Forum Discussion
scorpa_121336
Nimbostratus
NimbostratusKerberos SSO across External trust
Hello, folks !
We have two domains: contoso.com and example.com they are in two-way external trust.
Our web-site in contoso.com and we are trying to provide kerberos SSO for users in example.co...
scorpa_121336Nimbostratus
NimbostratusHello again !
We fixed our configuration and now it's looks like this:
Username: session.logon.last.username
User Realm Source: session.logon.last.domain
Kerberos realm: CONTOSO.LOCAL
KDC: empty
Account Name: host/admin.contoso.local@CONTOSO.LOCAL
SPN Pattern: empty
Clients from contoso.local domain successfully obtains tickets and evertyhing work fine. But for Example.local it's stuck at TGS req. In our /var/log/apm we have this:
Oct 10 13:48:55 BigIp info websso.1[9143]: 014d0011:6: 29061622: Websso Kerberos authentication for user 'test_user' using config '/Common/Kerberos_SSO_CONTOSO.local'
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0046:7: 29061622: adding item to WorkQueue
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0018:7: sid:29061622 ctx:0x5a709e08 server address = ::ffff:10.1.1.1
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0021:7: sid:29061622 ctx:0x5a709e08 SPN = HTTP/s-web-01.CONTOSO.local@CONTOSO.LOCAL
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0023:7: S4U ======> ctx: 29061622, sid: 0x5a709e08, user: test_user@EXAMPLE.LOCAL, SPN: HTTP/s-web-01.CONTOSO.local@CONTOSO.LOCAL
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: Getting UCC:test_user@EXAMPLE.LOCAL@CONTOSO.LOCAL, lifetime:36000
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: TGT expires:1412970127 CC count:1
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: Initialized UCC:test_user@EXAMPLE.LOCAL@CONTOSO.LOCAL, lifetime:36000 kcc:0x5a7095f8
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: UCCmap.size = 2, UCClist.size = 2
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: test_user@EXAMPLE.LOCAL server: HTTP/s-web-01.CONTOSO.local@CONTOSO.LOCAL - trying to fetch
Oct 10 13:48:55 BigIp debug websso.1[9143]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: test_user@EXAMPLE.LOCAL - trying to fetch
Oct 10 13:48:55 BigIp err websso.1[9143]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user test_user@EXAMPLE.LOCAL - Server not found in Kerberos database (-1765328377)
Oct 10 13:48:55 BigIp err websso.1[9143]: 014d0024:3: 29061622: Kerberos: Failed to get ticket for user test_user@EXAMPLE.LOCAL
Oct 10 13:48:55 BigIp err websso.1[9143]: 014d0048:3: 29061622: failure occurred when processing the work item
CodeIn WireShark we have TGS-REQ such as: KDCOptions - Forwardable, Canonicalize Realm - EXAMPLE.LOCAL Server Name (Principal) : host/admin.contoso.local And for it we this reply: error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Can you help us where we need to investigate next ?
