For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kolom's avatar
kolom
Icon for Altostratus rankAltostratus
Jun 15, 2016

APM SSO config using Kerberos Error

Hi everyone,

 

we are trying to perform SSO using kerberos , but we encountered the error

 

Jun 15 11:06:44 VF-Sapre debug websso.0[13541]: 014d0001:7: TGT expires:1466017604 CC count:0 Jun 15 11:06:44 VF-Sapre debug websso.0[13541]: 014d0001:7: Initialized UCC:minemine@LDAP-IBRAHIM.TEST@LDAP-IBRAHIM.TEST, lifetime:36000 kcc:0x8718dc8 Jun 15 11:06:44 VF-Sapre debug websso.0[13541]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1 Jun 15 11:06:44 VF-Sapre debug websso.0[13541]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: minemine@LDAP-IBRAHIM.TEST server: HTTP/haza.ldap-ibrahim.test@LDAP-IBRAHIM.TEST - trying to fetch Jun 15 11:06:44 VF-Sapre debug websso.0[13541]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: minemine@LDAP-IBRAHIM.TEST - trying to fetch Jun 15 11:06:44 VF-Sapre err websso.0[13541]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user minemine@LDAP-IBRAHIM.TEST - KDC has no support for padata type (-1765328368) Jun 15 11:06:44 VF-Sapre err websso.0[13541]: 014d0024:3: 4ba1e5d1: Kerberos: Failed to get ticket for user minemine@LDAP-IBRAHIM.TEST Jun 15 11:06:44 VF-Sapre err websso.0[13541]: 014d0048:3: 4ba1e5d1: failure occurred when processing the work item

 

could anyone help me with that error , what does it mean and how can i resolve it KDC has no support for padata type (-1765328368)

 

Thanks

 

application delivery
BIG-IP Access Policy Manager (APM)

5 Replies

  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 15, 2016

    Hi,

     

    Do you have a Domain Controller Authentication Certificate on your KDC ? If not, you probably need to generate one otherwise it will fail.

     

    • kolom's avatar
      kolom
      Icon for Altostratus rankAltostratus
      Jun 15, 2016
      thanks for your fast reply i do have a self-signed certificate
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 15, 2016

    Hi,

     

    Do you have a Domain Controller Authentication Certificate on your KDC ? If not, you probably need to generate one otherwise it will fail.

     

    • kolom's avatar
      kolom
      Icon for Altostratus rankAltostratus
      Jun 15, 2016
      thanks for your fast reply i do have a self-signed certificate
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Jun 15, 2016

    Is "minemine" the delegation account, or the user account that you are trying to make APM delegate by using the delegation account?

     

    I searched for this error and it seems to happen when people mix up the user account and the delegation account. Might not be the problem, but this is an error being thrown by the KDC. APM is just reporting the error to you, so you might want to start by googling the error to understand its meaning.