Altostratus

Sep 20, 2019

APM Policy scope/SSO Configuration

Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors.

Well, I have an APM policy I imported on two virtual servers.

I'm using the same cookie domain *.cookiedomain.com so I configured the APM profiles to use multiple authentication domains and set the domains to the different host names of my web sites.

I created two separate Kerberos configurations.

Let's say I have:

VS 10.0.0.1

APM Policy: Site1APMPolicy

site1: https://site1.cookiedomain.com

Kerb SSO: Site1KerbSSO

VS 10.0.0.2

APM Policy: Site2APMPolicy

site2 https://site2.cookiedomain.com

Kerb SSO: Site2KerbSSO

using the same user:

If I access site1.cookiedomain.com FIRST the SSO works Fine

If I access site2.cookiedomain.com SECOND the SSO to site2 does not work. Error message is

If I restart the rba and websso daemons and clear my browser cookies then retry like this:

site2.cookiedomain.com FIRST the SSO works Fine

If I access site1.cookiedomain.com SECOND the SSO to site1 does not work. Error message is

S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch

S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch

Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)

Kerberos: Failed to get ticket for user user@DOMAIN.COM

failure occurred when processing the work item

If I use the same kerberos SSO configuration for both APM policies both sites2 work fine.

The reason I'm using this setup is I have two web server farms using the same AD domain and the same cookie domain.

If I use two SSO configs with separate service accounts for APM access with the same user does not work for the second site on the second farm.

I've tried playing with the profile scope by setting the three different options but still get the same result.

The only working scenario is using the same kerberso sso configuration for both APM policy profiles.

The goal of this setup is to be able to isolate both VS and APM policy configuration.

APM Policy profiles are using different resources (different AAA Pool names and TrustedDomain configuration) even if I'm using the same AD servers behind.

Anyone to shed any lights on this?

Dave_W
Sep 20, 2019
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.

https://cdn.f5.com/product/bugtracker/ID445501.html

"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."

Dave_W
Employee
Sep 20, 2019
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.

https://cdn.f5.com/product/bugtracker/ID445501.html

"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
JoeTheFifth
Altostratus
Sep 20, 2019
I understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com fetched by the first service account but when it tries to get a S4U2Self for the same user using the second service account it fails:

Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
adding item to WorkQueue
ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528
UCCmap.size = 1
S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item
JoeTheFifth
Altostratus
Sep 21, 2019
Well that explains it all. Thanks a bunch. I'm on 12.1 (BIGIP 12.1.3.0.0.378).

Forum Discussion

APM Policy scope/SSO Configuration

Recent Discussions

F5 Health Monitor Receive String as JSON

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Configuring BIG-IP AFM firewall policies and rules with Ansible

WAF Policy Editor - a Web-Based Tool to Configure a Declarative WAF Policy

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Auditing Security Policy Updates

Minimizing Security Complexity: Managing Distributed WAF Policies

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS