Forum Discussion
AltostratusBigIP APM KCD Multiple Forests
AltostratusAPM log when using Kerb SSO Conf of domainA (kerb service account in domain A):
8472f4ff: Websso Kerberos authentication for user 'userb' using config '/Common/F5-ADFSProxy-KerbSSO' 8472f4ff: adding item to WorkQueue sid:8472f4ff ctx:0x8676928 server address = ::ffff:10.0.10.3 sid:8472f4ff ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINA.COM S4U ======> ctx: 8472f4ff, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webappb1.coolapp.com@DOMAINA.COM Getting UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000 Found UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000 left:35563 UCCmap.size = 4 S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webappb1.coolapp.com@DOMAINA.COM - trying to fetch S4U ======> - NO cached S4U2Self ticket for user: userb@DOMAINB.COM - trying to fetch Kerberos: can't get S4U2Self ticket for user userb@DOMAINB.COM - Realm not local to KDC (-1765328316) 8472f4ff: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
user domain is ok web server domain is ok result KO
Now: using a kerb sso conf with a service account in domainb
info websso.1[14088]: 014d0011:6: 9c741e95: Websso Kerberos authentication for user 'userb' using config '/Common/DOMAINB-KCD' debug websso.1[14088]: 014d0046:7: 9c741e95: adding item to WorkQueue debug websso.1[14088]: 014d0018:7: sid:9c741e95 ctx:0x8676928 server address = ::ffff:10.0.10.3 debug websso.1[14088]: 014d0021:7: sid:9c741e95 ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINB.COM debug websso.1[14088]: 014d0023:7: S4U ======> ctx: 9c741e95, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webapp1.coolapp.com@DOMAINB.COM debug websso.1[14088]: 014d0001:7: Getting UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000 debug websso.1[14088]: 014d0001:7: Found UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000 left:35280 debug websso.1[14088]: 014d0001:7: UCCmap.size = 4 debug websso.1[14088]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM - trying debug websso.1[14088]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM err websso.1[14088]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/webapp1.coolapp.com@DOMAINB.COM - Requesting ticket can't get forwardable ticke err websso.1[14088]: 014d0024:3: 9c741e95: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
user domain is ok server domain is KO Result KO
