Forum Discussion
Kerberos SSO for APM - Exchange 2016
Hello, I'm trying to configure Kerberos SSO for Outlook Anywhere (Exchange 2016), but I keep getting these errors.
debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/[email protected]
info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR
debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: [email protected], SPN: HTTP/[email protected]
err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/[email protected] - Requesting ticket can't get forwardable tickets (-1765328163)
Delegation account: host/d5delegation @subdomain.domain2.fr
Kerberos SSO Auth:
SPN is HTTP/mail.domain1.fr (the public hostname that clients connect to).
Also, under Delegation I chose "Trust this user for delegation to specified services only" > "Use any authentication protocol", and I selected the SPN.
AD servers are on pre-production, on subdomain.domain2.fr.
This command (nslookup -type=SRV _kerberos._tcp.dc._msdcs.subdomain.domain2.fr) doesn't find a KDC because the F5 DNS only resolves domain1.fr. BUT since the F5 is resolving the domain controllers of the preprod zone (the DC server I specified in the Kerberos SSO auth), is that OK?
This doesn't work either:
kinit -f HTTP/[email protected]
kinit: Cannot resolve servers for KDC in realm .......
Thanks for your help.
1 Reply
Your User Logon name doesn't seem to be right. You have:
It should be: host/delegation
So, the SPN will become host/delegation.domain1.fr
host/[email protected]
Also make sure you set the SPN:
setspn -A host/delegation.domain1.fr delegation
In the APM SSO Configuration the fields 'KDC' and 'SPN Pattern' can be left empty.
DNS is also very important. You need to have both an A and PTR record for mail1.domain1.fr. Make sure you can resolve them from the F5 BIG-IP.
Also see this cookbook. Just follow the steps:
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
To test your constrained delegation account on the F5 BIG-IP and see if you can get a ticket for a user:
[root@strongbox:Active:Standalone] / kinit -f 'host/[email protected]'
Password for host/[email protected]:
[root@strongbox:Active:Standalone] / kvno -C -U [email protected] host/[email protected]
host/[email protected]: kvno = 2
[root@strongbox:Active:Standalone] / klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[email protected]

Valid starting       Expires              Service principal
12/09/18 17:05:06    12/10/18 03:05:10    krbtgt/[email protected]
        renew until 12/16/18 17:05:06
12/09/18 17:05:15    12/10/18 03:05:10    host/[email protected] for client user\@[email protected], renew until 12/16/18 17:05:06
[root@strongbox:Active:Standalone] /
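As an added example (not code from either post above), a small Python triage script that reads BIG-IP APM websso log lines like the ones in the question, pulls out the user, SPN and S4U2Proxy result, maps the MIT krb5 com_err code to its name and a remediation hint, and flags the realm mismatch visible in the "realm for user ... is not set" warning. The log lines and hostnames are constructed placeholders modelled on the question.

```python
import re

# Constructed sample modelled on the question's log lines (placeholder hosts/realm).
# Note the defaulted realm "domaine2" does not match the SPN realm "DOMAIN2".
SAMPLE_LOG = """\
debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/mail.domain1.fr@SUBDOMAIN.DOMAIN2.FR
info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR
debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: USERX@SUBDOMAIN.DOMAIN2.FR, SPN: HTTP/mail.domain1.fr@SUBDOMAIN.DOMAIN2.FR
err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/mail.domain1.fr@SUBDOMAIN.DOMAIN2.FR - Requesting ticket can't get forwardable tickets (-1765328163)
"""

# MIT krb5 com_err codes that show up in APM Kerberos SSO (KCD) failures.
KRB5_ERRORS = {
    -1765328163: ("KRB5_TKT_NOT_FORWARDABLE",
                  "S4U2Self ticket not forwardable: check the delegation account uses "
                  "'Use any authentication protocol' and the user is not marked "
                  "'sensitive and cannot be delegated'"),
    -1765328164: ("KRB5_REALM_CANT_RESOLVE",
                  "no KDC found for the realm: fix DNS SRV records or set the KDC explicitly"),
}

S4U_FAIL_RE = re.compile(
    r"can't get S4U2Proxy ticket for server (?P<spn>\S+) - (?P<msg>.*?) \((?P<code>-?\d+)\)")
S4U_REQ_RE = re.compile(r"S4U ======>.*user: (?P<user>\S+), SPN: (?P<spn>\S+)")
REALM_WARN_RE = re.compile(
    r"realm for user (?P<user>\S+) is not set, using server's realm (?P<realm>\S+)")

def triage_s4u(log_text):
    """Summarise the S4U2Proxy outcome found in websso log text as a dict."""
    r = {"user": None, "spn": None, "realm_defaulted": None, "error": None, "hint": None}
    for line in log_text.splitlines():
        if m := REALM_WARN_RE.search(line):
            r["realm_defaulted"] = m.group("realm")
        if m := S4U_REQ_RE.search(line):
            r["user"], r["spn"] = m.group("user"), m.group("spn")
        if m := S4U_FAIL_RE.search(line):
            name, hint = KRB5_ERRORS.get(int(m.group("code")), ("UNKNOWN", m.group("msg")))
            r["error"], r["hint"] = name, hint
    # Realm mismatch between the SPN's realm and the realm APM defaulted the user to
    # (Kerberos realms compare case-sensitively, so normalise only for the comparison).
    spn_realm = r["spn"].rsplit("@", 1)[1] if r["spn"] and "@" in r["spn"] else None
    r["realm_mismatch"] = bool(spn_realm and r["realm_defaulted"]
                               and spn_realm.lower() != r["realm_defaulted"].lower())
    return r

if __name__ == "__main__":
    for key, value in triage_s4u(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```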