Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Apr 17, 2019

Halted SSO retry for request - meaning

I have an APM protected SP2013 farm that was working via KCD SSO until very recently. No changes were done on the F5 side, but I suspect a GPO push was rolled out. I can see the F5 getting a TGT and TGS - everything looks good and S4U => OK.

 

I still see the back end web front ends sending the authorization negotiate header however.

 

In my debug logs after the S4U = OK, I see server TMEVT_RESPONSE followed by an "Halted SSO retry for request line" which is then followed by client TMEVT_RESPONSE.

 

I am unable to post the actual logs here, but I was curious to the meaning of the "Halted SSO retry for response" line - as I do not see this line occurring in other configs for other farms that are working properly from an SSO perspective. I'm assuming APM receives something in the server TMEVT_RESPONSE that causes the SSO halt. I'm trying to narrow down what to look for.

 

My APM and KCD SSO config is rock solid. Good SPN, delegation, defined host/svc name, etc.

 

APM
application delivery

3 Replies

Sort By
  • eric_haupt1's avatar
    eric_haupt1
    Icon for Nimbostratus rankNimbostratus
    Apr 18, 2019

    I've been told MS made some changes regarding RC4 deprecation... but I see no auth issues at all. My service account is supporting other farms just fine, which tells me from a realm perspective it is fully functional. It was just one group of apps that was affected... of course it's going to be difficult finding out what they changed to try and get STIG compliant.

     

    • MeMyselfandThem's avatar
      MeMyselfandThem
      Icon for Nimbostratus rankNimbostratus
      Nov 12, 2019

      Eric, did you ever find an answer to this? I'm seeing the same thing for us moving to SharePoint 2016 on server 2016. My other vips seem to work fine. I even have the same configuration on a test farm that is working so I'm a bit perplexed.