Kerberos SSO resource and account not in the same domain
Hi,
We created the F5 service account in Domain1 as host/… Users are in domain1.local. The web resource is in domain2.local with an SPN, let's say: HTTP/webresource.domain2.local
When I test with kinit and kvno for the F5 and user accounts, everything is working fine.
But when I specify the SPN in APM like HTTP/webresource.domain2.local OR HTTP/webresource.domain2.local@DOMAIN2.LOCAL, I get errors like: Matching credential not found (-1765328243)
On the resource in Domain2 we give rights for host/ with Set-ADUser IIS_Service_User … -Principals…, per the document: https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
Does anyone have setup like this on F5 and can share config?
- jban_198207
Cirrus
I put the resource and delegation account in the same domain. The user is in another domain and now I am getting: Realm not local to KDC (-1765328316)
Hi jban,
When using the classic Kerberos Constrained Delegation mode (>= Win2003) you have to create the service account which performs the Kerberos Constrained Delegation in the same AD domain as the service account of the resource service. But the user could be stored in any trusted domain.
When using the Resource-based Kerberos Constrained Delegation mode (>= Win2012) the service account which performs the Kerberos Constrained Delegation, the service account of the resource service and the user account can all be stored in different domains.
https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
Cheers, Kai
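An added example (not part of Kai's reply or of F5's or Microsoft's documentation) showing, with the ActiveDirectory PowerShell module, where each mode's delegation setting lives and why only the resource-based mode tolerates the account layout from the question. The account names f5svc and iis_svc are assumed; the SPN and the domain names are the ones from the original post.

```powershell
# Added example: classic vs resource-based KCD from the directory side.
# Assumed names: f5svc (APM delegation account), iis_svc (account owning the SPN).
Import-Module ActiveDirectory

$delegator    = 'f5svc'
$resourceAcct = 'iis_svc'
$spn          = 'HTTP/webresource.domain2.local'

# Classic KCD (Windows 2003+): the allow-list is stored on the *delegating* account
# (msDS-AllowedToDelegateTo). The KDC only honours it when the delegating account and
# the resource account share a domain, so this only works if f5svc was created in
# domain2.local next to iis_svc. TrustedToAuthForDelegation enables protocol
# transition, which APM needs because it never sees the user's password.
Set-ADUser -Identity $delegator -Server 'domain2.local' -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
Set-ADAccountControl -Identity $delegator -Server 'domain2.local' -TrustedToAuthForDelegation $true

# Resource-based KCD (Windows 2012+): the allow-list is stored on the *resource* account
# (msDS-AllowedToActOnBehalfOfOtherIdentity) as a security descriptor, so it may name a
# principal from another domain and f5svc can stay in domain1.local. Resolve the
# delegator in its own domain first so its SID, not just a name, ends up in the ACL.
$delegatorObj = Get-ADUser -Identity $delegator -Server 'domain1.local'
Set-ADUser -Identity $resourceAcct -Server 'domain2.local' -PrincipalsAllowedToDelegateToAccount $delegatorObj

# Review what is actually configured before re-testing with kinit/kvno.
Get-ADUser -Identity $resourceAcct -Server 'domain2.local' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
Get-ADUser -Identity $delegator -Server 'domain1.local' -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
```

Run the classic block or the resource-based block, not both, against the layout you actually have; a delegating account that appears in neither listing is the first thing to rule out when APM reports "Matching credential not found".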
- Stanislas_Piro2
Cumulonimbus
Hi,
Can you share the Kerberos SSO configuration?
Did you edit the /etc/krb5.conf file?
- jban_198207
Cirrus
Changed -> Dns_lookup_kdc = true. Analysing a packet capture, the answer was found.
USERDOMAIN.INTERNAL was a child domain of INTERNAL and INTERNAL KCD was not allowed on the firewall. After allowing INTERNAL KCD, stuff started to work.
- Danny_337294
Nimbostratus
Hi Jban,
What exactly started working? Classic KCD or Resource Based KCD?