Forum Discussion

JoeTheFifth
Sep 20, 2019
Solved

APM Policy scope/SSO Configuration

Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors.

Well, I have an APM policy I imported on two virtual servers.

I'm using the same cookie domain *.cookiedomain.com so I configured the APM profiles to use multiple authentication domains and set the domains to the different host names of my web sites.

I created two separate Kerberos configurations.

Let's say I have:

VS 10.0.0.1

APM Policy: Site1APMPolicy

site1: https://site1.cookiedomain.com

Kerb SSO: Site1KerbSSO

VS 10.0.0.2

APM Policy: Site2APMPolicy

site2: https://site2.cookiedomain.com

Kerb SSO: Site2KerbSSO

Using the same user:

If I access site1.cookiedomain.com FIRST, the SSO works fine.

If I access site2.cookiedomain.com SECOND, the SSO to site2 does not work. Error message is


If I restart the rba and websso daemons and clear my browser cookies, then retry like this:

site2.cookiedomain.com FIRST, the SSO works fine.

If I access site1.cookiedomain.com SECOND, the SSO to site1 does not work. Error message is


S4U ======> - NO cached S4U2Proxy ticket for user: [email protected] server: HTTP/[email protected] - trying to fetch

S4U ======> - NO cached S4U2Self ticket for user: [email protected] - trying to fetch

Kerberos: can't get S4U2Self ticket for user [email protected] - Matching credential not found (-1765328243)

Kerberos: Failed to get ticket for user [email protected]

failure occurred when processing the work item


If I use the same Kerberos SSO configuration for both APM policies, both sites work fine.


The reason I'm using this setup is I have two web server farms using the same AD domain and the same cookie domain.

If I use two SSO configs with separate service accounts for APM, access with the same user does not work for the second site on the second farm.


I've tried playing with the profile scope by setting the three different options, but I still get the same result.

The only working scenario is using the same Kerberos SSO configuration for both APM policy profiles.


The goal of this setup is to be able to isolate both the VS and the APM policy configuration.

The APM policy profiles use different resources (different AAA pool names and TrustedDomain configuration), even though I'm using the same AD servers behind them.


Can anyone shed any light on this?


  • Hello, what version are you on? Prior to 13.1 you could not use two Kerberos delegation accounts for the same realm.

    https://cdn.f5.com/product/bugtracker/ID445501.html

    "It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
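The iRule route mentioned in that bug note, as an added example that is not part of the thread or of F5's own documentation. It assumes a BIG-IP at 13.1 or later (where the ID445501 fix allows separate Kerberos SSO objects for one realm) and, unlike the original two-VS setup, a single virtual server and access policy fronting both hostnames, which is the case where you actually need to choose the SSO object at request time. The SSO object names Site1KerbSSO and Site2KerbSSO and the hostnames are the ones from the post; the /Common partition path and the ACCESS_ACL_ALLOWED event placement are assumptions of the example. For reference, the -1765328243 in the log is libkrb5's KRB5_CC_NOTFOUND ("Matching credential not found"), i.e. websso could not obtain an S4U2Self ticket under the second delegation account.

```tcl
# Added example (not from the original thread): select the Kerberos SSO
# object, and therefore the S4U delegation account, per Host header.
# Assumes BIG-IP >= 13.1 (ID445501) and one VS/access policy serving both
# sites. Object names and hostnames come from the post; the /Common
# partition prefix is an assumption.
when ACCESS_ACL_ALLOWED {
    switch -- [string tolower [HTTP::host]] {
        "site1.cookiedomain.com" {
            # Site1 farm: delegate with the Site1 service account
            WEBSSO::select /Common/Site1KerbSSO
        }
        "site2.cookiedomain.com" {
            # Site2 farm: delegate with the Site2 service account
            WEBSSO::select /Common/Site2KerbSSO
        }
        default {
            # Unmapped host: turn SSO off for this request rather than let
            # the profile fall back to whichever object it defaults to,
            # which would be a delegation to an SPN we never intended.
            WEBSSO::disable
            log local0. "No Kerberos SSO object mapped for host [HTTP::host]"
        }
    }
}
```

If each site keeps its own virtual server and access policy as in the post, no iRule is needed: on 13.1 or later two SSO objects with different delegation accounts in the same realm can simply be attached to the two policies, and the failure described above is the pre-13.1 limitation itself. Before relying on either layout, check the running version with `tmsh show sys version` and confirm both objects exist with `tmsh list apm sso kerberos`.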
