Kerberos SSO for APM - Exchange 2016
Hello, I'm trying to configure Kerberos SSO for Outlook Anywhere (Exchange 2016) but I keep getting these errors.
debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/mail.domain1.fr@subdomain.domaine2.FR
info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR
debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: USERX@subdomain.domaine2.FR, SPN: HTTP/mail.domain1.fr@subdomain.domain2.FR
err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/mail.domain1.fr@subdomain.domain2.FR - Requesting ticket can't get forwardable tickets (-1765328163)
Delegation account: host/d5delegation @subdomain.domain2.fr
Kerberos SSO Auth:
SPN is HTTP/mail.domain1.fr (the public hostname where clients come in).
And also under Delegation I chose "Trust this user for delegation to specified services only" > "Use any authentication protocol" and I chose the SPN.
AD servers are in pre-production, on subdomain.domain2.fr.
This command (nslookup -type=SRV _kerberos._tcp.dc._msdcs.subdomain.domain2.fr) doesn't find the KDC because the F5 DNS only resolves domain1.fr. BUT since the F5 is resolving the domain controllers of the preprod zone (the DC server I specified in Kerberos SSO auth), is that OK?
This doesn't work either:
kinit -f HTTP/mail.domain1.fr@subdomain.domain2.FR
kinit: Cannot resolve servers for KDC in realm .......
Thanks for your help.
Your User Logon name doesn't seem to be right. You have: . It should be: host/delegation. So, the SPN will become host/delegation.domain1.fr:
host/delgation.domain1.fr@subdomain.domain2.FR
Also make sure you set the SPN:
setspn -A host/delgation.domain1.fr delegation
In the APM SSO Configuration the fields 'KDC' and 'SPN Pattern' can be left empty.
DNS is also very important. You need to have both an A and PTR record for mail1.domain1.fr. Make sure you can resolve them from the F5 BIG-IP.
Also see this cookbook. Just follow the steps:
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
To test your constrained delegation account on the F5 BIG-IP and see if you can get a ticket for a user:
[root@strongbox:Active:Standalone] / kinit -f 'host/delgation.domain1.fr@subdomain.domain2.FR'
Password for host/delgation.domain1.fr@subdomain.domain2.FR:
[root@strongbox:Active:Standalone] / kvno -C -U user@subdomain.domain2.FR host/delgation.domain1.fr@subdomain.domain2.FR
host/delgation.domain1.fr@subdomain.domain2.FR: kvno = 2
[root@strongbox:Active:Standalone] / klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/delgation.domain1.fr@subdomain.domain2.FR

Valid starting     Expires            Service principal
12/09/18 17:05:06  12/10/18 03:05:10  krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
        renew until 12/16/18 17:05:06
12/09/18 17:05:15  12/10/18 03:05:10  host/delgation.domain1.fr@subdomain.domain2.FR
        for client user\@subdomain.domain2.FR@subdomain.domain2.FR, renew until 12/16/18 17:05:06
[root@strongbox:Active:Standalone] /
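As an added example (not from this thread and not F5 tooling), a small POSIX shell check built on the same kinit / kvno / klist sequence: it requests a forwardable TGT for the delegation account, requests the S4U2Proxy ticket for a test user against the thread's SPN, and parses klist -f to confirm the TGT actually carries the F (forwardable) flag that the "Requesting ticket can't get forwardable tickets" error says is missing. The delegation principal and test user are assumed placeholders, and the klist output embedded for offline use is constructed.

```shell
#!/bin/sh
# Added example: check that an APM delegation account gets a forwardable TGT
# and an S4U2Proxy ticket. Principal/user values below are assumptions.
DELEG='host/delegation.domain1.fr@subdomain.domain2.FR'   # assumed delegation account
TARGET='HTTP/mail.domain1.fr@subdomain.domain2.FR'        # SPN from the thread
TESTUSER='user@subdomain.domain2.FR'                       # assumed test user

# Reads "klist -f" output on stdin. Exit 0 only if the krbtgt ticket has the
# F flag and a ticket for $1 exists "for client" someone (i.e. S4U2Proxy worked).
check_klist_output() {
    awk -v spn="$1" '
        /^[0-9]/ { svc = $NF }                 # ticket line: last column is the service
        /Flags:/ {                             # continuation line carries the flags
            if (svc ~ /^krbtgt\//) tgt_flags = $NF
            else if (svc == spn && $0 ~ /for client/) have_proxy = 1
        }
        END {
            if (tgt_flags !~ /F/) { print "TGT not forwardable (flags: " tgt_flags ")"; exit 1 }
            if (!have_proxy)      { print "no S4U2Proxy ticket for " spn; exit 2 }
            print "OK: forwardable TGT and S4U2Proxy ticket for " spn
        }'
}

# Live check for a box that has kinit/kvno/klist and can reach the KDC (e.g. the BIG-IP).
run_delegation_check() {
    kinit -f "$DELEG" || return 1                   # -f: request a forwardable TGT
    kvno -C -U "$TESTUSER" "$TARGET" || return 1    # S4U2Self, then S4U2Proxy for TARGET
    klist -f | check_klist_output "$TARGET"
}

# Constructed sample output (not captured from a real system) for offline use.
SAMPLE_GOOD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/delegation.domain1.fr@subdomain.domain2.FR

Valid starting     Expires            Service principal
12/09/18 17:05:06  12/10/18 03:05:10  krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
        renew until 12/16/18 17:05:06, Flags: FRIA
12/09/18 17:05:15  12/10/18 03:05:10  HTTP/mail.domain1.fr@subdomain.domain2.FR
        for client user@subdomain.domain2.FR, renew until 12/16/18 17:05:06, Flags: FRAT'
# Same cache but the TGT was obtained without -f (or the account is marked
# "sensitive and cannot be delegated"): no F flag, so the check must fail.
SAMPLE_BAD='Valid starting     Expires            Service principal
12/09/18 17:05:06  12/10/18 03:05:10  krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
        renew until 12/16/18 17:05:06, Flags: RIA'
```

Run `run_delegation_check` on the BIG-IP after a `kdestroy`; a non-zero exit with the printed reason tells you whether the problem is the TGT flags or the S4U2Proxy step itself.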