Forum Discussion
APM Policy scope/SSO Configuration
- Sep 20, 2019
Hello, what version are you on? Prior to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.
https://cdn.f5.com/product/bugtracker/ID445501.html
"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."
I understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com fetched by the first service account, but when it tries to get an S4U2Self for the same user using the second service account it fails:
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
adding item to WorkQueue
ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528
UCCmap.size = 1
S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
Kerberos: Failed to get ticket for user user@DOMAIN.COM
failure occurred when processing the work item
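A small triage script for websso debug lines like the ones above, added here as an example (it is not from the original post or from F5): it attributes each event to the SSO config named in the "using config" line and flags configs where a cached UCC was found yet S4U2Self still failed with "Matching credential not found", the symptom the reply describes for a second delegation account on the same realm. The sample log is constructed from the lines quoted above, and the regexes assume that log format.

```python
import re

# Constructed sample, modelled on the APM websso debug lines quoted in the post:
# two Kerberos SSO configs, each with its own delegation account, for one realm.
SAMPLE_LOG = """\
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site1APMPolicy'
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site1.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:35900
Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'
S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM
Getting UCC:user@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Found UCC:user@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:35528
S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)
"""

CONFIG_RE = re.compile(r"using config '(?P<config>[^']+)'")
S4U_FAIL_RE = re.compile(
    r"Kerberos: can't get (?P<stage>S4U2Self|S4U2Proxy) ticket for user (?P<user>\S+)"
    r" - (?P<reason>.+?) \((?P<code>-?\d+)\)"
)
# Error code seen in the log above (MIT krb5 name for it: KRB5_CC_NOTFOUND).
KRB5_CC_NOTFOUND = -1765328243


def parse_websso_log(text):
    """Walk the log in order; every event belongs to the most recent 'using config' line.
    Returns {config: {"ucc_found": bool, "failures": [(stage, code, reason), ...]}}."""
    events, current = {}, None
    for line in text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            current = m.group("config")
            events.setdefault(current, {"ucc_found": False, "failures": []})
            continue
        if current is None:
            continue  # lines before any config is named cannot be attributed
        if line.startswith("Found UCC:"):
            events[current]["ucc_found"] = True
        m = S4U_FAIL_RE.search(line)
        if m:
            events[current]["failures"].append((m.group("stage"), int(m.group("code")), m.group("reason")))
    return events


def shared_ucc_failures(events):
    """Configs where a cached UCC existed but S4U2Self still failed with KRB5_CC_NOTFOUND."""
    return sorted(cfg for cfg, ev in events.items() if ev["ucc_found"]
                  and any(st == "S4U2Self" and code == KRB5_CC_NOTFOUND for st, code, _ in ev["failures"]))


if __name__ == "__main__":
    for cfg in shared_ucc_failures(parse_websso_log(SAMPLE_LOG)):
        print(f"{cfg}: cached UCC found but S4U2Self failed; check delegation-account/realm sharing")
```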