Jens,
Can I assume that the domaintool setup worked without error? Which TMOS version? Try turning on logging in the Kerberos configuration and report back what gets recorded in /var/log/secure.
Kerberos Constrained Delegation requires 9.4.5 or higher, while Kerberos Protocol Transition requires 10.1 or higher.
In the meantime, here are some additional troubleshooting steps (most of which revolve around getting domaintool to work):
1. Make sure time is synchronized between the LTM and the domain controller.
To be absolutely sure, you can register the DC as a time server with the following command:
w32tm /register
Then in the LTM shell, issue the following commands:
/etc/init.d/ntpd stop
ntpdate
/etc/init.d/ntpd start
2. Make sure the LTM has the Advanced Client Authentication Module licensed.
Check the licensing page for this module.
3. Make sure the LTM is using the domain controller as its primary DNS.
Find this in the management GUI under System | Configuration | Device | DNS.
4. Make sure the fully qualified domain name of the external VIP host is registered in AD DNS.
If the domain of the VIP is different than the AD domain, you need to create a new domain root in DNS. For example: while the AD domain name is “apps.mydomain.tester.com”, the external VIP host (the address that clients will connect to with their browser, is “vip.testing.com”. Create a new root DNS tree for testing.com and create a record there for “vip”. Also make sure that you’ve created a PTR record for the VIP. Finally, if you’re setting this up for constrained delegation (vs. KPT), then the IP address in DNS needs to match the VIP IP address.
5. Make sure the account you’re using for domaintool has adequate permissions in the domain.
At a minimum, the account needs to be able to create AD server accounts and assign Kerberos keys. A power user or local admin does not have these rights. For simplicity a domain administrator is usually best.
6. Make sure you can do a forward and reverse DNS lookup of the external host fully qualified domain name.
With DNS set up you should be able to do forward and reverse DNS lookups of your host VIP FQDN (using dig or nslookup from the LTM command line). Use the full domain name unless you’ve added the DNS suffix search order to your LTM DNS configuration.
7. Edit the /etc/krb5.conf file to remove any erroneous entries.
It's possible that the default EXAMPLE.COM domain can stay in the configuration file as the default realm. Remove anything to do with EXAMPLE.COM.
8. Make sure the cyrus-sasl-gssapi RPM package is installed.
Use the command “rpm –qa |grep sasl” in the LTM shell to see if this RPM is loaded. If it’s missing you can extract the RPM from the LTM ISO file and install it manually (cyrus-sasl-gssapi-2.1.22-5.el5.156.0.i686.rpm).
9. Make sure the domain is raised to its highest functional level.
It is likely that if the delegation tab is missing from server objects in the AD, that the domain is still at the Windows 2000 functional level. In the Active Directory Users and Computers MMC snap-in, right click the domain in the left-hand tree object and select “Raise Domain Functional Level…”. Select the highest operating system level.
10. Make sure that the LTM can make a successful TLS connection to the domain controller.
Successful use of the domaintool (and underlying msktutil) correlates with successful establishment of a TLS connection between the LTM and the domain controller. This may indicate that the domain controller does not have a server certificate installed. Installing the Microsoft CA (Certificate Authority) service will automatically install server or domain controller certificates on all Windows servers in the AD. The server certificates should have, at a minimum, Server Authentication as a key usage extension. Certificate issues are linked to many of the SASL LDAP BIND errors.
HTH
Kevin
Nimbostratus
