Forum Discussion
APM Policy scope/SSO Configuration
Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors.
Well, I have an APM policy I imported on two virtual servers.
I'm using the same cookie domain *.cookiedomain.com so I configured the APM profiles to use multiple authentication domains and set the domains to the different host names of my web sites.
I created two separate Kerberos configurations.
Let's say I have:
VS 10.0.0.1
APM Policy: Site1APMPolicy
site1: https://site1.cookiedomain.com
Kerb SSO: Site1KerbSSO
VS 10.0.0.2
APM Policy: Site2APMPolicy
site2: https://site2.cookiedomain.com
Kerb SSO: Site2KerbSSO
using the same user:
If I access site1.cookiedomain.com FIRST, the SSO works fine.
If I access site2.cookiedomain.com SECOND, the SSO to site2 does not work. Error message is
If I restart the rba and websso daemons and clear my browser cookies, then retry like this:
site2.cookiedomain.com FIRST, the SSO works fine.
If I access site1.cookiedomain.com SECOND, the SSO to site1 does not work. Error message is:
S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item
If I use the same Kerberos SSO configuration for both APM policies, both sites work fine.
The reason I'm using this setup is that I have two web server farms using the same AD domain and the same cookie domain.
If I use two SSO configs with separate service accounts for APM access, the same user does not work for the second site on the second farm.
I've tried playing with the profile scope by setting the three different options but still get the same result.
The only working scenario is using the same Kerberos SSO configuration for both APM policy profiles.
The goal of this setup is to be able to isolate both VS and APM policy configuration.
APM Policy profiles are using different resources (different AAA Pool names and TrustedDomain configuration) even if I'm using the same AD servers behind.
Can anyone shed any light on this?
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.
https://cdn.f5.com/product/bugtracker/ID445501.html
"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
- Dave_WEmployee
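As an added illustration of the iRule-based switching mentioned in the bug note above (this is not code from the thread or from F5; it only applies on 13.1 or later, where separate Kerberos SSO objects for one realm are supported), assuming one APM profile serving both hosts and two Kerberos SSO objects named /Common/Site1KerbSSO and /Common/Site2KerbSSO:

```tcl
# Added example: pick the Kerberos SSO object (and so the delegation
# account) per requested host, so each farm keeps its own service account.
# Assumed object names: /Common/Site1KerbSSO and /Common/Site2KerbSSO.
when ACCESS_ACL_ALLOWED {
    # HTTP::host may carry a port, hence the trailing glob wildcard.
    switch -glob [string tolower [HTTP::host]] {
        "site1.cookiedomain.com*" {
            WEBSSO::select /Common/Site1KerbSSO
        }
        "site2.cookiedomain.com*" {
            WEBSSO::select /Common/Site2KerbSSO
        }
        default {
            # Unexpected host: do not attempt SSO with either delegation account.
            WEBSSO::disable
        }
    }
}
```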
I understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com fetched by the first service account but when it tries to get a S4U2Self for the same user using the second service account it fails:
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
adding item to WorkQueue
ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528
UCCmap.size = 1
S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item
- JoeTheFifthAltostratus
Well that explains it all. Thanks a bunch. I'm on 12.1 (BIGIP 12.1.3.0.0.378).