Forum Discussion
cd_312641
Nimbostratus
NimbostratusKerberos SSO for APM - Exchange 2016
Hello, i'm trying to configure Kerberos SSO for Outlook anywhere(Exchange 2016) but I keep getting these errors.
debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f4...
Your User Logon name doesn't seem to be right. You have:
host/delegationhost/delegation.domain1.frhost/delgation.domain1.fr@subdomain.domain2.FRAlso make sure you you set the SPN:
setspn -A host/delgation.domain1.fr delegation
In the APM SSO Configuration the fields 'KDC' and 'SPN Pattern' can be left empty.
DNS is also very important. You need to have both an A and PTR record for mail1.domain1.fr. Make sure you can resolve them from the F5 BIG-IP.
Also see this cookbook. Just follow the steps:
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
To test your constrained delegation account on the F5 BIG-IP and see if you can get a ticket for a user.
[root@strongbox:Active:Standalone] / kinit -f 'host/delgation.domain1.fr@subdomain.domain2.FR'
Password for host/delgation.domain1.fr@subdomain.domain2.FR:
[root@strongbox:Active:Standalone] / kvno -C -U user@subdomain.domain2.FR host/delgation.domain1.fr@subdomain.domain2.FR
host/delgation.domain1.fr@subdomain.domain2.FR: kvno = 2
[root@strongbox:Active:Standalone] / klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/delgation.domain1.fr@subdomain.domain2.FR
Valid starting Expires Service principal
12/09/18 17:05:06 12/10/18 03:05:10 krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
renew until 12/16/18 17:05:06
12/09/18 17:05:15 12/10/18 03:05:10 host/delgation.domain1.fr@subdomain.domain2.FR
for client user\@subdomain.domain2.FR@subdomain.domain2.FR, renew until 12/16/18 17:05:06
[root@strongbox:Active:Standalone] /