Kerberos SSO across External trust
Going to go out on a limb here, but I believe that Kerberos Protocol Transition (KPT) DOES NOT work across non-transitive (external) trusts. It does, however, work across transitive (forest) trusts. I've tested this locally and have gotten the same exact error message. It's not an APM thing specifically, but rather a protocol limitation. Funny thing is I've actually seen this in writing somewhere, but now can't find anything to officially substantiate that claim. For what it's worth, you can actually test this outside of an access policy:
kinit -f [SPN of delegation service account]
(prompts for the password of that account)
kvno -C -U [user@OTHER_REALM] [SPN of delegation service account]
Example:
kinit -f host/krbsrv.bravo.com
Password for host/krbsrv.bravo.com@BRAVO.COM:
This generates the AS_REQ message. No response means it worked and you've cached a new TGT.
kvno -C -U al.user@alpha.com host/krbsrv.bravo.com
The -C and -U stand for constrained delegation and protocol transition. The user is specified by its UPN, and you're pointing at the delegation account. If it works, you'll get something like this:
host/krbsrv.bravo.com@BRAVO.COM: kvno = 2
If it doesn't work, as with your external non-transitive trust configuration, you'll get a "Server not found in Kerberos database" error message and "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" in the Windows event viewer.
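The two-step probe described above, wrapped into a small script as an added example (not code from the post or from F5): it runs the same kinit/kvno commands and classifies the result using the success and failure strings the post quotes. It assumes MIT Kerberos client tools on PATH, that the kinit password prompt is answered interactively, and the hypothetical names pt_probe and classify_kvno_output; the sample kvno output lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (interactive password prompt):
#   ./pt_probe.sh host/krbsrv.bravo.com al.user@alpha.com

# Classify the combined stdout/stderr of `kvno -C -U <upn> <spn>`.
# Prints OK / TRUST_BLOCKED / UNKNOWN and returns 0 / 1 / 2 respectively.
# Constructed sample inputs:
#   success: "host/krbsrv.bravo.com@BRAVO.COM: kvno = 2"
#   failure: "kvno: Server not found in Kerberos database while getting
#             credentials for host/krbsrv.bravo.com@BRAVO.COM"
classify_kvno_output() {
    out="$1"
    case "$out" in
        *"kvno = "*)
            # A kvno line means the KDC issued the S4U2Self service ticket.
            echo "OK"
            return 0 ;;
        *"Server not found in Kerberos database"*|*"KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"*)
            # The KDC could not resolve the principal; the post reports this
            # as the symptom over a non-transitive (external) trust.
            echo "TRUST_BLOCKED"
            return 1 ;;
        *)
            echo "UNKNOWN"
            return 2 ;;
    esac
}

# Run the probe end to end: spn is the delegation service account,
# upn is the user in the other realm to impersonate via protocol transition.
pt_probe() {
    spn="$1"; upn="$2"
    # Step 1: AS_REQ for the delegation account with a forwardable TGT (-f).
    kinit -f "$spn" || { echo "kinit failed for $spn" >&2; return 2; }
    # Step 2: the post's S4U2Self probe (-C, -U as the post describes them).
    out=$(kvno -C -U "$upn" "$spn" 2>&1)
    classify_kvno_output "$out"
}

# Only run the live probe when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    pt_probe "$1" "$2"
fi
```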