Forum Discussion

TMHE_CISSEC
Jan 23, 2023

Kerberos: can't get S4U2Self ticket for user abc@xyz.com - TGT has been revoked (-176532836)

We have SSO Mapping with Cross Realm authentication configured, and SSO Mapping is working for a few of the users who are part of the local domain: xyz.com. The delegation account and application domain is 123.com.

Users from 123.com are not facing any issues. When we checked the session logs of the user, it was identified that for users who are facing the problem the error is: Kerberos: can't get S4U2Self ticket for user abc@xyz.com - TGT has been revoked (-176532836).

We are not able to understand whether it is the user TGT ticket or the delegation account http/bigip.123.com ticket.

Please suggest your opinion for this.

We have also taken a tcpdump, and as per the tcpdump, every time the UDP packet is fragmented we are getting the TGT revoked error.

  • To me, that looks like it would be related to delegation, but I can't say for sure. I know this is a pain, but have you tried running a duplicate vip and policy, but for xyz.com direct? I do understand that defeats the purpose, but it would rule this out..

  • I have had a similar issue for 2-3 weeks. Right now we are investigating but can't find the real root cause, as this problem is difficult to reproduce and looks to pop up "randomly".

    I personally got the problem this morning:

    Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490552:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: User TOTO@MYACTIVEDIRECTORY.DOMAIN from Computer is authenticated
    Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490506:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Received User-Agent header: Microsoft%20Office%2F15.0%20(Windows%20NT%2010.0%3B%20Microsoft%20Outlook%2015.0.5493%3B%20Pro).
    Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490500:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: New session from client IP 192.168.32.238 (ST=/CC=/C=) at VIP 10.1.16.1 Listener /Common/CH_Exchange2013.app/CH_Exchange2013_combined_https (Reputation=Unknown)
    Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490005:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Following rule 'fallback' from item 'SSO Credential Mapping(1)' to ending 'Allow'
    Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490102:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Access policy result: LTM+APM_Mode
    Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490248:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Received client info - Hostname: Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
    Feb 6 08:03:19 ch-lb03.mgmt.sara err websso.0[28699]: 014d0056:3: /Common/CH_Exchange2013.app/exch:Common:1c6ac698:Kerberos: can't get S4U2Self ticket for user TOTO@MYACTIVEDIRECTORY.DOMAIN.PARENTDOMAIN - TGT has been revoked (-1765328364)
    Feb 6 08:03:19 ch-lb03.mgmt.sara err websso.0[28699]: 014d0048:3: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: failure occurred when processing the work item: Kerberos failed
    Feb 6 08:06:41 ch-lb03.mgmt.sara notice tmm2[27093]: 01490502:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Session deleted due to user inactivity.
    Feb 6 08:07:22 ch-lb03.mgmt.sara notice tmm2[27093]: 01490521:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Session statistics - bytes in: 51548, bytes out: 62098

    I simply restarted my machine, then it worked.

    On our side, we didn't make a change on BigIp or on Office/Exchange, but we suspect a new release of Webex.

     

     

    • AubreyKingF5

      Same advice.. I'd make a separate, identical, VIP / policy for the second domain and test.