Forum Discussion

JoeTheFifth
Sep 20, 2019

APM Policy scope/SSO Configuration

Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors.

Well, I have an APM policy I imported on two virtual servers.

I'm using the same cookie domain *.cookiedomain.com so I configured the APM profiles to use multiple authentication domains and set the domains to the different host names of my web sites.

I created two separate Kerberos configurations.

Let's say I have:

VS 10.0.0.1
APM Policy: Site1APMPolicy
site1: https://site1.cookiedomain.com
Kerb SSO: Site1KerbSSO

VS 10.0.0.2
APM Policy: Site2APMPolicy
site2: https://site2.cookiedomain.com
Kerb SSO: Site2KerbSSO

Using the same user:

If I access site1.cookiedomain.com FIRST, the SSO works fine.

If I access site2.cookiedomain.com SECOND, the SSO to site2 does not work. Error message is

If I restart the rba and websso daemons and clear my browser cookies, then retry like this:

site2.cookiedomain.com FIRST: the SSO works fine.

If I access site1.cookiedomain.com SECOND, the SSO to site1 does not work. Error message is

S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item

If I use the same Kerberos SSO configuration for both APM policies, both sites work fine.

The reason I'm using this setup is I have two web server farms using the same AD domain and the same cookie domain.

If I use two SSO configs with separate service accounts for APM access, SSO with the same user does not work for the second site on the second farm.

I've tried playing with the profile scope by setting the three different options but still get the same result.

The only working scenario is using the same Kerberos SSO configuration for both APM policy profiles.

The goal of this setup is to be able to isolate both VS and APM policy configuration.

APM Policy profiles are using different resources (different AAA Pool names and TrustedDomain configuration) even if I'm using the same AD servers behind.


Can anyone shed any light on this?

  • Hello, what version are you on? Prior to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.

    https://cdn.f5.com/product/bugtracker/ID445501.html

    "It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."

  • I understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com, fetched by the first service account, but when it tries to get an S4U2Self ticket for the same user using the second service account it fails:

    Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
    adding item to WorkQueue
    ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM
    S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
    Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000
    Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528
    UCCmap.size = 1
    S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
    S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
    Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
    Kerberos: Failed to get ticket for user user@DOMAIN.COM
    failure occurred when processing the work item

  • Well that explains it all. Thanks a bunch. I'm on 12.1 (BIGIP 12.1.3.0.0.378).