Forum Discussion

MD_
Feb 08, 2017

Kerberos SSO : Server not found in Kerberos database (-1765328377)

Hi,

I am trying to configure Kerberos SSO between F5/APM and IIS. I am getting this error message:

Feb 8 18:17:00 bigip12 info websso.3[2776]: 014d0011:6: /Common/Kerb:Common:7828fdf8: Websso Kerberos authentication for user 'testaccount' using config '/Common/SSO-kerberos'
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0046:7: /Common/Kerb:Common:7828fdf8: adding item to WorkQueue
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0018:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 server address = ::ffff:XXX.XXX.XXX.XXX (IP address masked)
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0021:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 SPN = HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0023:7: S4U ======> /Common/Kerb:Common:7828fdf8: ctx: 0x8ef0f38, user: testaccount@AD.TEST.FR, SPN: HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testaccount@AD.TEST.FR - Server not found in Kerberos database (-1765328377)
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0024:3: /Common/Kerb:Common:7828fdf8: Kerberos: Failed to get ticket for user testaccount@AD.TEST.FR
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0048:3: /Common/Kerb:Common:7828fdf8: failure occurred when processing the work item

I tried to follow Kevin Stewart's and Cody Green's advice but it is still not working (if you read me, guys, please do not hesitate to answer :o)).

I tried to use this command: kinit -f. And it is working.

But this one is not: knvo -C -U. KNVO is not recognized.

Help is welcome,

Thanks

MD

 

1 Reply

  • Hi MD,

    the KDC error -1765328377 refers to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and means that the domain controller was unable to find a matching service account for this Service Principal Name (SPN).

    Please check if the Service Principal Name HTTP/iis.ad.test.fr is registered in Active Directory and that this name is either linked to the service account of your IIS web application (in the case that IIS Kernel mode caching is disabled) or to the computer account hosting the IIS service (if Kernel mode caching is enabled or if the website is running under a system identity like network service, local system, etc.)

    C:\Windows\system32>setspn -Q HTTP/iis.ad.test.fr

    The next step would be to check if LTM's service account is already allowed to perform a Kerberos Protocol Transition and Constrained Delegation to this SPN. But let's see if the addition of the SPN already resolves your problem...

    Cheers, Kai
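As an added example (not code from the thread, MD_ or Kai), the following script turns the decoding step in Kai's reply into a small triage tool: it parses websso log lines in the format shown in the question, pulls out the user, the SPN and the numeric error, and maps the number to its symbolic krb5 name. The mapping relies on the MIT krb5 convention that KDC error codes are KRB5KDC_ERR_NONE (-1765328384) plus the RFC 4120 error number, so -1765328377 is error 7, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The sample log is constructed from the lines in the post; the next-step hints follow Kai's answer (check the SPN with setspn -Q, then check protocol transition and constrained delegation).

```python
"""Triage helper for BIG-IP APM websso Kerberos SSO failures (added example)."""
import re

# MIT krb5 error-table base for KDC errors; a KDC error number N is printed as base + N.
KRB5KDC_ERR_NONE = -1765328384

# RFC 4120 section 7.5.9 error numbers that commonly surface in S4U2Self/S4U2Proxy SSO.
KDC_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KRB5KDC_ERR_BADOPTION",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    68: "KRB5KDC_ERR_WRONG_REALM",
}

# Constructed sample: the log excerpt from the forum question, IP already masked there.
SAMPLE_LOG = """\
Feb 8 18:17:00 bigip12 info websso.3[2776]: 014d0011:6: /Common/Kerb:Common:7828fdf8: Websso Kerberos authentication for user 'testaccount' using config '/Common/SSO-kerberos'
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0018:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 server address = ::ffff:XXX.XXX.XXX.XXX (IP address masked)
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0021:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 SPN = HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0023:7: S4U ======> /Common/Kerb:Common:7828fdf8: ctx: 0x8ef0f38, user: testaccount@AD.TEST.FR, SPN: HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testaccount@AD.TEST.FR - Server not found in Kerberos database (-1765328377)
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0024:3: /Common/Kerb:Common:7828fdf8: Kerberos: Failed to get ticket for user testaccount@AD.TEST.FR
"""

SPN_RE = re.compile(r"SPN[ =:]+(\S+)")                  # "SPN = x" or "SPN: x"
USER_RE = re.compile(r"user:? '?([\w.\-]+@[\w.\-]+)")   # only full principals (user@REALM)
CODE_RE = re.compile(r"\((-\d+)\)\s*$")                 # trailing "(-1765328377)"


def decode_krb5_error(code):
    """Map a negative krb5 error code, as printed by websso, to its symbolic name."""
    number = code - KRB5KDC_ERR_NONE
    return KDC_ERRORS.get(number, "UNKNOWN_KDC_ERROR_%d" % number)


def next_step(name, spn):
    """Defender-side check to run next, following the diagnosis given in the reply."""
    service = spn.split("@")[0] if spn else "<SPN>"  # setspn takes the SPN without the realm
    if name == "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN":
        return ("no AD account owns this SPN; verify with: setspn -Q %s and register it on "
                "the IIS app-pool service account or the IIS computer account" % service)
    if name == "KRB5KDC_ERR_BADOPTION":
        return ("KDC rejected the S4U request; check that the APM service account is allowed "
                "protocol transition and constrained delegation to %s" % service)
    return "no automated hint for %s; check the KDC event log" % name


def triage(log_text):
    """Extract user, SPN and error code from websso lines and explain the failure."""
    result = {"user": None, "spn": None, "code": None, "name": None, "next_step": None}
    for line in log_text.splitlines():
        if result["spn"] is None and (m := SPN_RE.search(line)):
            result["spn"] = m.group(1).rstrip(",")
        if result["user"] is None and (m := USER_RE.search(line)):
            result["user"] = m.group(1)
        if result["code"] is None and (m := CODE_RE.search(line)):
            result["code"] = int(m.group(1))
    if result["code"] is not None:
        result["name"] = decode_krb5_error(result["code"])
        result["next_step"] = next_step(result["name"], result["spn"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-10s %s" % (key, value))
```

Running it against the sample prints the SPN, the user, the code decoded as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and the setspn -Q check from the reply; feeding it a BADOPTION failure (-1765328371) points at the delegation check Kai names as the step after the SPN is in place.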