Forum Discussion

Wand_97484
Jan 13, 2011

ASM - Kerberos protocol transition

Hi everyone, just want to share my experience with the Kerberos delegation / protocol transition feature in 10.2. Kerberos delegation works fine for me (I was stuck at first with reverse lookup, but it works fine now). Kerberos protocol transition doesn't work yet for me; I added some logging lines to the default iRule and can see that the LTM receives the user certificate.



15:05:16 CET 2011 info local/tmm3 tmm3[5695] Rule iRule_krbdelegate_logging : Protocol Transition with CERT: 3005218020 0?¦0?? qèØs????=0 *?H?÷ ??01!0UOnline CA0 110111160632Z 120111160632Z010UTest.User0?"0 *?H?÷ ?????0? ???¿¯Wçwçå@Ä`,z?îY¯ÓùêÀ¾è[îÀ�½B?ä�Êxé¸ù??`ïÒM*?`2SoÊÙm?§???¿gW?©Pk³¿¬??R|Ã?�áX8Õ05ÈoÐkPm^¹ÍÁ5OC*?o¥?I?3ùÊ*?{¬p[ß,+Õõ¢Ô�>?½1Ô¦ ÂÕË5Lð¦sÛÈ[?4yÔ:RWØûPÊ{2­A~CgékH@?ä?R¤¯Ëï??H�´Ê´R2@m÷?å¿í?ÏèøSÉ?BÞMaí?ÈÈ)GqÅnÜÑ?VæRÏ£¼ók{°ÉîRYI?]G;hæ1S±Öva ???£?ã0?ß0 U 0D *?H?÷ 7050*?H?÷ ???0*?H?÷ ???0+0 *?H?÷ 0U¦µ¤9 6mÚ?,ö{XUÐ?F0> +?710/'+?7?ô�G?ó?7?Õ?-?ÿ�$?ÓÓ�"�?Ñ ?Ëúd 0U0?Éú_[u½Õµ?T%?b¿â[M0?,U?0?0? ? ??�Èldap:/



On the network I see that the LTM sends out an AS-REQ but receives a KRB_ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED, followed by another AS-REQ failing with a KRB_ERROR: KRB5KDC_ERR_PREAUTH_FAILED. In addition to the F5 config guide, I added "DONT_REQ_PREAUTH" to the computer account's userAccountControl attribute.


With these settings I receive a different Kerberos error: AS-REP NT Status: unknown error code 0x2e465341.



So I'm pretty much stuck with the protocol transition feature.



Any tips on which trick I'm missing?


BTW: since the krbdelegate iRule has the certificate authentication hardcoded, has someone replaced Certificate Auth with another method?

2 Replies

  • Jens,



    Can I assume that the domaintool setup worked without error? Which TMOS version? Try turning on logging in the Kerberos configuration and report back what gets recorded in /var/log/secure.



    Kerberos Constrained Delegation requires 9.4.5 or higher, while Kerberos Protocol Transition requires 10.1 or higher.



    In the meantime, here are some additional troubleshooting steps (most of which revolve around getting domaintool to work):




    1. Make sure time is synchronized between the LTM and the domain controller.



    To be absolutely sure, you can register the DC as a time server with the following command:


    w32tm /register



    Then in the LTM shell, issue the following commands:


    /etc/init.d/ntpd stop




    /etc/init.d/ntpd start




    2. Make sure the LTM has the Advanced Client Authentication Module licensed.



    Check the licensing page for this module.




    3. Make sure the LTM is using the domain controller as its primary DNS.



    Find this in the management GUI under System | Configuration | Device | DNS.




    4. Make sure the fully qualified domain name of the external VIP host is registered in AD DNS.



    If the domain of the VIP is different from the AD domain, you need to create a new domain root in DNS. For example: while the AD domain name is “”, the external VIP host (the address that clients will connect to with their browser) is “”. Create a new root DNS tree for and create a record there for “vip”. Also make sure that you’ve created a PTR record for the VIP. Finally, if you’re setting this up for constrained delegation (vs. KPT), then the IP address in DNS needs to match the VIP IP address.




    5. Make sure the account you’re using for domaintool has adequate permissions in the domain.



    At a minimum, the account needs to be able to create AD server accounts and assign Kerberos keys. A power user or local admin does not have these rights. For simplicity a domain administrator is usually best.




    6. Make sure you can do a forward and reverse DNS lookup of the external host fully qualified domain name.



    With DNS set up you should be able to do forward and reverse DNS lookups of your host VIP FQDN (using dig or nslookup from the LTM command line). Use the full domain name unless you’ve added the DNS suffix search order to your LTM DNS configuration.




    7. Edit the /etc/krb5.conf file to remove any erroneous entries.



    It's possible that the default EXAMPLE.COM domain can stay in the configuration file as the default realm. Remove anything to do with EXAMPLE.COM.




    8. Make sure the cyrus-sasl-gssapi RPM package is installed.



    Use the command “rpm -qa | grep sasl” in the LTM shell to see if this RPM is loaded. If it’s missing you can extract the RPM from the LTM ISO file and install it manually (cyrus-sasl-gssapi-2.1.22-5.el5.156.0.i686.rpm).




    9. Make sure the domain is raised to its highest functional level.



    If the delegation tab is missing from server objects in AD, it is likely that the domain is still at the Windows 2000 functional level. In the Active Directory Users and Computers MMC snap-in, right-click the domain in the left-hand tree and select “Raise Domain Functional Level…”. Select the highest operating system level.




    10. Make sure that the LTM can make a successful TLS connection to the domain controller.



    Successful use of the domaintool (and underlying msktutil) correlates with successful establishment of a TLS connection between the LTM and the domain controller. This may indicate that the domain controller does not have a server certificate installed. Installing the Microsoft CA (Certificate Authority) service will automatically install server or domain controller certificates on all Windows servers in the AD. The server certificates should have, at a minimum, Server Authentication as a key usage extension. Certificate issues are linked to many of the SASL LDAP BIND errors.
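Steps 4 and 6 of the checklist above (forward and reverse lookup of the VIP FQDN, and the DNS address matching the virtual server address for constrained delegation) can be scripted from the LTM shell. The following is an added example, not code from the thread or from F5: a round-trip checker with pluggable resolvers, so it can be exercised against a constructed lookup table offline and then pointed at the live resolver (the box's configured DNS, which step 3 says should be the domain controller). The names `vip.corp.test`, `app.corp.test` and the 192.0.2.x addresses are placeholders.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed lookup tables standing in for the AD DNS zone; the names and
# RFC 5737 test addresses are placeholders, not values from the thread.
FORWARD_TABLE: Dict[str, List[str]] = {
    "vip.corp.test": ["192.0.2.10"],
    "app.corp.test": ["192.0.2.20"],   # has an A record but no PTR record
}
REVERSE_TABLE: Dict[str, str] = {"192.0.2.10": "vip.corp.test"}


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def table_forward(name: str) -> List[str]:
    """Forward lookup against the constructed table (raises like the socket module)."""
    try:
        return FORWARD_TABLE[_norm(name)]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def table_reverse(ip: str) -> str:
    """Reverse lookup against the constructed table (raises like the socket module)."""
    try:
        return REVERSE_TABLE[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


def live_forward(name: str) -> List[str]:
    """Forward lookup through the resolver the LTM is configured with."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]


def live_reverse(ip: str) -> str:
    """Reverse lookup through the resolver the LTM is configured with."""
    return socket.gethostbyaddr(ip)[0]


def check_dns_roundtrip(
    fqdn: str,
    expected_vip_ip: Optional[str] = None,
    forward: Callable[[str], List[str]] = live_forward,
    reverse: Callable[[str], str] = live_reverse,
) -> List[str]:
    """Return a list of findings; an empty list means the round trip is consistent.

    expected_vip_ip is the virtual server address; pass it for constrained
    delegation, where the A record must point at the VIP itself (step 4).
    """
    findings: List[str] = []
    if "." not in fqdn:
        # Step 6: use the full name unless a DNS search suffix is configured.
        return [f"{fqdn} is not fully qualified; use the full domain name"]
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if not addrs:
        return [f"forward lookup of {fqdn} returned no address"]
    for ip in dict.fromkeys(addrs):          # de-duplicate, keep order
        try:
            back = reverse(ip)
        except OSError as exc:
            findings.append(f"reverse lookup of {ip} failed, check the PTR record: {exc}")
            continue
        if _norm(back) != _norm(fqdn):
            findings.append(f"PTR for {ip} is {back}, expected {fqdn}")
    if expected_vip_ip is not None and expected_vip_ip not in addrs:
        findings.append(
            f"{fqdn} resolves to {' '.join(addrs)} but the virtual server address is "
            f"{expected_vip_ip}; constrained delegation needs them to match"
        )
    return findings


if __name__ == "__main__":
    # Offline run against the constructed table; swap in the live resolvers on the LTM.
    for host in ("vip.corp.test", "app.corp.test", "vip"):
        print(host, check_dns_roundtrip(host, "192.0.2.10", table_forward, table_reverse) or "ok")
```

Run it on the LTM with the default (live) resolvers and the real VIP FQDN and address; any finding maps directly onto one of Kevin's steps, and an empty list means the DNS side is not what is blocking domaintool.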









  • Hi Kevin,



    Many thanks for your fully detailed answer.


    I did a lot of testing with F5 support; in the end the problem was the sequence of ciphers in my krb5.conf file.




    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5


    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5



    Initially I added the rc4-hmac at the end because of the AD domain policy.



    BTW: Transition works only within a single AD Domain.
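Two things in this thread come down to the contents of /etc/krb5.conf: step 7 of Kevin's checklist (nothing referring to the stock EXAMPLE.COM realm may remain) and the actual fix above (rc4-hmac had to be listed first in default_tgs_enctypes and default_tkt_enctypes, not last). The following is an added example, not code from the thread or from F5: a small krb5.conf reader plus a checker that reports leftover EXAMPLE.COM entries, an enctype list that does not lead with the type the domain expects, and single-DES types that are still offered. It generalises the thread's case by taking the preferred type as a parameter; on a current domain you would pass an AES type such as aes256-cts-hmac-sha1-96 rather than rc4-hmac. The sample configurations, the CORP.TEST realm and the dc01.corp.test hostname are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple, Union

Block = Dict[str, str]
Section = Dict[str, Union[str, Block]]

# Single-DES types; domains at the 2008 R2 functional level and later can
# disable them, so they are reported rather than silently kept.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}

# Constructed sample in the shape of the poster's file before the fix:
# EXAMPLE.COM still present and rc4-hmac appended last.
BROKEN_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des-cbc-crc des-cbc-md5 rc4-hmac
 default_tkt_enctypes = des-cbc-crc des-cbc-md5 rc4-hmac

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
 }
 CORP.TEST = {
  kdc = dc01.corp.test
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 .corp.test = CORP.TEST
"""

# Constructed sample with the two enctype lines in the order that resolved the thread.
FIXED_CONF = """\
[libdefaults]
 default_realm = CORP.TEST
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 CORP.TEST = {
  kdc = dc01.corp.test
 }

[domain_realm]
 .corp.test = CORP.TEST
"""


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Minimal krb5.conf reader: [section] headers, key = value lines and one
    level of NAME = { ... } blocks (the form used under [realms])."""
    conf: Dict[str, Section] = {}
    section: Section = {}
    block: Block = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            in_block = False
            continue
        if in_block:
            if line == "}":
                in_block = False
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                block[key] = value
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = {}
            section[key] = block
            in_block = True
        else:
            section[key] = value
    return conf


def check_krb5_conf(text: str, preferred_first: str = "rc4-hmac") -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to fix."""
    conf = parse_krb5_conf(text)
    findings: List[Tuple[str, str]] = []
    lib = conf.get("libdefaults", {})
    # Step 7: no trace of the stock EXAMPLE.COM realm may remain.
    if str(lib.get("default_realm", "")).upper() == "EXAMPLE.COM":
        findings.append(("example-realm", "default_realm is still EXAMPLE.COM"))
    for realm in conf.get("realms", {}):
        if realm.upper() == "EXAMPLE.COM":
            findings.append(("example-realm", "[realms] still defines EXAMPLE.COM"))
    for domain, realm in conf.get("domain_realm", {}).items():
        if "EXAMPLE.COM" in (domain + str(realm)).upper():
            findings.append(("example-realm", f"[domain_realm] still maps {domain} to {realm}"))
    # The thread's root cause: the type the domain expects must be listed first.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        value = lib.get(key)
        if not isinstance(value, str):
            findings.append(("enctype-missing", f"{key} is not set"))
            continue
        order = value.split()
        if preferred_first not in order:
            findings.append(("enctype-order", f"{key} does not offer {preferred_first}"))
        elif order[0] != preferred_first:
            pos = order.index(preferred_first) + 1
            findings.append(("enctype-order", f"{key} lists {preferred_first} at position {pos}, not first"))
        des = [e for e in order if e in SINGLE_DES]
        if des:
            findings.append(("weak-enctype", f"{key} still offers single-DES types {' '.join(des)}"))
    return findings


def reorder_enctypes(value: str, preferred_first: str = "rc4-hmac") -> str:
    """Move preferred_first to the front of a space-separated enctype list, keeping the rest in order."""
    types = value.split()
    if preferred_first in types:
        types.remove(preferred_first)
        types.insert(0, preferred_first)
    return " ".join(types)
```

Running `check_krb5_conf(BROKEN_CONF)` reports the three EXAMPLE.COM leftovers and both misordered enctype lines; `check_krb5_conf(FIXED_CONF)` reports only that the single-DES types are still offered, which is the state the poster ended up in. `reorder_enctypes` produces the corrected line for either key.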