Forum Discussion

ADCLearner
Mar 26, 2024

502 (bad gateway) error with Kerberos SSO in "Clientless" mode when authenticating with WCF services

Currently, we are encountering a 502 (bad gateway) error with Kerberos SSO in "Clientless" mode when authenticating with WCF services.

To enable the proper functioning of WCF with APM policies, we have enabled the "Clientless" mode to avoid redirecting services to "my.policy", as these are lightweight client-side services.
In the iRule, we are using the following command:
HTTP::header insert "clientless-mode" 1

Kerberos SSO in "Clientless" mode works with one BIG-IP, but fails with another one in the scenario.
In the BIG-IP that works, we observe that the WebSSO handshakes function properly both on the client and server sides.

In the BIG-IP that produces the 502 error, we have noticed that the WebSSO on the client side is triggered, but the WebSSO on the server side is not.
(We have conducted tests with the parameters HTTP::header insert "clientless-mode" 1/2/3, but we obtain the same behavior with all three parameters.)

I am seeking your assistance in understanding how to resolve this issue and to comprehend the underlying reasons for this difference in behavior. What are the common configuration errors or considerations that can result in the failure of Kerberos SSO in clientless mode with a WCF service? Are there any specific elements to which I should pay attention during the troubleshooting of this scenario to ensure that WebSSO functions properly?

Thank you in advance for your time and assistance. I eagerly await your response.

1 Reply

  • At runtime Kerberos SSO needs to know a Realm (domain) and a UPN (username), so your clientless-mode session must be able to provide correct values into the APM session variables session.sso.token.username and session.logon.last.domain

    To troubleshoot this, I'd just enable debug logging on SSO and session, then just compare a test from each line-by-line and see where it falls over. Kerberos S4U is somewhat complicated. We have a few articles on troubleshooting it:
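Added example, not part of the reply above and not F5 code: one way to do the line-by-line comparison the reply suggests, plus a check that the two session variables it names are populated. The log layout, host names and log lines are constructed for illustration and are assumptions, not real APM output; the variable names are taken as written in the reply.

```python
import re

# Session variables the reply says Kerberos SSO reads at runtime (as written there).
REQUIRED_VARS = ("session.sso.token.username", "session.logon.last.domain")

# Fields that differ between any two runs (assumed syslog-style layout).
_VOLATILE = [
    (re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\s"), ""),  # timestamp + host name
    (re.compile(r"\[\d+\]"), "[PID]"),                  # process id
    (re.compile(r"\b[0-9a-f]{8}\b"), "SID"),            # short session id
]

def normalize(line):
    """Strip per-run noise so equivalent log steps compare equal."""
    line = line.strip()
    for pattern, repl in _VOLATILE:
        line = pattern.sub(repl, line)
    return line

def first_divergence(good_log, bad_log):
    """Return (index, expected, actual) for the first step that differs, or None."""
    good = [normalize(l) for l in good_log if l.strip()]
    bad = [normalize(l) for l in bad_log if l.strip()]
    for i, expected in enumerate(good):
        actual = bad[i] if i < len(bad) else None  # None: failing trace stopped early
        if expected != actual:
            return i, expected, actual
    return None

def missing_sso_inputs(session_vars):
    """List required variables that are absent or empty in a session's variables."""
    return [v for v in REQUIRED_VARS if not session_vars.get(v, "").strip()]

# Constructed sample traces (hypothetical hosts bigip-a / bigip-b).
GOOD_LOG = [
    "Mar 26 10:01:02 bigip-a debug websso.0[4211]: 1a2b3c4d: clientless-mode header seen",
    "Mar 26 10:01:02 bigip-a debug websso.0[4211]: 1a2b3c4d: username=svc_wcf realm=EXAMPLE.COM",
    "Mar 26 10:01:03 bigip-a debug websso.0[4211]: 1a2b3c4d: server-side ticket requested",
]
BAD_LOG = [
    "Mar 26 10:05:40 bigip-b debug websso.0[977]: 9f8e7d6c: clientless-mode header seen",
    "Mar 26 10:05:40 bigip-b debug websso.0[977]: 9f8e7d6c: username=svc_wcf realm=",
]

if __name__ == "__main__":
    print(first_divergence(GOOD_LOG, BAD_LOG))
```

The empty realm in the constructed failing trace is only a sample divergence; with real debug logs the normalization patterns need adjusting to the actual line format.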