Forum Discussion
Kerberos delegation and short names problem
Hi,
I have a problem with Kerberos delegation and short DNS names (NetBIOS names?). A client wants to set up AD auth and Kerberos SSO to their SharePoint applications. The applications use short names like http://service1 and the SPNs are defined for short names as well.
The problem seems to be how BIG-IP resolves the short name. Either it can't resolve it, or it resolves it to the long name (service1.my1.domain.local), depending on how the DNS settings have been configured on the BIG-IP system. This causes the Kerberos SSO to break down as it is trying to get the ticket for HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL instead of HTTP/service1@MY1.DOMAIN.LOCAL. The Kerberos SSO and delegation were set up following the APM cookbook article and seem to be working fine, apart from the name resolving.
The easiest way would probably be to tell the client that they need to set the SPNs for the long names as well, but I was wondering if there was any way to force BIG-IP to use the short name when asking for the Kerberos ticket.
Taken from /var/log/apm:
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: constructor
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: webssoContext constructor ...
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: 14 headers received
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[:method][GET] (len=3)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[:uri][/] (len=1)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[:version][HTTP/1.1] (len=8)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[:custommeta][tQ] (len=389)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[Host][lhp] (len=3)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header *[session-key][*******] (len=32)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [Referer][https://137.163.137.111/vdesk/webtop.eui?webtop=/Intranet/test_webtop&webtop_type=webtop_full] (len=97)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [Accept][text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8] (len=74)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [username][user1] (len=8)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [Accept-Language][en-US,en;q=0.8,fi;q=0.6,sv;q=0.4] (len=32)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [User-Agent][Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36] (len=120)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [Connection][keep-alive] (len=10)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: http header [DNT][1] (len=1)
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0044:7: 3c4f9527: metadata len 389
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: init webssoConfig from data: 0x854876c, len: 389
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: different sso config object received, name: /Intranet/test_Kerberos_SSO, method: 5
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ssoMethod: kerberos usernameSource: session.sso.token.last.username userRealmSource: session.logon.last.actualdomain Realm: MY1.DOMAIN.LOCAL KDC: MY1.DOMAIN.LOCAL AccountName: svc-f5Kerberos spnPatterh: HTTP/%s@MY1.DOMAIN.LOCAL TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x8509f18, CLIENT: TMEVT_REQUEST
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x8509f18, CLIENT: TMEVT_REQUEST_DONE
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x8509f18, CLIENT: TMEVT_SESSION_RESULT
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x8509f18, CLIENT: TMEVT_SESSION_RESULT
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x8509f18, CLIENT: TMEVT_SESSION_RESULT
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0041:7: 3c4f9527: Could not find SSO domain, check variable assign agent setting
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: ctx: 0x85491e8, SERVER: TMEVT_REQUEST
May 20 14:04:03 hels000666 info websso.1[14949]: 014d0011:6: 3c4f9527: Websso Kerberos authentication for user 'user1' using config '/Intranet/test_Kerberos_SSO'
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0046:7: 3c4f9527: adding item to WorkQueue
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0018:7: sid:3c4f9527 ctx:0x8509f18 server address = ::ffff:10.231.140.20
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0021:7: sid:3c4f9527 ctx:0x8509f18 SPN = HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 info websso.1[14949]: 014d0022:6: 3c4f9527: Kerberos: realm for user user1 is not set, using server's realm MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0023:7: S4U ======> ctx: 3c4f9527, sid: 0x8509f18, user: user1@MY1.DOMAIN.LOCAL, SPN: HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: Getting UCC:user1@MY1.DOMAIN.LOCAL@MY1.DOMAIN.LOCAL, lifetime:36000
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: Found UCC:user1@MY1.DOMAIN.LOCAL@MY1.DOMAIN.LOCAL, lifetime:36000 left:33201
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user1@MY1.DOMAIN.LOCAL server: HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL - trying to fetch
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user1@MY1.DOMAIN.LOCAL server: HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 err websso.1[14949]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
May 20 14:04:03 hels000666 err websso.1[14949]: 014d0024:3: 3c4f9527: Kerberos: Failed to get ticket for user user1@MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 err websso.1[14949]: 014d0048:3: 3c4f9527: failure occurred when processing the work item
-Eero
1 Reply
- Kevin_Stewart
Employee
It is somewhat unfortunate that AD SPNs would be created that way, but not the first time I've seen that. The most robust solution would definitely be to change the SPNs in the directory. It works now, but sooner or later they'll discover other issues.
The second option might be to change the DNS entry. APM Kerberos SSO performs a reverse DNS lookup against the load balanced IP address to get the name of the host, then adds "http/" to the front and "@DOMAIN.COM" to the end to create the SPN string it'll use to make a Kerberos request. If the reverse DNS lookup for any given host IP address is the fully qualified domain name, then that's what the SPN will look like.
Third option might be to spoof the names locally. For every pool member, create a local Hosts entry on the BIG-IP that reflects the short name. Then in the Kerberos SSO profile, under the SPN Pattern section, enter a wildcard SPN pattern:
http/%s@DOMAIN.COM
The SSO will use this value instead of performing the DNS query.
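An added example (not part of the thread or of F5's code) that ties the log in the question to the derivation described in the reply: it pulls the requested SPN and the S4U2Proxy failure out of constructed websso lines, models how the SPN is built from the pool member's reverse DNS name or a local hosts entry, and checks the result against a constructed list of SPNs registered in AD. The hosts-first lookup order, the RDNS/HOSTS/REGISTERED data and the exact log regexes are assumptions made for the illustration.

```python
import re

# Constructed, abridged copy of the websso lines from the post above (not live data).
SAMPLE_LOG = """\
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0018:7: sid:3c4f9527 ctx:0x8509f18 server address = ::ffff:10.231.140.20
May 20 14:04:03 hels000666 debug websso.1[14949]: 014d0021:7: sid:3c4f9527 ctx:0x8509f18 SPN = HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL
May 20 14:04:03 hels000666 err websso.1[14949]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/service1.my1.domain.local@MY1.DOMAIN.LOCAL - Requesting ticket can't get forwardable tickets (-1765328163)
"""

# Message ids taken from the log above; the regexes themselves are assumptions.
SPN_RE = re.compile(r"014d0021:\d+: .*SPN = (\S+)")
FAIL_RE = re.compile(r"014d0005:\d+: .*ticket for server (\S+) - (.+?) \((-?\d+)\)")

# Constructed environment data for the illustration.
RDNS = {"10.231.140.20": "service1.my1.domain.local"}  # what a PTR lookup returns
HOSTS = {"10.231.140.20": "service1"}                   # option 3: local Hosts entry
REGISTERED = ["HTTP/service1"]                          # only the short-name SPN exists in AD


def requested_spns(log):
    """SPNs that websso built and asked the KDC for (message id 014d0021)."""
    return [m.group(1) for line in log.splitlines() if (m := SPN_RE.search(line))]


def failed_spns(log):
    """Map SPN -> (krb5 message, numeric code) for each S4U2Proxy failure (014d0005)."""
    out = {}
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out[m.group(1)] = (m.group(2), m.group(3))
    return out


def derive_spn(server_ip, realm, rdns, hosts=None, spn_pattern=None):
    """Simplified model (assumption, not product code) of the derivation the reply
    describes: name the pool member from a local hosts entry if present, otherwise
    from reverse DNS, then fill the SPN pattern (default HTTP/%s@REALM)."""
    name = (hosts or {}).get(server_ip) or rdns.get(server_ip)
    if name is None:
        raise LookupError(f"no name for {server_ip}")
    return (spn_pattern or "HTTP/%s@" + realm) % name


def spn_is_registered(spn, registered):
    """AD stores SPNs without the @REALM suffix and matches them case-insensitively,
    so strip the realm before comparing the requested SPN to the directory's list."""
    return spn.split("@", 1)[0].lower() in {s.lower() for s in registered}
```

With the hosts override in place, derive_spn yields HTTP/service1@MY1.DOMAIN.LOCAL, which is the SPN the directory actually holds; without it the FQDN-based SPN from the log is produced and fails the registration check.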