Kerberos double hop working with APM?
We are currently using a full webtop with a link to a web page that gives users access to their home directory. This requires a new authentication (at the moment NTLM). We would like to use SSO via Kerberos.
The communication is as follows: APM logon page -> webtop -> link to website -> web app to file server via CIFS with the user's credentials
APM OS is 14.1.2, the web server is MS Server 2012R2 with IIS 8, and the file server is MS Server 2012R2, too.
I created a Kerberos SSO object in APM with a dedicated user and SPN as listed here:
Username Source: session.sso.token.last.username
User Realm Source: session.logon.last.domain
Kerberos Realm: DOMAIN.LOCAL
KDC:
UPN: (disabled)
Account Name: host/apm-kcd.domain.local
SPN Pattern: HTTP/fileshare.domain.local@DOMAIN.LOCAL
Send Auth on 401
User account in AD:
ServicePrincipalName: host/apm-kcd.domain.local
UserPrincipalName: host/apm-kcd.domain.local@DOMAIN.LOCAL
No error in the log, but it's not working...
...
92ecf879:S4U ======> - we have cached S4U2Proxy ticket for user: itsme@DOMAIN.LOCAL server: HTTP/fileshare.domain.local@DOMAIN.LOCAL
92ecf879:S4U ======> OK!
92ecf879:GSSAPI: Server: HTTP/fileshare.domain.local@DOMAIN.LOCAL, User: itsme@DOMAIN.LOCAL
92ecf879:GSSAPI Init_sec_context returned code 0
92ecf879:GSSAPI token of length 1889 bytes will be sent back
...
I do not know if the double hop ever works in APM or if it is the target webapp.
Any ideas?
Thanks & best regards,
Kay
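The log above shows APM completing the first hop (an S4U2Proxy ticket for HTTP/fileshare.domain.local), so a useful next check is whether each account in the chain is allowed to delegate to the next service. The following is an added PowerShell check, not code from the post or from F5; it assumes the APM KCD account name from the post, and the IIS application pool identity and the file server CIFS SPN are placeholders you must replace.

```powershell
# Added check script (not from the original post). The KCD account and the
# HTTP SPN come from the post; the web app identity and CIFS SPN are placeholders.
Import-Module ActiveDirectory

$ApmKcdAccount  = 'apm-kcd'                        # from the post
$WebAppIdentity = 'svc-webapp'                     # PLACEHOLDER: IIS app pool service account
$Hop1TargetSpn  = 'HTTP/fileshare.domain.local'    # from the post (SPN pattern, realm dropped)
$Hop2TargetSpn  = 'cifs/FILESERVER.domain.local'   # PLACEHOLDER: file server CIFS SPN

# userAccountControl bit meaning "trusted to authenticate for delegation" (protocol transition)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Test-DelegationHop {
    param([string]$Account, [string]$TargetSpn)
    $obj = Get-ADUser -Identity $Account -Properties servicePrincipalName, `
        'msDS-AllowedToDelegateTo', TrustedForDelegation, userAccountControl
    $allowed = @($obj.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account            = $Account
        HasOwnSpn          = (@($obj.servicePrincipalName).Count -gt 0)
        DelegatesTo        = ($allowed -join ', ')
        AllowedToTarget    = ($allowed -contains $TargetSpn)   # constrained delegation to this SPN
        ProtocolTransition = (($obj.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        UnconstrainedDeleg = [bool]$obj.TrustedForDelegation   # should be False; least privilege
    }
}

# Hop 1: APM obtains an HTTP service ticket for the web server on the user's behalf.
Test-DelegationHop -Account $ApmKcdAccount -TargetSpn $Hop1TargetSpn | Format-List
# Hop 2: the web application identity must itself be allowed to delegate to the CIFS service.
Test-DelegationHop -Account $WebAppIdentity -TargetSpn $Hop2TargetSpn | Format-List
```

If the application pool runs under the machine identity (ApplicationPoolIdentity or Network Service), query the web server's computer object with Get-ADComputer instead of Get-ADUser for the second hop.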