Forum Discussion

jban_198207
Oct 26, 2017
Solved

Kerberos SSO resource and account not in the same domain

Hi,

 

We create the F5 Service Account in Domain1 as:
- Host/
- Users are in: domain1.local
- Web resource is in domain2.local with SPN, let's say: HTTP/webresource.domain2.local

 

When I test with kinit and kvno for F5 and User account everything is working fine.

 

But when I specify the SPN in APM as HTTP/webresource.domain2.local or HTTP/webresource.domain2.local@DOMAIN2.LOCAL, I get errors like: Matching credential not found (-1765328243)

 

On the resource in Domain2 we give rights for host/ with Set-ADUser IIS_Service_User … -Principals…. Per the document: https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/

 

Does anyone have a setup like this on F5 and can share the config?

 

  • Changed -> Dns_lookup_kdc = true. Analysing the packet capture, the answer was found.

     

    USERDOMAIN.INTERNAL was a child domain of INTERNAL and INTERNAL KCD was not allowed on the firewall. After allowing INTERNAL KCD, stuff started to work.

     
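The accepted answer above was found by turning on dns_lookup_kdc and reading a packet capture; the root cause was a firewall blocking traffic to the parent realm. The following PowerShell check is an added example, not part of the thread or any F5 configuration: it resolves the _kerberos._tcp SRV records that a client with dns_lookup_kdc = true would use for each realm in the delegation path and tests TCP/88 to every KDC found. The realm names are placeholders standing in for the USERDOMAIN.INTERNAL / INTERNAL pair described above.

```powershell
# Added example (not from the thread): locate the KDCs of each realm the
# delegation path touches and verify that TCP/88 reaches them from this host.
# Realm names are placeholders for the child/parent pair discussed above.
$Realms = @('USERDOMAIN.INTERNAL', 'INTERNAL')   # child realm and its parent

foreach ($realm in $Realms) {
    # With dns_lookup_kdc = true, MIT krb5 finds KDCs through this SRV record
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$realm" -Type SRV -ErrorAction SilentlyContinue
    $kdcs = $srv | Where-Object { $_.Type -eq 'SRV' }   # drop glue A records from the answer
    if (-not $kdcs) {
        Write-Warning "No _kerberos._tcp SRV records for $realm; dns_lookup_kdc cannot locate a KDC"
        continue
    }
    foreach ($kdc in $kdcs) {
        # A referral from the child realm to the parent realm fails at exactly this
        # step when a firewall drops Kerberos to the parent's domain controllers.
        $r = Test-NetConnection -ComputerName $kdc.NameTarget -Port 88 -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' }
        '{0,-22} {1,-40} tcp/88 {2}' -f $realm, $kdc.NameTarget, $state
    }
}
```

Run it from a host on the same network segment as the APM's self IP; a realm whose every KDC reports BLOCKED matches the symptom in this thread, where the child realm's KDC answered but the referral to the parent realm never completed.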

5 Replies

  • I put the resource and delegation account in the same domain. The user is in another domain and now I am getting: Realm not local to KDC (-1765328316)

     

  • Hi jban,

     

    When using the classic Kerberos Constrained Delegation mode (>=Win2003) you have to create the service account which performs the Kerberos Constrained Delegation in the same AD domain as the service account of the resource service. But the user could be stored in any trusted domain.

     

    When using the Resource-based Kerberos Constrained Delegation mode (>=Win2012) the service account which performs the Kerberos Constrained Delegation, the service account of the resource service and the user account can all be stored in different domains.

     

    https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/

     

    Cheers, Kai

     
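Kai's reply explains why the cross-domain layout in the original question only works with resource-based KCD: the delegation grant is written on the resource account, so the front-end (F5) account may live in another trusted domain. The PowerShell below is an added example and not code from the thread, the linked blog or F5; it assumes placeholder account names (f5apm_svc, IIS_Service_User) and the domain names from the question, and uses the ActiveDirectory module's Set-ADUser / Get-ADUser cmdlets.

```powershell
# Added example (not from the thread): grant resource-based constrained delegation
# so an F5 APM service account in domain1.local may obtain service tickets for a
# web service whose account lives in domain2.local. All names are placeholders.
Import-Module ActiveDirectory

$F5Account  = 'f5apm_svc'          # delegating (front-end) account, in domain1.local
$F5Domain   = 'domain1.local'
$WebAccount = 'IIS_Service_User'   # account holding HTTP/webresource.domain2.local
$WebDomain  = 'domain2.local'

# Look the delegating account up on a DC of *its own* domain; the resulting object
# can be referenced from domain2 because the two domains trust each other.
$f5 = Get-ADUser -Identity $F5Account -Server $F5Domain

# Resource-based KCD is configured on the resource (target) account rather than on
# the front-end account, which is why the two accounts may be in different domains.
Set-ADUser -Identity $WebAccount -Server $WebDomain -PrincipalsAllowedToDelegateToAccount $f5

# Verify: the resource account should carry the HTTP/ SPN the APM uses and should
# now list the F5 account as an allowed delegating principal.
$web = Get-ADUser -Identity $WebAccount -Server $WebDomain `
       -Properties ServicePrincipalNames, PrincipalsAllowedToDelegateToAccount
$web.ServicePrincipalNames
$web.PrincipalsAllowedToDelegateToAccount
```

Keep the grant as narrow as the thread's layout needs: only the one front-end account is listed, and only on the resource account that actually serves the SPN the APM requests. Even with this configured, the APM still has to reach a KDC in the user's realm and in the resource's realm, which is the firewall issue the accepted answer ran into.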

  • Hi,

     

    Can you share the Kerberos SSO configuration?

     

    Did you edit the /etc/krb5.conf file?

     


  • Hi Jban,

     

    What exactly started working? Classic KCD or Resource Based KCD?