Forum Discussion
Kerberos: can't get S4U2Self ticket for user abc@xyz.com - TGT has been revoked (-176532836)
We have SSO Mapping with cross-realm authentication configured, and SSO Mapping is working for a few of the users who are part of the local domain (xyz.com); the delegation account and application domain is 123.com.
Users from 123.com are not facing any issues. When we checked the session logs of the users, it was identified that for the users who are facing the problem the error is: Kerberos: can't get S4U2Self ticket for user abc@xyz.com - TGT has been revoked (-176532836).
We are not able to understand whether it is the user's TGT or the delegation account http/bigip.123.com ticket.
Please suggest your opinion on this.
We have also taken a tcpdump, and as per the tcpdump, every time a UDP packet is fragmented we are getting the TGT revoked error.
- Leslie_Hubertus (Ret. Employee)
Kevin_Stewart may be able to chime in on this one.
- AubreyKingF5 (Moderator)
To me, that looks like it would be related to delegation, but I can't say for sure. I know this is a pain, but have you tried running a duplicate VIP and policy, but for xyz.com direct? I do understand that defeats the purpose, but it would rule this out.
- Leslie_Hubertus (Ret. Employee)
TMHE_CISSEC - did AubreyKingF5's post help rule out an issue, and/or are you still dealing with the same problem?
- ChriSafra (Nimbostratus)
I have had a similar issue for 2-3 weeks. Right now we are investigating but can't find the real root cause, as this problem is difficult to reproduce and looks to pop up "randomly".
I personally got the problem this morning:
Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490552:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: User TOTO@MYACTIVEDIRECTORY.DOMAIN from Computer is authenticated
Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490506:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Received User-Agent header: Microsoft%20Office%2F15.0%20(Windows%20NT%2010.0%3B%20Microsoft%20Outlook%2015.0.5493%3B%20Pro).
Feb 6 08:03:17 ch-lb03.mgmt.sara notice tmm2[27093]: 01490500:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: New session from client IP 192.168.32.238 (ST=/CC=/C=) at VIP 10.1.16.1 Listener /Common/CH_Exchange2013.app/CH_Exchange2013_combined_https (Reputation=Unknown)
Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490005:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Following rule 'fallback' from item 'SSO Credential Mapping(1)' to ending 'Allow'
Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490102:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Access policy result: LTM+APM_Mode
Feb 6 08:03:17 ch-lb03.mgmt.sara notice apmd[21687]: 01490248:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Received client info - Hostname: Type: unknown Version: 0 Platform: unknown CPU: unknown UI Mode: Full Javascript Support: 0 ActiveX Support: 0 Plugin Support: 0
Feb 6 08:03:19 ch-lb03.mgmt.sara err websso.0[28699]: 014d0056:3: /Common/CH_Exchange2013.app/exch:Common:1c6ac698:Kerberos: can't get S4U2Self ticket for user TOTO@MYACTIVEDIRECTORY.DOMAIN.PARENTDOMAIN - TGT has been revoked (-1765328364)
Feb 6 08:03:19 ch-lb03.mgmt.sara err websso.0[28699]: 014d0048:3: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: failure occurred when processing the work item: Kerberos failed
Feb 6 08:06:41 ch-lb03.mgmt.sara notice tmm2[27093]: 01490502:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Session deleted due to user inactivity.
Feb 6 08:07:22 ch-lb03.mgmt.sara notice tmm2[27093]: 01490521:5: /Common/CH_Exchange2013.app/exch:Common:1c6ac698: Session statistics - bytes in: 51548, bytes out: 62098
I simply restarted my machine, then it worked.
On our side, we didn't make any changes on the BigIp or on Office/Exchange, but we suspect a new release of Webex.
- AubreyKingF5 (Moderator)
Same advice. I'd make a separate, identical VIP / policy for the second domain and test.
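
Added example (not part of any post in this thread, and not F5 code): one way to tally the websso S4U2Self failures by user realm, to check whether only one domain's users are affected. MIT krb5 numeric codes are -1765328384 plus the RFC 4120 error number, so the -1765328364 in the log above is error 20, KDC_ERR_TGT_REVOKED. The sample lines, host names and user names are constructed, modelled on the websso log format shown in the thread.

```python
import re
from collections import Counter

# MIT krb5 reports KDC protocol errors as KRB5KDC_ERR_NONE + RFC 4120 number.
KRB5_BASE = -1765328384
RFC4120_NAMES = {  # subset of RFC 4120 section 7.5.9
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION",
    20: "KDC_ERR_TGT_REVOKED",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
}

# Matches the websso error line format seen in the thread.
S4U_FAIL = re.compile(
    r":(?P<sid>[0-9a-f]{8}):\s*Kerberos: can't get S4U2Self ticket for user "
    r"(?P<user>[^@\s]+)@(?P<realm>\S+) - .*\((?P<code>-?\d+)\)"
)

def decode(code):
    """Return (RFC 4120 error number, name) for an MIT krb5 numeric code."""
    num = code - KRB5_BASE
    if not 0 <= num <= 127:
        return (None, "not a KDC protocol error")
    return (num, RFC4120_NAMES.get(num, "unlisted"))

def s4u_failures(lines):
    """Extract session id, user, realm and decoded error from each failure."""
    out = []
    for line in lines:
        m = S4U_FAIL.search(line)
        if m:
            _, name = decode(int(m["code"]))
            out.append({"sid": m["sid"], "user": m["user"],
                        "realm": m["realm"].upper(), "error": name})
    return out

def by_realm(lines):
    """Count failures per (realm, error) pair."""
    return Counter((f["realm"], f["error"]) for f in s4u_failures(lines))

# Constructed sample input (hypothetical hosts, users and session ids).
SAMPLE = [
    "Feb 6 08:03:17 lb01.example.test notice apmd[100]: 01490102:5: /Common/app/exch:Common:aaaa0001: Access policy result: LTM+APM_Mode",
    "Feb 6 08:03:19 lb01.example.test err websso.0[200]: 014d0056:3: /Common/app/exch:Common:aaaa0001:Kerberos: can't get S4U2Self ticket for user alice@CHILD.EXAMPLE.TEST - TGT has been revoked (-1765328364)",
    "Feb 6 08:05:02 lb01.example.test err websso.0[200]: 014d0056:3: /Common/app/exch:Common:aaaa0002:Kerberos: can't get S4U2Self ticket for user bob@child.example.test - TGT has been revoked (-1765328364)",
    "Feb 6 08:09:40 lb01.example.test err websso.0[200]: 014d0056:3: /Common/app/exch:Common:aaaa0003:Kerberos: can't get S4U2Self ticket for user carol@OTHER.EXAMPLE.TEST - TGT has been revoked (-1765328364)",
]

if __name__ == "__main__":
    for (realm, error), n in sorted(by_realm(SAMPLE).items()):
        print(f"{realm:25} {error:22} {n}")
```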