For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Oct 04, 2018

APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually

I'm running into this well known KCD SSO error. I have APM performing the necessary SSO variable definitions using LDAP queries which map certificate IDs (Domain userPrincipalName) to sAMAccountNames...
application delivery
BIG-IP Access Policy Manager (APM)
action_-_322447's avatar
action_-_322447
Icon for Nimbostratus rankNimbostratus
Oct 11, 2018

Just my 2c, might not be relevant to your situation.

 

I experienced something similar when I was trying to set up an office online server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files and the IIS site used anonymous authentication.

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 12, 2018

By tenant domain, do you a separate trusted domain for user accounts?

 

If so, there are a few things you need to do:

 

  • You must ensure that the domains have a full two-way transitive trust (it wouldn't work at all if this wasn't the case)
  • The APM SSO account and the target service (assuming IIS) must be in the SAME domain.
  • APM must be able to DNS resolve (SRV records) the trusted domain and must have direct connectivity to it.
  • To avoid ambiguity, the APM SSO account should use a full SPN that identifies what domain it's in (ex. host/f5kdc.example.com). This same string is needed in three places: the APM SSO username, the AD delegation account's userPrincipalName and servicePrincipalName.