502 (bad gateway) error with Kerberos SSO in "Clientless" mode when authenticating with WCF services
Currently, we are encountering a 502 (bad gateway) error with Kerberos SSO in "Clientless" mode when authenticating with WCF services.
To enable the proper functioning of WCF with APM policies, we have enabled the "Clientless" mode to avoid redirecting services to "my.policy", as these are lightweight client-side services.
In the iRule, we are using the following command:
HTTP::header insert "clientless-mode" 1
Kerberos SSO in "Clientless" mode works with one BIG-IP, but fails with another one in the scenario.
In the BIG-IP that works, we observe that the WebSSO handshakes function properly both on the client and server sides.
In the BIG-IP that produces the 502 error, we have noticed that the WebSSO on the client side is triggered, but the WebSSO on the server side is not.
(We have conducted tests with the parameters "HTTP::header insert "clientless-mode" 1/2/3", but we obtain the same behavior with all three parameters).
I am seeking your assistance in understanding how to resolve this issue and to comprehend the underlying reasons for this difference in behavior. What are the common configuration errors or considerations that can result in the failure of Kerberos SSO in clientless mode with a WCF service? Are there any specific elements to which I should pay attention during the troubleshooting of this scenario to ensure that WebSSO functions properly?
Thank you in advance for your time and assistance. I eagerly await your response.
- Lucas_Thompson
Employee
At runtime Kerberos SSO needs to know a Realm (domain) and a UPN (username), so your clientless-mode session must be able to provide correct values into the APM session variables session.sso.token.username and session.logon.last.domain.
To troubleshoot this, I'd just enable debug logging on SSO and session, then just compare a test from each line-by-line and see where it falls over. Kerberos S4U is somewhat complicated. We have a few articles on troubleshooting it:
https://my.f5.com/manage/s/article/K59350434
https://my.f5.com/manage/s/article/K40119818
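One way to check the two session variables named in the reply above on each BIG-IP, as an added example that is not part of the original thread: a diagnostic iRule that logs them when the access policy completes, so the working and failing systems can be compared. It assumes the Kerberos SSO configuration reads its username and realm from exactly those two variables; if the SSO configuration names different source variables, substitute them.

```tcl
# Added diagnostic example (not from the thread). Attach to the APM virtual
# server on both BIG-IP systems, send the same clientless request to each,
# and compare the resulting entries in /var/log/ltm.
when ACCESS_POLICY_COMPLETED {
    # Outcome of the access policy for this session (allow / deny / redirect)
    set result [ACCESS::policy result]

    # Variable names taken from the reply above; assumed to be the
    # username and realm sources of the Kerberos SSO configuration.
    set sso_user  [ACCESS::session data get "session.sso.token.username"]
    set sso_realm [ACCESS::session data get "session.logon.last.domain"]

    log local0.info "clientless SSO check: policy=$result user='$sso_user' realm='$sso_realm'"

    # An allowed session with an empty username or realm gives Kerberos SSO
    # nothing to request a ticket for, so flag it explicitly.
    if { $result eq "allow" && ($sso_user eq "" || $sso_realm eq "") } {
        log local0.warning "clientless SSO check: session allowed but username or realm is empty"
    }
}
```

Remove the iRule once the comparison is done, since it writes usernames to the log.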