Kerberos ticket not working

Question

Kerberos ticket is not processed fully. My web application does not show in browser. It is just waiting. The APM Debug logs looks like this. Any suggestion or recommendation. I don't see any error.

01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

2021-04-01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:20:57

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:27:09

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:33:20

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:39:31

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:45:44

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:51:59

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:52:00

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

spalande · Answer

It appears you are trying to achieve the server side Kerberos SSO. From the error it appears DC is responding back with 401 response. Please check if you have correctly followed all the steps as per below

https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos

create new service account
set SPN and set it's properties
reverse DNS
create Kerberos SSO profile using service account credentials
Setup VPE policy using SSO credentials mapping.

If you are still getting error analyse the wireshark capture and APM logs again. Try to get help from your active directory team also to troublesoot

Forum Discussion

Kerberos ticket not working

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

APM - show Kerberos Tickets

Extract Citrix Secure Ticket Authority (STA)

I want the APM to do Kerberos Authentication then pass the Kerberos ticket over to another System.

Kerberos is Easy - Part 2

BIG-IP Next Automation: Working with the AS3 API endpoints

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS