Forum Discussion

Nelgin_Nepolean
Nov 01, 2016

Kerberos: can't get S4U2Self ticket for user Exch2016@MYDOMAIN.COM - Server not found in Kerberos database (-1765328377)

We are publishing Exchange 2016 through F5 APM. We are facing an issue with Outlook Anywhere, as NTLM authentication is used. I have used the latest available iApp for the Exchange 2016 deployment and followed the deployment guide. Configured the Machine Account as well as the NTLM Auth configuration. Created the delegation account in AD. The user is not getting authenticated while accessing the Outlook client from outside the office. I can see the following error logs from APM:

 

Nov 1 13:00:58 F5APM info websso.3[8870]: 014d0011:6: 6cbcede9: Websso Kerberos authentication for user 'Exch2016' using config '/Common/exch_2016.app/exch_ntlm_kerberos_edge_sso'
Nov 1 13:00:58 F5APM debug websso.3[8870]: 014d0046:7: 6cbcede9: adding item to WorkQueue
Nov 1 13:00:58 F5APM debug websso.3[8870]: 014d0021:7: sid:6cbcede9 ctx:0x87b57e0 SPN = HTTP/mymail.mydomain.com@ABC.NET
Nov 1 13:00:58 F5APM debug websso.3[8870]: 014d0023:7: S4U ======> ctx: 6cbcede9, sid: 0x87b57e0, user: Exch2016@MYDOMAIN.COM, SPN: HTTP/mymail.mydomain.com@ABC.NET
Nov 1 13:00:58 F5APM debug websso.3[8870]: 014d0001:7: Getting UCC:Exch2016@MYDOMAIN.COM@ABC.NET, lifetime:36000
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: fetched new TGT, total active TGTs:1
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: TGT: client=svc_apm@ABC.NET server=krbtgt/ABC.NET@ABC.NET expiration=Tue Nov 1 23:00:58 2016 flags=40610000
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: TGT expires:1478030458 CC count:0
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: Initialized UCC:Exch2016@MYDOMAIN.COM@ABC.NET, lifetime:36000 kcc:0x9177068
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: Exch2016@MYDOMAIN.COM server: HTTP/mymail.mydomain.com@ABC.NET - trying to fetch
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: Exch2016@MYDOMAIN.COM - trying to fetch
Nov 1 13:00:58 F5APM err websso.1[8768]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user Exch2016@MYDOMAIN.COM - Server not found in Kerberos database (-1765328377)
Nov 1 13:00:58 F5APM err websso.1[8768]: 014d0024:3: 6cbcede9: Kerberos: Failed to get ticket for user Exch2016@MYDOMAIN.COM
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: ctx: 0x9037f10, SERVER: TMEVT_NOTIFY
Nov 1 13:00:58 F5APM err websso.1[8768]: 014d0048:3: 6cbcede9: failure occurred when processing the work item
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: ctx: 0x9037f10, SERVER: TMEVT_RESPONSE
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: 6 headers received
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header *[:status][401 Unauthorized] (len=16)
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header *[WWW-Authenticate][NTLM] (len=4)
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header [Server][Microsoft-IIS/8.5] (len=17)
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header [Date][Tue, 01 Nov 2016 10:02:13 GMT] (len=29)
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header [request-id][e006ab17-b82a-48aa-91a2-dadcd6e5d604] (len=36)
Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: http header [Content-Length][0] (len=1)

 

Nov 1 13:00:58 F5APM debug websso.1[8768]: 014d0001:7: Halted SSO retry for request

It would be appreciated if anyone has an idea about this issue.

 

Nelgin

 

4 Replies

  • Is Exch2016@MYDOMAIN.COM the correct service principal name for the delegation account? Is MYDOMAIN.COM the actual domain name?

     

  • Right, so a few more questions:

     

    1. Does the user's account name include the 'real' domain name? For example, if the domain is MYDOMAIN.COM, is the user account user@DOMAIN.COM, or is it something else? Something in a different domain, or an alias?

       

    2. Is the delegation account a member of the same domain as the Exchange servers?

       

  • Example: ABC/exch2016 or exchange2016@mydomain.com

     

    I'm probably splitting hairs here, but you seem to be using "mydomain.com" and "ABC" interchangeably. My point is: if the domain name is "ABC.NET", is the user principal name for that account @abc.net, or is it @mydomain.net (i.e. not the same as the domain name)?

     

    I ask because using a UPN realm alias requires an extension to the Kerberos protocol that APM Kerberos SSO currently does not have. If the UPN realm and domain name are different, you have to inject the user's sAMAccountName as the SSO username source and the real domain name (ABC.NET) as the SSO domain realm source.

     
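The UPN-suffix mismatch described in the reply above can be found in bulk before touching the APM configuration. The following is an added example, not part of the thread or of any F5 deployment guide: it takes the Kerberos realm to be the AD domain's DNS root (assumed to be ABC.NET here) and lists every enabled user whose UPN suffix differs from it, together with the sAMAccountName that the APM SSO username source would then have to carry.

```powershell
# Added example (not from the thread): find users whose UPN suffix is a realm alias.
# Assumption: the Kerberos realm is the domain's DNS root (e.g. ABC.NET); the UPN
# suffix is whatever alternative suffix the AD admins added (e.g. mydomain.com).
Import-Module ActiveDirectory

$Realm = (Get-ADDomain).DNSRoot.ToUpper()   # e.g. ABC.NET

Get-ADUser -Filter 'Enabled -eq $true' -Properties userPrincipalName, sAMAccountName |
    ForEach-Object {
        $suffix = if ($_.UserPrincipalName) { ($_.UserPrincipalName -split '@')[-1] } else { '' }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName        # value for the APM SSO username source
            UPN            = $_.UserPrincipalName
            KerberosRealm  = $Realm                   # value for the APM SSO realm source
            RealmAlias     = ($suffix -ne '' -and $suffix.ToUpper() -ne $Realm)
        }
    } |
    Where-Object RealmAlias |
    Format-Table -AutoSize
```

Any account that shows up with RealmAlias set to True is one for which, as the reply says, APM has to be handed the sAMAccountName as the username and the real domain name as the realm rather than the UPN as presented by the client.
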

  • Hi,

     

    I think you're wrong with the SPN configuration.

     

    In AD, only a service can have the delegation role, not a user. Adding an SPN (servicePrincipalName) to a user gives it the delegation role capability.

     

    the delegation account must be:

     

    • sAMAccountName : svc_apm.abc.net
    • UserprincipalName : host/svc_apm.abc.net@abc.net
    • ServicePrincipalName = host/svc_apm.abc.net

    The setspn command configures the SPN from the command line. In a comment, you mentioned setspn with the SPN host/mail.company.com... this is not the right configuration.

     

    Then for your Exchange account, you must configure the following:

     

    • sAMAccountName : svc_exchange
    • UserprincipalName : svc_exchange@abc.net
    • ServicePrincipalName = host/mail.mydomain.com

    Then in the delegation account, add delegation to the service svc_exchange. It will display all SPNs, including http/mail.mydomain.com.

     

    To display a user's SPN list, you can add the Attribute Editor tab in user properties. To add this tab, enable View/Advanced Features in Active Directory Users and Computers.

     

    Then you can view and edit the servicePrincipalName attribute for every user.

     

    When deploying for new customers, I don't use setspn anymore, because it's easier to understand what I'm doing with the Attribute Editor. setspn does not add the right to access this server; it only gives a service name to a user.
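The account layout in the reply above, scripted end to end so it can be reproduced and verified. This is an added example and not code from the thread or from F5; it assumes the realm ABC.NET, an OU called "OU=Service Accounts,DC=abc,DC=net", a delegation account named svc_apm.abc.net (the pattern the reply describes) and the target SPN HTTP/mymail.mydomain.com taken from the log in the question. Beyond the SPN/UPN settings the reply lists, it also sets the two things the APM log lines S4U2Self and S4U2Proxy depend on: the msDS-AllowedToDelegateTo list (constrained delegation to the Exchange SPN) and the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition, "Use any authentication protocol" in the ADUC Delegation tab), without which the KDC will not issue an S4U2Self ticket.

```powershell
# Added example (not from the thread): create the APM delegation account as described
# above and enable constrained delegation with protocol transition.
# Assumed names: realm ABC.NET, OU below, account svc_apm.abc.net, target SPN from the log.
Import-Module ActiveDirectory

$Realm        = 'abc.net'
$OU           = 'OU=Service Accounts,DC=abc,DC=net'   # assumption
$DelegAccount = 'svc_apm.abc.net'
$DelegSpn     = "host/$DelegAccount"
$TargetSpn    = 'http/mymail.mydomain.com'            # SPN APM asks for in the log

# 1. Delegation account with sAMAccountName, UPN and SPN laid out as the reply recommends.
$pw = Read-Host -AsSecureString -Prompt "Password for $DelegAccount"
New-ADUser -Name $DelegAccount -SamAccountName $DelegAccount `
    -UserPrincipalName "$DelegSpn@$Realm" `
    -ServicePrincipalNames @($DelegSpn) `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -Path $OU

# 2. The target SPN must be registered on exactly one account (the Exchange computer
#    account or a service account). A missing or duplicate SPN is a common reason for
#    "Server not found in Kerberos database".
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)" -Properties servicePrincipalName)
if ($owners.Count -ne 1) {
    throw "Expected exactly one owner of $TargetSpn, found $($owners.Count)"
}

# 3. Constrained delegation to that SPN, plus protocol transition so the KDC honours
#    S4U2Self requests from this account (the step the APM log fails on).
Set-ADUser -Identity $DelegAccount -Add @{ 'msDS-AllowedToDelegateTo' = @($TargetSpn) }
Set-ADAccountControl -Identity $DelegAccount -TrustedToAuthForDelegation $true

# 4. Verify. 0x1000000 is the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl.
$acct = Get-ADUser -Identity $DelegAccount `
    -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl, userPrincipalName
[pscustomobject]@{
    SamAccountName      = $acct.SamAccountName
    UserPrincipalName   = $acct.UserPrincipalName
    SPNs                = ($acct.servicePrincipalName -join ', ')
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = [bool]($acct.userAccountControl -band 0x1000000)
} | Format-List

# Cross-check with the tool the thread discusses: list this account's SPNs and confirm
# the target SPN resolves in the forest.
setspn -L $DelegAccount
setspn -Q $TargetSpn
```

The verification step is the part worth running even on an existing deployment: if AllowedToDelegateTo is empty or ProtocolTransition is False, APM can obtain its own TGT (the log shows it did) but the KDC will still refuse the S4U2Self ticket, which matches the failure in the question.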