Kerberos SSO Clients Not Getting Ticket

Question

I'm setting up a new Kerberos SSO site. I've copied the config from a working SSO site we already have setup. In the VPE we have the 401 with negotiate and then the Kerberos authentication. Everything looks in order, but we are failing Kerberos authentication. In the logs I get a message stating:&nbsp;
"GSS-API error gss_accept_sec_context: 70000 : No credentials were supplied, or the credentials were unavailable or inaccessible "&nbsp;
Also I've taken packet captures comparing the good and the new SSO. When connecting to the good SSO I see the client reach out and get a ticket, however with the new SSO I do not see any kerberos traffic captured. What could I be missing that is not triggering the client to go get a Kerberos ticket?&nbsp;

robert_juric_35 · Accepted Answer

The other answer showed me the problem. In our testing, we were going directly to the virtual server IP instead of the FQDN. Since the IP didn't match what was in the UPN it was failing kerberos. As soon as we entered the FQDN as the URL everything worked fine.

youssef1 · Answer

Hello,&nbsp;
I just want to clarify your question.&nbsp;
You have an working VPE that process kerberos auth, that's right? This policy/service is an IDP (SAML Auth)? or Web access management (Perimeter security) with sso kerberos?&nbsp;
Regards&nbsp;

robert_juric_35 · Answer

Yes, I have one working VPE processing kerberos auth, and a new one which is not triggering the client to get a ticket. Both are setup as for IDPs.&nbsp;

youssef1 · Answer

Hello Robert,&nbsp;
I understand your issue, to sum up, you have on service as IDP that authenticate user (kerberos). you have copied the VPE and attached this new vpe to a new services.&nbsp;
it's quite normal that it does not work, because of kerberos. let me explain.&nbsp;
Actual service idp1.mydomain.com&nbsp;
Copied service idp2.mydomain.com&nbsp;
In the VPE of service idp2 you have to create a new Keytab with the following spn HTTP/idp2.mydomain.com.&nbsp;
You have to now that kerberos use dns record in its auth process.
when you try to reach/auth in idp2, you system will follow this steps:&nbsp;
a record of idp2.mydomain.com --&gt; ex: 1.1.1.2ptr of 1.1.1.2 --&gt; idp2.mydomain.comcheck if spn HTTP/idp2.mydomain.com
The problem is that spn idp2 don't exist and the keytab attached to idp2 vpe is not valid because it's spn used by idp1...&nbsp;
Let me now if it's clear for you and if you need additional help.&nbsp;
Regards&nbsp;

Forum Discussion

Kerberos SSO Clients Not Getting Ticket

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Getting Started

Getting Started with BIG-IP Next: Fundamentals

Getting Started with BIG-IP Next: Upgrading Instances

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Getting Started with BIG-IP Next: Configuring Instance High Availability