Forum Discussion

Nimbostratus

Sep 12, 2013

Kerberos - mutliple VS, multiple SSO, Same Domains errors

we have a web application in dev, qa and prerod.. we want to use Kerberos to auth the users to the web app.. each environment has its own group of web servers.. On the f5, we have different VS, kerberos AAA, kerberos SSO, access policies associated with each environment.. we got the Dev environment to work (client and server side)..

we used the same configs and created new stuff for the next environment.. tried it out and i can get to dev.domain.com but cant for preprod.domain.com.. waited an hour and then i could get to preprod.domain.com but not dev.domain.com.. i see the following errors in the APM logs (set to debug)..

Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso ‎Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'‎ \ Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0046:7: c62ea9c7: adding ‎item to WorkQueue Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0018:7: ‎sid:c62ea9c7 ctx:0x91ea4a8 server address = ::ffff:10.20.50.40

Sep 11 22:29:32 ‎F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = ‎HTTP/webserv01.DOMAIN.COM@DOMAIN.COM

Sep 11 22:29:32 F5-Server01 debug ‎websso.1[32091]: 014d0023:7: S4U ======> ctx: c62ea9c7, sid: 0x91ea4a8, user: ‎UserA@DOMAIN.COM, SPN: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM

Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Getting UCC:UserA@DOMAIN.COM@DOMAIN.COM, ‎lifetime:36000

Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ‎Found UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:28611

Sep 11 22:29:32 ‎F5-Server01 debug websso.1[32091]: 014d0001:7: UCCmap.size = 8, UCClist.size = 8 ‎

Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO ‎cached S4U2Proxy ticket for user: UserA@DOMAIN.COM server: ‎HTTP/webserv01.DOMAIN.COM@DOMAIN.COM - trying to fetch

Sep 11 22:29:32 F5-Server01 ‎debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for ‎user: UserA@DOMAIN.COM - trying to fetch

Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get ‎S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-‎‎1765328243) ‎

Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: ‎Failed to get ticket for user UserA@DOMAIN.COM

Sep 11 22:29:32 F5-Server01 err ‎websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the ‎work item

Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: ‎failure occurred when processing the work item

Sep 11 22:29:32 F5-Server01 debug ‎websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_NOTIFY

Sep 11 ‎‎22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: ‎TMEVT_RESPONSE

Any Ideas??

BIG-IP Access Policy Manager (APM)

design

kerberos

security

9 Replies

Kevin_Stewart
Employee
Sep 12, 2013
tried it out and i can get to dev.domain.com but cant for preprod.domain.com.. waited an hour and then i could get to preprod.domain.com but not dev.domain.com

Which BIG-IP version?
AngryCat_52750
Nimbostratus
Sep 13, 2013
this morning, we move our PreProd environment temporarily to our LAB F5..

By doing this, we were able to get both environments up at the same time..

the issue seems to be that we can not have both environment setup on the same F5 appliance..

if i have both setups on the same appliance, a user can only access on environment. and for them to get to the other environment, i have to restart the websso service..

Kevin - what version of F5 are you running?? we are wondering if this is a bug in 11.3 HF6 and maybe we need to roll back down to a working version or up to 11.4...
- Kevin_Stewart
  Employee
  Sep 13, 2013
  I vaguely recall this same issue popping up in 11.3 HF3 for someone else, and I know it worked in 11.2.1. I'll test in 11.4 and let you know.
- AngryCat_52750
  Nimbostratus
  Sep 13, 2013
  thank you very much..
- AngryCat_52750
  Nimbostratus
  Sep 13, 2013
  i will do the same on my lab box..
AngryCat_52750
Nimbostratus
Sep 16, 2013
Tried on 11.4 and that didnt allow me to connect to two environments at the same time from the same appliance.. Will downgrade lab to 11.2.1 this morning..
Antoine_80417
Nimbostratus
Oct 24, 2013
Hi,

I don't know if you still have the issue but I ran into it today too.

From what I figured out, the problem is caused by the Kerberos cache. When you have a Kerberos ticket in the cache for a user that was delegated by the account for domain A, and that you want to access an application that use the SSO configuration for domain B, the ticket generation will fail because the AD will not be able to decrypt the ticket issued earlier. Don't know if it's clear enough... I will open a case to the F5 support because from what I understand the Kerberos cache is shared and it should not be.

Antoine
- Kevin_Stewart
  Employee
  Oct 24, 2013
  Thanks for the insight Antoine. There's already a case open for this (probably a few), but please do open another. This will help elevate the cause.
Antoine_80417
Nimbostratus
Jan 28, 2014
Hi folks,

After a while, some news on this problem : the MIT Kerberos library that is used by F5 does not allow more than one delegation account per realm, with causes the issue.

I asked for a RFE to be opened to correct that and it was accepted by the Engineering team. Here is the ID so you can ask your Sales Rep to subscribe you to this ID, this will help the RFE to be moved up the pile : BZ445501.

Antoine