Forum Discussion

robert_juric_35's avatar
robert_juric_35
Icon for Altostratus rankAltostratus
Apr 23, 2018

Kerberos SSO Clients Not Getting Ticket

I'm setting up a new Kerberos SSO site. I've copied the config from a working SSO site we already have setup. In the VPE we have the 401 with negotiate and then the Kerberos authentication. Everythin...
BIG-IP
BIG-IP Access Policy Manager (APM)
security
  • robert_juric_35's avatar
    robert_juric_35
    Apr 25, 2018

    The other answer showed me the problem. In our testing, we were going directly to the virtual server IP instead of the FQDN. Since the IP didn't match what was in the UPN it was failing kerberos. As soon as we entered the FQDN as the URL everything worked fine.

     

youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 25, 2018

Hello Robert,

 

I understand your issue, to sum up, you have on service as IDP that authenticate user (kerberos). you have copied the VPE and attached this new vpe to a new services.

 

it's quite normal that it does not work, because of kerberos. let me explain.

 

Actual service idp1.mydomain.com

 

Copied service idp2.mydomain.com

 

In the VPE of service idp2 you have to create a new Keytab with the following spn HTTP/idp2.mydomain.com.

 

You have to now that kerberos use dns record in its auth process. when you try to reach/auth in idp2, you system will follow this steps:

 

  • a record of idp2.mydomain.com --> ex: 1.1.1.2
  • ptr of 1.1.1.2 --> idp2.mydomain.com
  • check if spn HTTP/idp2.mydomain.com

The problem is that spn idp2 don't exist and the keytab attached to idp2 vpe is not valid because it's spn used by idp1...

 

Let me now if it's clear for you and if you need additional help.

 

Regards