Forum Discussion
JoeTheFifth
Altostratus
AltostratusAPM Policy scope/SSO Configuration
Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors. Well, I have an APM policy I imported on two virtual servers. I...
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.
https://cdn.f5.com/product/bugtracker/ID445501.html
"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
JoeTheFifthAltostratus
AltostratusI understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com fetched by the first service account but when it tries to get a S4U2Self for the same user using the second service account it fails:
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
adding item to WorkQueue
ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528
UCCmap.size = 1
S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item