Forum Discussion
Kerberos SSO : Server not found in Kerberos database (-1765328377)
Hi,
I am trying to configure Kerberos SSO between F5/APM ans IIS. I am getting this error message :
Feb 8 18:17:00 bigip12 info websso.3[2776]: 014d0011:6: /Common/Kerb:Common:7828fdf8: Websso Kerberos authentication for user 'testaccount' using config '/Common/SSO-kerberos'
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0046:7: /Common/Kerb:Common:7828fdf8: adding item to WorkQueue
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0018:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 server address = ::ffff:XXX.XXX.XXX.XXX (IP Adresse masqued)
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0021:7: /Common/Kerb:Common:7828fdf8: ctx:0x8ef0f38 SPN = HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 debug websso.3[2776]: 014d0023:7: S4U ======> /Common/Kerb:Common:7828fdf8: ctx: 0x8ef0f38, user: testaccount@AD.TEST.FR, SPN: HTTP/iis.ad.test.fr@AD.TEST.FR
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testaccount@AD.TEST.FR - Server not found in Kerberos database (-1765328377)
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0024:3: /Common/Kerb:Common:7828fdf8: Kerberos: Failed to get ticket for user testaccount@AD.TEST.FR
Feb 8 18:17:00 bigip12 err websso.3[2776]: 014d0048:3: /Common/Kerb:Common:7828fdf8: failure occurred when processing the work item
I tried to follow Kevin Stewart and Cody Green advises but it is still not working (if you read my guys, please do not hesitate to answer :o)).
I tried to use this command : kinit -f And it is working.
But this one is not: knvo -C -U KNVO is not reconized.
Help is welcome,
Thanks
MD
Hi MD,
the KDC error
refers to-1765328377
and means that the domain controller was unable to find an matching service account for this Service Principal Name (SPN).KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Please check if the Service Principal Name
is registered in Activce Directory and that this name is either linked to the service account of your IIS web application (in thew case that IIS Kernel mode caching is disabled) or to the computer account hosting the IIS service (if Kernel mode caching is enabled or if the website is running under a system identity like network service, local system, etc.)HTTP/iis.ad.test.fr
C:\Windows\system32>setspn -Q HTTP/iis.ad.test.fr
The next step would be to check if LTM's service account is already allowed to perform a Kerberos Protocol Transition and Contrained Delegation to this SPN. But lets see if the addition of the SPN already resolves your problem...
Cheers, Kai
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com