Forum Discussion
NimbostratusKerberos SSO with two realms
I am working on a solution depicted in the attached file.
Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest (realm1).
Then they are supposed to have a transparent logon to a Web server located in another Active Directory forest (realm2) that trusts the user account forest.
Everything works well except the SSO part which is not transparent and pops a username/password dialog in the browser.
In Wireshark traces i see a KDC_ERR_S_PRINCIPAL_UNKNOWN error.
In the packet details I see that APM sets an incorrect realm when trying to get the user's TGT as following:
and sends it to the Realm2 KDC. As the Realm2 KDC knows nothing about the Realm1 this request fails with the error above.
SSO setup details:
Username: session.logon.last.username
User Realm Source: session.logon.last.domain
Kerberos realm: Realm2 (server's realm in capital letters)
KDC: empty (as recommended in the manual for different user and server realms)
SPN Pattern: empty
VPE Policies are shown in the attached picture.
Could anyone confirm whether SSO is supported in the cross-forest trust scenarios?
The APM documentation mentions that user and server realms can be different.
Any hints will be appreciated
Thank you in advance
APM Version 11.3.0
8 Replies
- Kevin_Stewart
Employee
APM Kerberos SSO does support cross-forest trust as long as you specify the user's real realm. Are you specifying the user's domain name in the session.logon.last.domain variable? You may need to set it manually.
Also, are you seeing the server principal unknown error directly after the call for "krbtgt/Realm1@Realm2"? For cross-forest Kerberos to work both domains must be able to communicate and have a Kerberos keys in each others realms. So if you need to authenticate realm1 users to a realm2 service, the SSO agent must first get a ticket from its own domain for the KDC in the other domain (this is the krbtgt/Realm1@Realm2 ticket request). Once the SSO agent has this ticket, it uses it very much like a TGT to realm2 to request access to the service in realm2. The SSO agent must also be able to resolve both realms. - Hi, in my experience DNS has to be rock solid for Kerberos Constrained Delegation to work. I would have Kerberos working for one domain, then introduce the second. You might want to add a final SSO Credential Mapping to the policy also.
- Kevin_StewartSSO credential mapping is not necessarily required for Kerberos SSO. The credential mapping agent simply plugs the required username and password values into the right session (token) variables for things like form-based SSO. As long as you're populating the correct session variables in the access policy (as determined by the username and domain source fields in the Kerberos SSO profile), you should be good to go. For testing purposes you can also arbitrarily set the session.logon.last.username and session.logon.last.domain to known good user and domain values to bypass everything but the SSO.
But I would agree that DNS is absolutely critical. APM must be able to resolve (forward and reverse) each of the domains.
I would also not that while the APM Kerberos SSO username source defaults to session.sso.token.last.username (what the credential mapping agent would use), I typically reset it to session.logon.last.username (as East Coast has also apparently done). 
East_Coast_1151Posted By Kevin Stewart on 03/19/2013 07:56 AM
APM Kerberos SSO does support cross-forest trust as long as you specify the user's real realm. Are you specifying the user's domain name in the session.logon.last.domain variable? You may need to set it manually.
Also, are you seeing the server principal unknown error directly after the call for "krbtgt/Realm1@Realm2"? For cross-forest Kerberos to work both domains must be able to communicate and have a Kerberos keys in each others realms. So if you need to authenticate realm1 users to a realm2 service, the SSO agent must first get a ticket from its own domain for the KDC in the other domain (this is the krbtgt/Realm1@Realm2 ticket request). Once the SSO agent has this ticket, it uses it very much like a TGT to realm2 to request access to the service in realm2. The SSO agent must also be able to resolve both realms.Thank you for the prompt response.
1. Yes, the user's realm is specified as the user's domain name ( session.logon.last.domain). I checked the variable value before SSO and it contains the good value.2. Yes, I am seeing the error right after the cross-realm TGS request for . I tried to set a principal with the this exact name in Realm2 and the UNKNOWN PRINCIPAL error moved to the next step when APM tries to get a TGS for itself in the user's realm. This represents moving from the step 2 to the step 3 on the diagram below.
http://msdn.microsoft.com/en-us/library/cc246109.aspx
3. DNS records are good and all KDC and DC records are set correctly. I use Microsoft DNS in both forests and each of them has a stub zone for another forest. I see also in Wireshark traces that DNS records are all resolved properly.
4. The forest trust is established using standard Microsoft Active Directory GUI tools, so I have not played with manual settings for krbtgt keys and principals.
---
I did a lot of research today and encountered some vague mentions that the Kerberos S4U2Self feature might be not working with one-way trusts because some referrals might be missing.
Anyone can confirm that?
So I decided to try to give it a try and to make the trust bidirectionnal and ... surprise ... SSO started working properly.
However, I need to keep a one-way trust because the resource forest is located at a service provider site and our company can't trust it.
So I am still looking for a Kerberos solution with one-way trust and very interested to know if F5 APM support it.
Do you know if it is possible?
May be I can define manually some principals or spn without setting a complete two-way trust?
Thank you for your help
- Kevin_StewartEast Coast, you may already know this, but for the larger audience, your suspicions were correct. Kerberos S4U does in fact require a two-way trust between domains/forests.
http://support.microsoft.com/?kbid=954739
http://msdn.microsoft.com/en-us/magazine/cc188757.aspx
Thanks to some internal F5 folks for finding these articles. I wasn't sure either.
That said, I see a potential alternative. Given that you're authenticating the user via form logon, you have the credentials (and I assume the domain) to perform an HTTP Basic or NTLM authentication to the web server. - East_Coast_1151Hi Kevin,
Thank you for the confirmation.
Given these constraints, now we are considering two options:
- NTLM
- Two-way trust with Selective Authentication
Regardless the two-way trust, the second option can be set up secure enough to block all authentication request coming from the "untrusted" domain but to still permit cross-forest features. I tested it with success.
I'm also wondering why F5 (an other concurrent devices) use only Kerberos delegation features and can't be configured as regular Windows domain computers, i.e. to take user's username/password and request TGT/TGS directly for the user account instead of its own device account.
Is this something that goes against Kerberos specs?
AN@East Coast: HOw you achieve SPN configuration across forest? I am running into issue where my 2 domains are part of same forest but services only reside on domain1 and I want to authenticate both domain1 and domain2 users. I am doing AAA authentication key tab file from doamin1 and it's working for both domain1 and domain2 users. But I am running into issue with SSO configuration I have two SSO one for domain1 and second for domain2. Domain1 SSO works fine but domain2 is running into issue. For Kerberos Authentication on F5, do we need to use both AAA Kerberos and SSO Kerberos? I am running into the issue for kerberos SSO to work with two domains part of same forest with two way trust. I can access server URL with kerberos and works fine for both domains
We have domain1 and domain2 inherited from Domainmain and have two way transitive trusts between forests.
Our APM policy as follows: 401->(negotiate)->Kerberos Auth-> SSO Credential Mapping-> Check incoming users domain-> if "@domain1" -> "WEBSSO::select /Common/SSO-domain1" -> domain1-variable-assigned (using split) -> allow if "@domain2" -> "WEBSSO::select /Common/SSO-domain2" -> domain2-variable-assigned (using split) -> allow
Since all services resides in domain1 we have service account mapped in domain1 to SPN HTTP/URL.com@domain1. We have user account also in domain2 that we are using in Domain2 SSO configuration with setspn to HTTP/URL.com@domain2
It works fine for domain1 user (both AAA kerberos and SSO). AAA Kerberos works fine for domain2 but fails at SSO. Found following in logs:
Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: user@domain2 server: HTTP/xyz.com@domain2 - trying to fetch Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: user@domain2 server: HTTP/xyz.com@domain2 Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0046:7: /frontend/Kerberos-AP:frontend:b49e4d37: adding item to WorkQueue Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/xyz.com@domain2 - KDC policy rejects request (-1765328372) Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0024:3: /frontend/Kerberos-AP:frontend:b49e4d37: Kerberos: Failed to get ticket for user user@domain2 Dec 12 15:21:47 uat-f5-ve err websso.0[10974]: 014d0048:3: /frontend/Kerberos-AP:frontend:b49e4d37: failure occurred when processing the work item Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: ctx: 0xa0e4630, SERVER: TMEVT_NOTIFY Dec 12 15:21:47 uat-f5-ve debug websso.0[10974]: 014d0001:7: ctx: 0xa0e4630, SERVER: TMEVT_RESPONSE
- Kevin_StewartGood call on the selective two-way trust.
As to your question, I can't speak authoritatively, but I'd make the following points:
1. This isn't a Kerberos spec issue, other than the requirement for two-way trusts when doing S4U.
2. F5's Access Policy Manager module functions as an authentication PROXY, by design. By this I'm specifically talking about a full proxy, where client side and server side authentication processes are essentially separate things (like TCP and SSL sessions). You actually do import a keytab file for client side authentication, but that again is separate from server side authentication.
3. Most importantly I think, APM operates at the application layer (mostly HTTP), so you're not really dealing with user principal names (user authentication) but rather service principal names (service requests).
