Forum Discussion
APM Policy scope/SSO Configuration
- Sep 20, 2019
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.
https://cdn.f5.com/product/bugtracker/ID445501.html
"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
I understand APM finds a cached ticket for [email protected] for site1.cookiedomain.com fetched by the first service account, but when it tries to get an S4U2Self for the same user using the second service account, it fails:
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
adding item to WorkQueue
ctx:0xa23d450 SPN = HTTP/[email protected]
S4U ======> user: [email protected], SPN: HTTP/[email protected]
Getting UCC:[email protected]@DOMAINC.OM, lifetime:36000
Found UCC:[email protected]@DOMAINC.OM, lifetime:36000 left:35528
UCCmap.size = 1
S4U ======> - NO cached S4U2Proxy ticket for user: [email protected] server: HTTP/[email protected] - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: [email protected] - trying to fetch
Kerberos: can't get S4U2Self ticket for user [email protected] - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user [email protected]
failure occurred when processing the work item
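
A triage sketch for log excerpts like the one above, added here as an example and not part of the original post or of F5's tooling: it groups websso debug lines per request and reports which S4U step failed and with which Kerberos error code. It assumes requests are logged sequentially (not interleaved); the realm, hostnames and the `Site1APMPolicy` name in the sample are constructed placeholders.

```python
import re

# Patterns modelled on the websso debug lines quoted in the post.
START = re.compile(r"Websso Kerberos authentication for user '([^']+)' using config '([^']+)'")
SPN = re.compile(r"SPN = (\S+)")
FAIL = re.compile(r"can't get (S4U2Self|S4U2Proxy) ticket for user (\S+) - (.+) \((-?\d+)\)")

def triage(lines):
    """Group lines per websso request (assumes requests are not interleaved)
    and record which S4U step failed, with the Kerberos error code."""
    results, cur = [], None
    for line in lines:
        if m := START.search(line):
            cur = {"user": m[1], "config": m[2], "spn": None, "ucc_hit": False,
                   "failed_step": None, "error": None, "code": None}
            results.append(cur)
        elif cur is None:
            continue
        elif m := SPN.search(line):
            cur["spn"] = m[1]
        elif "Found UCC:" in line:
            cur["ucc_hit"] = True
        elif m := FAIL.search(line):
            cur["failed_step"], cur["error"], cur["code"] = m[1], m[3], int(m[4])
    for r in results:
        # Pattern from the post: a "Found UCC" line, then the S4U2Self fetch fails.
        r["cache_hit_then_s4u2self_fail"] = r["ucc_hit"] and r["failed_step"] == "S4U2Self"
    return results

# Constructed sample: same line shapes as the post, placeholder names and realm.
SAMPLE = """\
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site1APMPolicy'
ctx:0x1 SPN = HTTP/site1.example.com@EXAMPLE.COM
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
ctx:0x2 SPN = HTTP/site2.example.com@EXAMPLE.COM
Found UCC:user@EXAMPLE.COM@EXAMPLE.COM, lifetime:36000 left:35528
S4U ======> - NO cached S4U2Self ticket for user: user@EXAMPLE.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@EXAMPLE.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@EXAMPLE.COM
""".splitlines()

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["config"], r["spn"], r["failed_step"], r["code"],
              "FLAG" if r["cache_hit_then_s4u2self_fail"] else "ok")
```

Grouping by the `config` field shows at a glance whether failures cluster on the SSO object tied to the second delegation account.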