Forum Discussion

JoeTheFifth
Jul 05, 2017

BigIP APM KCD Multiple Forests

Hi. I have a setup like this:

  • Forest A:
    • domain = domainA.com
    • Web server = serverA.domainA.com
    • Web App = webapp1.coolapp.com (this is added to the UPN suffix routing on domainA (forestA))
    • Web app configured with Kerberos auth and works fine
  • Forest B:
    • Users = userB
    • two-way forest trust is in place

UserB is able to connect with Kerberos auth from a computer in forest B to the web app in forest A.

So Kerberos auth is OK.

Now to APM. BigIP with APM policy. The policy does this: userB opens the link => gets a login page => enters a username 'userb' (no domain) and password. He is authenticated using an AAA server in forestB => goes through an SSO credential mapping to access webappa.coolapp.com and there you have a nice blank page. The policy is using a Kerberos SSO config with a service account in DomainB (forestB). Result => the Kerberos SSO config is trying to get a ticket for userb_at_domainB.com and server http/webappa.coolapp.com_at_domainB.com. Remember the web app is in domainA. I tried a Kerberos SSO config in Domain A.

Any hints on how to make the ticket request use userb_at_domainb.com and server http/webappa.coolapp.com_at_domainA.com?

The error is: Realm not local to KDC

4 Replies

  • APM log when using the Kerberos SSO conf of domainA (Kerberos service account in domain A):

    8472f4ff: Websso Kerberos authentication for user 'userb' using config '/Common/F5-ADFSProxy-KerbSSO'
    8472f4ff: adding item to WorkQueue
    sid:8472f4ff ctx:0x8676928 server address = ::ffff:10.0.10.3
    sid:8472f4ff ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINA.COM
    S4U ======> ctx: 8472f4ff, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webappb1.coolapp.com@DOMAINA.COM
    Getting UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000
    Found UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000 left:35563
    UCCmap.size = 4
    S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webappb1.coolapp.com@DOMAINA.COM - trying to fetch
    S4U ======> - NO cached S4U2Self ticket for user: userb@DOMAINB.COM - trying to fetch
    Kerberos: can't get S4U2Self ticket for user userb@DOMAINB.COM - Realm not local to KDC (-1765328316)
    8472f4ff: Kerberos: Failed to get ticket for user userb@DOMAINB.COM

    User domain is OK, web server domain is OK, result KO.

    Now: using a Kerberos SSO conf with a service account in domainB:


    info websso.1[14088]: 014d0011:6: 9c741e95: Websso Kerberos authentication for user 'userb' using config '/Common/DOMAINB-KCD'
    debug websso.1[14088]: 014d0046:7: 9c741e95: adding item to WorkQueue
    debug websso.1[14088]: 014d0018:7: sid:9c741e95 ctx:0x8676928 server address = ::ffff:10.0.10.3
    debug websso.1[14088]: 014d0021:7: sid:9c741e95 ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINB.COM
    debug websso.1[14088]: 014d0023:7: S4U ======> ctx: 9c741e95, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webapp1.coolapp.com@DOMAINB.COM
    debug websso.1[14088]: 014d0001:7: Getting UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000
    debug websso.1[14088]: 014d0001:7: Found UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000 left:35280
    debug websso.1[14088]: 014d0001:7: UCCmap.size = 4
    debug websso.1[14088]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM - trying
    debug websso.1[14088]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM
    err websso.1[14088]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/webapp1.coolapp.com@DOMAINB.COM - Requesting ticket can't get forwardable ticke
    err websso.1[14088]: 014d0024:3: 9c741e95: Kerberos: Failed to get ticket for user userb@DOMAINB.COM

    User domain is OK, server domain is KO, result KO.

  • OK, got it working. I have read different docs and posts to get to the right info but had to use Network Monitor to see that the last error I was getting (Server not found in Kerberos database) was due to the format of the service account used in the SSO conf being sAMAccountName instead of the SPN format. The KDC in domainB was not able to locate the SPN of the service account since no realm name was being sent in the request.

    LTM version 11.5.4. In order for the BigIP to get a Kerberos ticket for a user in domainB (forestB) to a resource in domainA (forestA) you need to:

    • enter the SPN format of the delegation service account name in the Kerberos SSO configuration
    • leave the KDC entry empty when you are, as in my case, in a cross forest/domain setup
    • the web application or resource must be in the same domain (domainA here) as the delegation service account

    Of course, when using a hostname for your site like webapp1.coolapp.com which is not a subdomain of your Active Directory domain, you have to add a UPN mapping to domainA to specify that its KDC is responsible for this hostname (remember your web app service account uses HTTP/webapp1.coolapp.com as its SPN), so any queries for this SPN will be fulfilled by the domainA KDC.

    UPN Routing:
    https://blogs.msdn.microsoft.com/spatdsg/2008/08/21/kerberos-domain-routing/
    https://blogs.technet.microsoft.com/askds/2009/04/10/name-suffix-routing/

    Just for reference, the other error I was getting was: Realm not local to KDC. I was getting this error when I was specifying a KDC (domainA domain controller) in the KDC text box in the SSO config. In a cross domain setup you should leave this empty.

    IMPORTANT NOTE: When you change the service account format, do re-enter the password and, most of all, do run this command to purge the whole websso Kerberos cache:

    bigstart restart websso


    https://f5guru.com/2016/08/23/kerberos-is-easy-part-2/


    • JoeTheFifth

      Another important config element: name resolution. I tested these configurations:

      1. Adding trusted domain realms in the BigIP krb5.conf (in the /etc/ folder) => works fine. This makes it possible for the BigIP to find the KDCs of the trusted domains because, remember, you should not put them in the SSO config in a trusted domain setup.
      2. Adding the KDCs (domain controllers) to the hosts file of the BigIP => does not work in my case.
      3. Adding DNS servers of the trusted domains to the BigIP DNS conf => works fine.

      Now to the web application hostname: I added the hostname webapp1.coolapp.com to the BigIP hosts file when I started working on this setup and forgot it there. My SSO started working when I did all the pieces and I thought that the BigIP was getting the tickets for users and sending them to the pool members (servers), since the web servers and delegation service account are in the same domain. But I never thought of how the BigIP finds the web server behind the SPN/hostname webapp1.coolapp.com. I removed the web app hostname from the BigIP hosts file and the SSO stopped working. So it looks like the BigIP has to resolve the hostname to a web server to do the Kerberos delegation. I thought it automatically does this since I'm asking for hostname webapp1.coolapp.com on a VS which has servers behind it, so why does the system need to know where the hostname is hosted!!! In a production environment this does not make sense because the hostname will be registered in DNS as hostname = VS IP!!! I'm still testing so I will come back with more info on this later.

  • The answer to the last question is: in the case of a web application running under a service account you should fill in the 'SPN Pattern' box of the SSO configuration as follows: HTTP/%h. APM Kerberos Constrained Delegation is working fine.
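A small checker, added here and not part of the thread or of F5's code, that runs the rules this thread arrived at over the two websso excerpts posted above: it pulls out the user principal and the SPN, flags an SPN realm that differs from the web application's own domain (the "service account must be in the resource's domain" rule), and maps the two error strings the thread explains to the causes found for them. The `resource_realm` argument, the `Diagnosis` fields and the advice wording are my own; the log records are copied from the thread, trimmed to the lines the checker needs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Two websso excerpts from the thread above, trimmed to SPN, user principal and final error.
LOG_SSO_DOMAINA = """\
sid:8472f4ff ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINA.COM
S4U ======> ctx: 8472f4ff, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webappb1.coolapp.com@DOMAINA.COM
Kerberos: can't get S4U2Self ticket for user userb@DOMAINB.COM - Realm not local to KDC (-1765328316)
"""
LOG_SSO_DOMAINB = """\
debug websso.1[14088]: 014d0021:7: sid:9c741e95 ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINB.COM
debug websso.1[14088]: 014d0023:7: S4U ======> ctx: 9c741e95, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webapp1.coolapp.com@DOMAINB.COM
err websso.1[14088]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/webapp1.coolapp.com@DOMAINB.COM - Requesting ticket can't get forwardable ticke
"""

USER_RE = re.compile(r"user:?\s+([\w.\-]+@[\w.\-]+)")
SPN_RE = re.compile(r"SPN\s*[=:]\s*(HTTP/[\w.\-]+@[\w.\-]+)")

# Error strings seen in the thread, mapped to the cause the thread found for each.
KNOWN_ERRORS = {
    "Realm not local to KDC": "KDC field is filled in the Kerberos SSO config; leave it empty in a cross-forest setup",
    "Server not found in Kerberos database": "delegation account entered as sAMAccountName; use the SPN format instead",
}

@dataclass
class Diagnosis:  # assumed structure, not an APM object
    user: Optional[str]
    spn: Optional[str]
    spn_realm_mismatch: bool
    errors: List[str] = field(default_factory=list)
    advice: List[str] = field(default_factory=list)

def diagnose(log: str, resource_realm: str) -> Diagnosis:
    """Apply the thread's rules to one websso excerpt for a web app living in resource_realm."""
    user = m.group(1) if (m := USER_RE.search(log)) else None
    spn = m.group(1) if (m := SPN_RE.search(log)) else None
    # Thread rule: the delegation account (hence the SPN realm) must be in the web app's domain.
    mismatch = bool(spn) and spn.split("@", 1)[1].upper() != resource_realm.upper()
    d = Diagnosis(user, spn, mismatch)
    if mismatch:
        d.advice.append(f"SPN realm {spn.split('@', 1)[1]} differs from {resource_realm}: "
                        "use a delegation account in the web application's domain")
    for text, cause in KNOWN_ERRORS.items():
        if text in log:
            d.errors.append(text)
            d.advice.append(cause)
    return d
```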