and our Kerberos realm DOMAIN.LCL. Since we want to use our wildcard cert for our public domain *.cityoftest.org, but all user names are of the form user@DOMAIN.LCL, I am not sure how to configure the internal DNS A and PTR records to accommodate this scenario.
Here are my settings at this point as they may help better explain what I am trying to do.
Thank you for your time and help in advance!
AD delegate account
userPrincipalName: host/lab.cityoftest.org@DOMAIN.LCL
SPN: host/lab.cityoftest.org
Delegation Tab:
Trust this user for delegation to specified services only, Use any authentication protocol
http IISServer.domain.lcl
Kerberos AAA Server config
Auth Realm: DOMAIN.LCL
Service Name: host
Keytab file details:
Principal = host/lab.cityoftest.org@DOMAIN.LCL
Encryption: arcfour-hmac
Access Policy Kerberos Auth Pointed at Kerberos AAA Server created above
AD Query has search filter: userPrincipalName=%{session.logon.last.username}
SSO Config
Method: Kerberos
Username Source: session.ad.last.attr.sAMAccountName
User Realm Source: session.logon.last.domain
Kerberos Realm: DOMAIN.LCL
KDC: (IP of one of the domain controllers)
Account Name: host/lab.cityoftest.org
APM Error
2017-04-17 15:27:52 metadata len 391
2017-04-17 15:27:52 \N: Could not find SSO domain, check variable assign agent setting
2017-04-17 15:27:52 Websso Kerberos authentication for user 'John' using config '/Common/WebApplication_2'
2017-04-17 15:27:52 \N: adding item to WorkQueue
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 server address = ::ffff:10.10.10.1
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 SPN = HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: realm for user John is not set, using server's realm DOMAIN.LCL
2017-04-17 15:27:52 S4U ======> ctx: , sid: 0x59b1aff0, user: John@DOMAIN.LCL, SPN: HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: Failed to get ticket for user John@DOMAIN.LCL
2017-04-17 15:27:52 \N: failure occurred when processing the work item
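As an added triage example (not part of the post above, and not F5 tooling), the following Python script parses the APM log excerpt from the post, embedded here as constructed sample input, and cross-checks it against the settings the poster listed. The dictionary field names and the finding codes are this script's own; the delegation entry is written in the `service/host` form that AD stores in msDS-AllowedToDelegateTo, which the delegation tab displays as "http IISServer.domain.lcl".

```python
"""Triage helper for the F5 APM Kerberos SSO (S4U) failure in the post above.

Added example, not code from the post or from F5: it parses the APM log
excerpt (embedded below as constructed sample input, copied from the post)
and cross-checks the settings the poster listed. The dictionary field names
and the finding codes are this script's own choices.
"""
import re

# Constructed sample input: the log lines from the post, as posted.
SAMPLE_LOG = r"""
2017-04-17 15:27:52 metadata len 391
2017-04-17 15:27:52 \N: Could not find SSO domain, check variable assign agent setting
2017-04-17 15:27:52 Websso Kerberos authentication for user 'John' using config '/Common/WebApplication_2'
2017-04-17 15:27:52 \N: adding item to WorkQueue
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 server address = ::ffff:10.10.10.1
2017-04-17 15:27:52 sid: ctx:0x59b1aff0 SPN = HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: realm for user John is not set, using server's realm DOMAIN.LCL
2017-04-17 15:27:52 S4U ======> ctx: , sid: 0x59b1aff0, user: John@DOMAIN.LCL, SPN: HTTP/IISServer.domain.lcl@DOMAIN.LCL
2017-04-17 15:27:52 Kerberos: Failed to get ticket for user John@DOMAIN.LCL
2017-04-17 15:27:52 \N: failure occurred when processing the work item
"""

# The poster's settings. Keys are this script's names, not APM or AD attribute
# names. The delegation tab shows "http IISServer.domain.lcl"; AD stores that
# entry in msDS-AllowedToDelegateTo as "http/IISServer.domain.lcl".
POSTED_CONFIG = {
    "delegate_upn": "host/lab.cityoftest.org@DOMAIN.LCL",
    "delegate_spn": "host/lab.cityoftest.org",
    "keytab_principal": "host/lab.cityoftest.org@DOMAIN.LCL",
    "sso_account_name": "host/lab.cityoftest.org",
    "sso_realm": "DOMAIN.LCL",
    "user_realm_source": "session.logon.last.domain",
    "allowed_to_delegate_to": ["http/IISServer.domain.lcl"],
}

LOG_PATTERNS = {
    "sso_domain_missing": re.compile(r"Could not find SSO domain"),
    "realm_defaulted": re.compile(r"realm for user (\S+) is not set, using server's realm (\S+)"),
    "requested_spn": re.compile(r"\bSPN = (\S+)"),
    "ticket_failed": re.compile(r"Failed to get ticket for user (\S+)"),
}


def normalize_spn(spn):
    """Canonical 'SERVICE/host' form: realm suffix dropped, host lower-cased.
    Accepts 'service/host' or the 'service host' form the delegation tab
    displays. AD matches SPNs case-insensitively, so this form is comparable."""
    spn = spn.strip().split("@", 1)[0]
    service, _, host = spn.replace(" ", "/", 1).partition("/")
    return f"{service.upper()}/{host.lower()}"


def spn_allowed(requested_spn, allowed_to_delegate_to):
    """True if the SPN APM asked for is in the account's constrained-delegation list."""
    wanted = normalize_spn(requested_spn)
    return any(normalize_spn(entry) == wanted for entry in allowed_to_delegate_to)


def parse_log(text):
    """Pull the facts that matter for S4U troubleshooting out of the APM log."""
    facts = {"sso_domain_missing": False, "realm_defaulted_for": None,
             "server_realm": None, "requested_spn": None, "ticket_failed_for": None}
    for line in text.strip().splitlines():
        if LOG_PATTERNS["sso_domain_missing"].search(line):
            facts["sso_domain_missing"] = True
        elif (m := LOG_PATTERNS["realm_defaulted"].search(line)):
            facts["realm_defaulted_for"], facts["server_realm"] = m.group(1), m.group(2)
        elif (m := LOG_PATTERNS["requested_spn"].search(line)):
            facts["requested_spn"] = m.group(1)
        elif (m := LOG_PATTERNS["ticket_failed"].search(line)):
            facts["ticket_failed_for"] = m.group(1)
    return facts


def triage(log_text, config):
    """Return finding codes: log-derived ones first, then static config checks."""
    facts = parse_log(log_text)
    findings = []
    if facts["sso_domain_missing"]:
        findings.append("SSO_DOMAIN_NOT_FOUND")  # the log's own hint: variable assign agent
    if facts["realm_defaulted_for"]:
        # APM fell back to the server realm because the User Realm Source
        # variable held nothing for this session.
        findings.append("USER_REALM_EMPTY:" + config["user_realm_source"])
    if facts["ticket_failed_for"]:
        findings.append("S4U_TICKET_FAILED:" + facts["ticket_failed_for"])
    if facts["requested_spn"] and not spn_allowed(facts["requested_spn"], config["allowed_to_delegate_to"]):
        findings.append("SPN_NOT_IN_DELEGATION_LIST:" + facts["requested_spn"])
    if config["keytab_principal"] != config["delegate_upn"]:
        findings.append("KEYTAB_PRINCIPAL_MISMATCH")
    if normalize_spn(config["sso_account_name"]) != normalize_spn(config["delegate_spn"]):
        findings.append("SSO_ACCOUNT_MISMATCH")
    return findings


if __name__ == "__main__":
    for code in triage(SAMPLE_LOG, POSTED_CONFIG):
        print(code)
```

Run against the posted settings, the script reports three findings and no mismatches on the static side: the requested SPN HTTP/IISServer.domain.lcl is in the delegation list, the keytab principal matches the account's UPN, and the SSO account name matches the SPN. The two log-derived findings before the ticket failure point at the same thing: the User Realm Source variable (session.logon.last.domain) was empty when SSO ran, which is the condition the log's own "check variable assign agent setting" line refers to.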