Forum Discussion
Kerberos AAA login pop-up issue
Folks,
Before posting this question I went through a bunch of posts/articles to fix my issue. Unfortunately, I had to post this anyway to find help to fix my issue!
Here we go!
I have a Virtual server (companyA.example.com:443)
An access policy with a 401 response agent followed by Kerberos Auth agent is assigned to the VIP.
Users are in domain (inside.corp)
AD setup:
A service account is setup on AD server (f5-service-account)
Keytab:
c:>ktpass -princ HTTP/companyA.example.com@INSIDE.CORP -mapuser f5-service-account@INSIDE.CORP -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass somepassword -out c:\temp\krb-sso.keytab
SPN
setspn -U -A HTTP/companyA.example.com f5-service-account
F5 setup
The keytab file is uploaded under Access->AAA->kerberos & auth realm INSIDE.CORP is used.
When tested with APM in debug mode, I found the error below in the logs:
modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 91 Msg: 8efe1717 : GSS-API error gss_accept_sec_context: d0000 : Unspecified GSS failure. Minor code may provide more information
From the client side, SSO doesn't work and I get a browser pop-up where I can input the credentials. Entering the creds doesn't work either.
APM VPE:
Any help is greatly appreciated! Thanks in advance!
Are you able to share a screenshot of the AAA->kerberos configuration?
Cheers,
Kees
- P_KAltostratus
Hello Kees,
Please see below
Is example.com part of the inside.corp domain? And is it in the trusted sites list (or intranet sites) in Internet Explorer?
Cheers,
Kees
- P_KAltostratus
-
I don't think example.com is part of inside.corp. Can you elaborate on your question?
-
Yes, example.com is in the trusted sites list in the users' Internet Explorer.
Here are some more details on the service account:
-
Could you test it with HTTP/companyA.inside.corp?
Your PC/laptop is a member of the inside.corp domain and not of the example.com domain. Kerberos Auth will only work if the FQDN of the service/website is within the inside.corp domain.
Cheers,
Kees
- P_KAltostratus
The issue was with the encryption type the service account supports on the AD server. There was an encryption mismatch between what the service account was negotiating and what the keytab file (arcfour-hmac) was generated with. Fixing it resolved the login pop-up issue.
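The root cause above (an RC4/arcfour-hmac keytab against a service account that no longer negotiates RC4) is easy to check before the AAA server ever sees a ticket. The following Python script is an added example and not code from the poster or from F5: it parses an MIT-format keytab (the format ktpass writes), lists the encryption type and kvno of each entry, and compares those types with the bitmask in the account's msDS-SupportedEncryptionTypes attribute. The keytab bytes are constructed inline to mirror the ktpass command in the thread; in practice you would read the real keytab file and fetch the attribute value from AD with your own LDAP or PowerShell tooling. An attribute value of 0 or an absent attribute means the domain controller's default applies, so the script reports that case as undecidable rather than guessing.

```python
"""Compare the enctypes in a Kerberos keytab with the enctypes an AD service
account advertises in msDS-SupportedEncryptionTypes (added example).
"""
import struct
from dataclasses import dataclass

# RFC 3961 / MIT enctype numbers -> names as krb5 tools print them
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # what "ktpass -crypto rc4-hmac-nt" produces
}
# Bit each enctype occupies in msDS-SupportedEncryptionTypes
ENCTYPE_TO_AD_BIT = {1: 0x1, 3: 0x2, 23: 0x4, 17: 0x8, 18: 0x10}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """uint16 big-endian length prefix + bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, realm: str) -> bytes:
    """Serialise entries as an MIT keytab v2; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")  # keytab format version 2
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type 3 = KRB5_NT_SRV_HST, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 3, 0, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Parse an MIT keytab v2 blob into a list of KeytabEntry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        pos += 8  # skip name_type and timestamp
        kvno = blob[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        if end - pos >= 4:  # 32-bit kvno, if present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def check_against_account(entries, supported_enctypes):
    """Return keytab enctypes the account does not advertise (sorted names).

    supported_enctypes is the integer msDS-SupportedEncryptionTypes value.
    None is returned when it is 0/absent: the DC default applies and the
    attribute alone cannot prove a match or a mismatch.
    """
    if not supported_enctypes:
        return None
    missing = set()
    for e in entries:
        bit = ENCTYPE_TO_AD_BIT.get(e.enctype)
        if bit is None or not (supported_enctypes & bit):
            missing.add(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
    return sorted(missing)


# Constructed sample mirroring the ktpass command in the thread (key bytes are dummies)
SAMPLE_KEYTAB = build_keytab(
    [KeytabEntry("HTTP/companyA.example.com", 3, 23, b"\x11" * 16)], "INSIDE.CORP")
AES_ONLY_ACCOUNT = 0x18     # AES128 | AES256: account no longer offers RC4
RC4_AND_AES_ACCOUNT = 0x1C  # RC4 | AES128 | AES256

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print("not offered by account:", check_against_account(found, AES_ONLY_ACCOUNT))
```

If the script reports arcfour-hmac as not offered, either regenerate the keytab with an AES enctype (and re-upload it under Access->AAA->Kerberos) or re-enable the matching type on the account; also confirm the kvno printed here matches the account's current key version, since a stale kvno produces the same gss_accept_sec_context failure.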