Forum Discussion
Kerberos ticket not working
Kerberos ticket is not processed fully. My web application does not show in browser. It is just waiting. The APM Debug logs looks like this. Any suggestion or recommendation. I don't see any error.
01 16:20:57
/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue
2021-04-01 16:20:57
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79
2021-04-01 16:20:57
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:20:57
S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79
2021-04-01 16:27:09
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:27:09
S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79
2021-04-01 16:33:20
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:33:20
S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79
2021-04-01 16:39:31
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:39:31
S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79
2021-04-01 16:45:44
/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:45:44
S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM
2021-04-01 16:51:59
/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408
2021-04-01 16:52:00
/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'
- spalandeNacreous
It appears you are trying to achieve the server side Kerberos SSO. From the error it appears DC is responding back with 401 response. Please check if you have correctly followed all the steps as per below
https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos
- create new service account
- set SPN and set it's properties
- reverse DNS
- create Kerberos SSO profile using service account credentials
- Setup VPE policy using SSO credentials mapping.
If you are still getting error analyse the wireshark capture and APM logs again. Try to get help from your active directory team also to troublesoot
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com