Kerberos SSO resource and account not in the same domain
Hi,
We created the F5 service account in Domain1 as host/. Users are in domain1.local. The web resource is in domain2.local, with an SPN of, let's say, HTTP/webresource.domain2.local.
When I test with kinit and kvno for the F5 and user accounts, everything works fine.
But when I specify the SPN in APM like HTTP/webresource.domain2.local or HTTP/webresource.domain2.local@DOMAIN2.LOCAL, I get errors like: Matching credential not found (-1765328243)
On the resource in Domain2 we grant rights for host/ with Set-ADUser IIS_Service_User … -Principals…, per this document: https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
Does anyone have a setup like this on F5 and can share the config?
Changed -> Dns_lookup_kdc = true. Analysing the packet capture, the answer was found.
USERDOMAIN.INTERNAL was a child domain of INTERNAL, and INTERNAL KCD was not allowed on the firewall. After allowing INTERNAL KCD, stuff started to work.
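As an added example (not part of the original post, and not F5 or MIT Kerberos code): a small Python helper that lists which realms' KDCs a client must be able to reach for a cross-realm request, either by walking the default hierarchical path (child domain up to the common parent and down again, the path the resolution above ran into) or by following an explicit [capaths]-style entry, plus a TCP/88 reachability probe for the KDCs of each realm on that path. Realm names and KDC hostnames in it are constructed placeholders; it assumes Active Directory style realms whose names are the upper-cased DNS domain names.

```python
"""Cross-realm Kerberos path helper (added example, not from the original post).

Assumptions:
  * realm names are upper-cased DNS domain names (AD style), so the parent of
    USERDOMAIN.INTERNAL is INTERNAL;
  * without an explicit capaths entry the client follows the hierarchical path,
    which is the MIT krb5 default;
  * KDCs listen on TCP 88 (KERBEROS_PORT) and are given explicitly here rather
    than discovered through DNS SRV records, so the probe needs no extra libraries.
"""
import socket

KERBEROS_PORT = 88


def _ancestors(realm):
    """'USERDOMAIN.INTERNAL' -> ['USERDOMAIN.INTERNAL', 'INTERNAL']."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def realm_path(client_realm, service_realm, capaths=None):
    """Ordered list of realms whose KDC the client has to talk to.

    capaths mimics the krb5.conf [capaths] layout:
      {"CLIENT.REALM": {"SERVICE.REALM": ["INTERMEDIATE", ...]}}
    where "." means a direct trust with no intermediate hop.
    Raises ValueError when neither a capaths entry nor a common parent exists,
    which is the case for two unrelated forests without configured trust paths.
    """
    client, service = client_realm.upper(), service_realm.upper()
    if client == service:
        return [client]

    # Explicit path wins, exactly as an explicit [capaths] entry does.
    if capaths and service in capaths.get(client, {}):
        hops = [hop.upper() for hop in capaths[client][service] if hop != "."]
        return [client, *hops, service]

    # Hierarchical path: up from the client realm to the closest common parent,
    # then down to the service realm.
    up, down = _ancestors(client), _ancestors(service)
    common = next((realm for realm in up if realm in down), None)
    if common is None:
        raise ValueError(
            f"no common parent realm between {client} and {service}; "
            "an explicit capaths entry or trust path is required"
        )
    path = up[: up.index(common) + 1]
    path += list(reversed(down[: down.index(common)]))
    return path


def probe_kdcs(kdcs_by_realm, timeout=2.0):
    """Try a TCP connect to port 88 of each listed KDC.

    kdcs_by_realm: {"INTERNAL": ["dc1.internal", ...], ...}
    Returns {realm: [(host, reachable), ...]}. A False here for any realm on
    the realm_path() output is the symptom seen in the post: a firewall that
    allows the child-domain KDC but blocks the parent's.
    """
    results = {}
    for realm, hosts in kdcs_by_realm.items():
        results[realm] = []
        for host in hosts:
            try:
                with socket.create_connection((host, KERBEROS_PORT), timeout=timeout):
                    results[realm].append((host, True))
            except OSError:
                results[realm].append((host, False))
    return results


if __name__ == "__main__":
    # Constructed placeholders modelled on the layout in the post.
    path = realm_path("USERDOMAIN.INTERNAL", "DOMAIN2.INTERNAL")
    print("realms whose KDC must be reachable:", " -> ".join(path))
    # Placeholder KDC hostnames; replace with the real domain controllers.
    kdcs = {realm: [f"dc1.{realm.lower()}"] for realm in path}
    for realm, checks in probe_kdcs(kdcs, timeout=1.0).items():
        for host, ok in checks:
            print(f"{realm:24} {host:32} {'ok' if ok else 'UNREACHABLE'}")
```

Running it with the real domain controller names gives one line per realm on the path; the parent realm (INTERNAL in the post) showing UNREACHABLE while the child realm is fine is exactly the firewall situation described above, and is quicker to spot than reading it out of a packet capture.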