Kerberos - multiple VS, multiple SSO, Same Domains errors
We have a web application in dev, qa and preprod.. we want to use Kerberos to auth the users to the web app.. each environment has its own group of web servers.. On the F5, we have different VS, Kerberos AAA, Kerberos SSO, access policies associated with each environment.. we got the Dev environment to work (client and server side)..
We used the same configs and created new stuff for the next environment.. tried it out and I can get to dev.domain.com but can't for preprod.domain.com.. waited an hour and then I could get to preprod.domain.com but not dev.domain.com.. I see the following errors in the APM logs (set to debug)..
Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0046:7: c62ea9c7: adding item to WorkQueue
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0018:7: sid:c62ea9c7 ctx:0x91ea4a8 server address = ::ffff:10.20.50.40
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0023:7: S4U ======> ctx: c62ea9c7, sid: 0x91ea4a8, user: UserA@DOMAIN.COM, SPN: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Getting UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Found UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:28611
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: UCCmap.size = 8, UCClist.size = 8
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: UserA@DOMAIN.COM server: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: UserA@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-1765328243)
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: Failed to get ticket for user UserA@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_NOTIFY
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_RESPONSE
Any ideas??
9 Replies
- Kevin_Stewart
Employee
> tried it out and i can get to dev.domain.com but cant for preprod.domain.com.. waited an hour and then i could get to preprod.domain.com but not dev.domain.com
Which BIG-IP version?
- AngryCat_52750
Nimbostratus
This morning, we moved our PreProd environment temporarily to our LAB F5..
By doing this, we were able to get both environments up at the same time..
The issue seems to be that we can not have both environments set up on the same F5 appliance..
If I have both setups on the same appliance, a user can only access one environment, and for them to get to the other environment, I have to restart the websso service..
Kevin - what version of F5 are you running?? We are wondering if this is a bug in 11.3 HF6 and maybe we need to roll back down to a working version or up to 11.4...
- Kevin_Stewart
Employee
I vaguely recall this same issue popping up in 11.3 HF3 for someone else, and I know it worked in 11.2.1. I'll test in 11.4 and let you know.
- AngryCat_52750
Nimbostratus
Thank you very much..
- AngryCat_52750
Nimbostratus
I will do the same on my lab box..
- AngryCat_52750
Nimbostratus
Tried on 11.4 and that didn't allow me to connect to two environments at the same time from the same appliance.. Will downgrade lab to 11.2.1 this morning..
- Antoine_80417
Nimbostratus
Hi,
I don't know if you still have the issue but I ran into it today too.
From what I figured out, the problem is caused by the Kerberos cache. When you have a Kerberos ticket in the cache for a user that was delegated by the account for domain A, and you want to access an application that uses the SSO configuration for domain B, the ticket generation will fail because the AD will not be able to decrypt the ticket issued earlier. Don't know if it's clear enough... I will open a case with F5 support because from what I understand the Kerberos cache is shared and it should not be.
Antoine
- Kevin_Stewart
Employee
Thanks for the insight Antoine. There's already a case open for this (probably a few), but please do open another. This will help elevate the cause.
- Antoine_80417
Nimbostratus
Hi folks,
After a while, some news on this problem: the MIT Kerberos library that is used by F5 does not allow more than one delegation account per realm, which causes the issue.
I asked for an RFE to be opened to correct that and it was accepted by the Engineering team. Here is the ID so you can ask your Sales Rep to subscribe you to this ID; this will help the RFE to be moved up the pile: BZ445501.
Antoine
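The websso debug output in the original post and Antoine's diagnosis (a shared credential cache with one delegation account per realm) suggest a simple log check an APM operator can run while waiting on the RFE: group websso lines into per-sid transactions and flag the exact symptom seen above, a cached user credential (UCC) that still has lifetime left, followed by an S4U2Self fetch that fails with "Matching credential not found (-1765328243)", and report which other SSO configs that same user has been seen on. This is an added example, not code from the thread or from F5. The sample log is a constructed copy of the posted lines plus a second, constructed transaction for the same user on a hypothetical `/Common/sso-kerberos-dev` config; attributing sid-less lines to the most recently opened transaction is a simplifying assumption, since the real daemon interleaves work items.

```python
import re
from collections import defaultdict

# Constructed sample: the posted preprod lines (fused lines split apart) preceded by a
# constructed dev-config transaction for the same user. SPN for dev is hypothetical.
SAMPLE_LOG = """\
Sep 11 22:20:01 F5-Server01 info websso.1[32091]: 014d0011:6: aa11bb22: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-dev'
Sep 11 22:20:01 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:aa11bb22 ctx:0x91ea000 SPN = HTTP/devweb01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0046:7: c62ea9c7: adding item to WorkQueue
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Getting UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Found UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:28611
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: UserA@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-1765328243)
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: Failed to get ticket for user UserA@DOMAIN.COM
"""

# Error code as printed by websso for "Matching credential not found".
KRB5_CC_NOTFOUND = -1765328243

START_RE = re.compile(r"(?P<sid>[0-9a-f]{8}): Websso Kerberos authentication for user '(?P<user>[^']+)' using config '(?P<config>[^']+)'")
SPN_RE = re.compile(r"sid:(?P<sid>[0-9a-f]{8}) ctx:\S+ SPN = (?P<spn>\S+)")
UCC_RE = re.compile(r"Found UCC:(?P<ucc>[^,]+), lifetime:(?P<life>\d+) left:(?P<left>\d+)")
S4U_ERR_RE = re.compile(r"can't get (?P<stage>S4U2Self|S4U2Proxy) ticket for user (?P<user>\S+) - (?P<msg>.+?) \((?P<code>-?\d+)\)")
FAIL_RE = re.compile(r"(?P<sid>[0-9a-f]{8}): Kerberos: Failed to get ticket for user (?P<user>\S+)")


def parse_websso_log(text):
    """Group websso lines into per-sid transactions keyed by sid.

    Lines that carry no sid (UCC lookups, the Kerberos error itself) are attributed
    to the most recently opened transaction. This is a simplifying assumption.
    """
    txns = {}
    current = None
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            current = m["sid"]
            txns[current] = {"sid": current, "user": m["user"], "config": m["config"],
                             "spn": None, "ucc_cached": False, "ucc_left": None,
                             "error": None, "failed": False}
            continue
        m = SPN_RE.search(line)
        if m and m["sid"] in txns:
            txns[m["sid"]]["spn"] = m["spn"]
            continue
        m = FAIL_RE.search(line)
        if m and m["sid"] in txns:
            txns[m["sid"]]["failed"] = True
            continue
        if current is None:
            continue
        t = txns[current]
        m = UCC_RE.search(line)
        if m:
            t["ucc_cached"] = True
            t["ucc_left"] = int(m["left"])
            continue
        m = S4U_ERR_RE.search(line)
        if m:
            t["error"] = (m["stage"], m["msg"], int(m["code"]))
    return txns


def findings(txns):
    """Flag the thread's symptom: a cached, unexpired UCC for the user exists, yet the
    S4U2Self fetch under this SSO config fails with KRB5_CC_NOTFOUND. Each finding
    lists the other SSO configs the same user was seen on, the cross-config pattern
    Antoine attributes to the shared cache."""
    configs_by_user = defaultdict(set)
    for t in txns.values():
        configs_by_user[t["user"]].add(t["config"])
    out = []
    for t in txns.values():
        if t["ucc_cached"] and t["error"] and t["error"][2] == KRB5_CC_NOTFOUND:
            out.append({"sid": t["sid"], "user": t["user"], "config": t["config"],
                        "spn": t["spn"], "ucc_left": t["ucc_left"], "stage": t["error"][0],
                        "other_configs": sorted(configs_by_user[t["user"]] - {t["config"]})})
    return out


if __name__ == "__main__":
    for f in findings(parse_websso_log(SAMPLE_LOG)):
        print(f"sid={f['sid']} user={f['user']} config={f['config']} spn={f['spn']} "
              f"{f['stage']} failed with cached UCC ({f['ucc_left']}s left); "
              f"user also seen on: {', '.join(f['other_configs']) or 'none'}")
```

Run it against a `/var/log/apm` extract (debug level, as in the post): a finding whose `other_configs` list is non-empty is the multi-config case the thread describes, while a finding with an empty list points at an ordinary SPN or keytab problem for that one config.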