Forum Discussion
Kerberos Authentication with different UPN than Kerberos Realm
Using the Exchange 2013 iApp to allow the big ip (v12.0) load balance a pool of Client Access Servers with APM providing authentication, users are receiving Matching Credentials Cannot be Found after successful certificate validation using a Smart Card. Authentication steps include client certificate validation using a smart card and then Kerberos authentication to the domain. Any thoughts?
Kerberos: cant get S4U2Self ticket for user 123456@nnn - Matching credentials not found (-1765328243) Kerberos Realm = Test.Lab Domain Controller = dc.test.lab Kerberos Delegation = host/user@test.lab UPN of user account= @nnn
- Kevin_StewartEmployee
APM Kerberos SSO doesn't currently support Kerberos "canonical enterprise referrals", that is it can't chase a referral sent by the KDC for another realm. I'm assuming your "@nnn" is an alternate UPN suffix in the same domain, but this still requires canonical referrals. What you need to do to make this work is to specify the user's real name and real domain. And since the user's real userPrincipalName contains the alias realm, you have to send the sAMAccountName value instead. Your access policy might then look something like this:
start -> on demand cert auth -> ocsp auth -> LDAP query -> variable assign -> allow
where the LDAP query looks up the user's sAMAccountName value based on the userPrincipalName. The variable assign puts the returned username value into the right username session variable for the SSO profile. Example:
session.sso.token.last.username = return [mcget {session.ldap.last.attr.sAMAccountName}]
Or you can alternatively skip the variable assign and make session.ldap.last.attr.sAMAccountName the input username source variable within the SSO profile.
- Kevin_StewartEmployee
Add an iRule event agent to the visual policy right after the OCSP auth. Give it an ID of "CERTPROC". Add an iRule to fetch the certificate SAN UPN:
when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "CERTPROC" { if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } { ACCESS::session data set session.logon.last.username [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"] } } } }
Add an LDAP Query agent after the iRule event and use the following LDAP filter:
userPrincipalName = %{session.logon.last.username}
If the LDAP query succeeds, you should have a session.ldap.last.attr.sAMAccountName session variable with the user's SAM name.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com