Forum Discussion

Altostratus

Sep 20, 2019

Solved

APM Policy scope/SSO Configuration

Back on track here after the devcentral migration. Like others I'm having a hard time finding content with all the 404 search errors. Well, I have an APM policy I imported on two virtual servers. I...

Dave_W
Sep 20, 2019
Hello, what version are you on? Previous to 13.1 you could not use 2 Kerberos Delegation Accounts for the same Realm.

https://cdn.f5.com/product/bugtracker/ID445501.html

"It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch."

JoeTheFifth

Altostratus

Sep 20, 2019

I understand APM finds a cached ticket for user@cookiedomain.com for site1.cookiedomain.com fetched by the first service account but when it tries to get a S4U2Self for the same user using the second service account it fails:

Websso Kerberos authentication for user 'user' using config '/CustomPart/Site2APMPolicy'

adding item to WorkQueue

ctx:0xa23d450 SPN = HTTP/site2.cookiedomain.com@DOMAIN.COM

S4U ======> user: user@DOMAIN.COM, SPN: HTTP/site2.cookiedomain.com@DOMAIN.COM

Getting UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000

Found UCC:user@DOMAIN.COM@DOMAINC.OM, lifetime:36000 left:35528

UCCmap.size = 1

S4U ======> - NO cached S4U2Proxy ticket for user: user@DOMAIN.COM server: HTTP/site2.cookiedomain.com@COMMUN01.SVC - trying to fetch

S4U ======> - NO cached S4U2Self ticket for user: user@DOMAIN.COM - trying to fetch

Kerberos: can't get S4U2Self ticket for user user@DOMAIN.COM - Matching credential not found (-1765328243)

Kerberos: Failed to get ticket for user user@DOMAIN.COM

failure occurred when processing the work item