Forum Discussion

cd_312641
May 01, 2019

Kerberos SSO for APM - Exchange 2016

Hello, I'm trying to configure Kerberos SSO for Outlook Anywhere (Exchange 2016), but I keep getting these errors:

    debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/mail.domain1.fr@subdomain.domaine2.FR
    info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR
    debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: USERX@subdomain.domaine2.FR, SPN: HTTP/mail.domain1.fr@subdomain.domain2.FR
    err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/mail.domain1.fr@subdomain.domain2.FR - Requesting ticket can't get forwardable tickets (-1765328163)

Delegation account: host/d5delegation @subdomain.domain2.fr

Kerberos SSO Auth:

SPN is HTTP/mail.domain1.fr (the public hostname the clients connect to).

Also, under Delegation I chose "Trust this user for delegation to specified services only" > "Use any authentication protocol", and I selected the SPN.

The AD servers are in pre-production, on subdomain.domain2.fr.

This command (nslookup -type=SRV _kerberos._tcp.dc._msdcs.subdomain.domain2.fr) doesn't find the KDC, because the F5's DNS only resolves domain1.fr. But since the F5 does resolve the domain controllers of the pre-prod zone (the DC server I specified in the Kerberos SSO auth), is that OK?

This doesn't work either:

    kinit -f HTTP/mail.domain1.fr@subdomain.domain2.FR
    kinit: Cannot resolve servers for KDC in realm .......

Thanks for help

  • Your User Logon name doesn't seem to be right. You have:

        host/delegation

    It should be:

        host/delegation.domain1.fr

    So the SPN will become:

        host/delgation.domain1.fr@subdomain.domain2.FR

    Also make sure you set the SPN:

     setspn -A host/delgation.domain1.fr delegation
    

    In the APM SSO Configuration the fields 'KDC' and 'SPN Pattern' can be left empty.

    DNS is also very important. You need to have both an A and PTR record for mail1.domain1.fr. Make sure you can resolve them from the F5 BIG-IP.

    Also see this cookbook. Just follow the steps:

    https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos

    To test your constrained delegation account on the F5 BIG-IP and see if you can get a ticket for a user, run:

    [root@strongbox:Active:Standalone] /  kinit -f 'host/delgation.domain1.fr@subdomain.domain2.FR'
    Password for host/delgation.domain1.fr@subdomain.domain2.FR: 
    [root@strongbox:Active:Standalone] /  kvno -C -U user@subdomain.domain2.FR host/delgation.domain1.fr@subdomain.domain2.FR
    host/delgation.domain1.fr@subdomain.domain2.FR: kvno = 2
    [root@strongbox:Active:Standalone] /  klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: host/delgation.domain1.fr@subdomain.domain2.FR
    
    Valid starting     Expires            Service principal
    12/09/18 17:05:06  12/10/18 03:05:10  krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
        renew until 12/16/18 17:05:06
    12/09/18 17:05:15  12/10/18 03:05:10  host/delgation.domain1.fr@subdomain.domain2.FR
        for client user\@subdomain.domain2.FR@subdomain.domain2.FR, renew until 12/16/18 17:05:06
    [root@strongbox:Active:Standalone] /
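The AD-side configuration the reply describes (UPN in host/ form, the registered SPN, constrained delegation to the Exchange SPN with "Use any authentication protocol", i.e. protocol transition), expressed as a PowerShell script, plus the checks a practitioner would run on the user that fails with "can't get forwardable tickets". This is an added example, not code from the DevCentral thread or from F5; it assumes the RSAT ActiveDirectory module, and the account name `delegation`, the hostname `delegation.domain1.fr`, the realm `subdomain.domain2.fr`, the Exchange SPN `HTTP/mail.domain1.fr` and the test user `USERX` are placeholders taken from the thread, not real objects.

```powershell
# Added example: mirrors the AD settings the reply describes. Not from the original
# thread. Names below are placeholders taken from the discussion.
Import-Module ActiveDirectory

$Account  = 'delegation'                 # sAMAccountName of the APM delegation account
$UpnHost  = 'delegation.domain1.fr'      # FQDN used in the host/ principal
$Realm    = 'subdomain.domain2.fr'       # Kerberos realm (AD domain) the account lives in
$Targets  = [string[]]@('HTTP/mail.domain1.fr')   # SPN(s) APM is allowed to delegate to
$TestUser = 'USERX'                      # user that failed in the websso log

# 1. The UPN must be the full host/<fqdn>@<REALM> principal that APM authenticates as.
Set-ADUser -Identity $Account -UserPrincipalName "host/$UpnHost@$($Realm.ToUpper())"

# 2. Register the matching SPN on the account (same effect as: setspn -A host/<fqdn> <account>).
Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = "host/$UpnHost" }

# 3. Constrained delegation to the Exchange SPN only (msDS-AllowedToDelegateTo) ...
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }

# ... with protocol transition ("Use any authentication protocol"). Without this flag
#     the S4U2Self ticket APM obtains is not forwardable and S4U2Proxy fails.
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# 4. Verify the delegation account end to end.
$props = 'UserPrincipalName', 'ServicePrincipalNames',
         'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
Get-ADUser -Identity $Account -Properties $props | Select-Object $props | Format-List

# 5. Checks on the *target user*: an account marked "sensitive and cannot be delegated",
#    or a member of Protected Users, never gets a forwardable ticket, which produces the
#    same S4U2Proxy error regardless of how well the delegation account is configured.
$u = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated, MemberOf
if ($u.AccountNotDelegated) {
    Write-Warning "$TestUser is marked 'Account is sensitive and cannot be delegated'"
}
if ($u.MemberOf -match '^CN=Protected Users,') {
    Write-Warning "$TestUser is in Protected Users; its tickets cannot be delegated"
}

# 6. DNS checks the reply asks for: forward (A) and reverse (PTR) records for the
#    public hostname must resolve from the BIG-IP's resolver.
$a = Resolve-DnsName -Name 'mail.domain1.fr' -Type A -ErrorAction Stop
foreach ($rec in $a | Where-Object { $_.Type -eq 'A' }) {
    Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction Continue
}
```

Run it from a domain-joined admin host; steps 1 to 3 need rights to write the account, step 6 only shows what the Windows resolver sees, so repeat the A/PTR lookups on the BIG-IP itself (`dig`/`nslookup`) against the DNS servers it is actually configured with.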