Forum Discussion

Raghbir_Sandhu's avatar
Raghbir_Sandhu
Icon for Altocumulus rankAltocumulus
Apr 01, 2021

Kerberos ticket not working

Kerberos ticket is not processed fully. My web application does not show in browser. It is just waiting. The APM Debug logs looks like this. Any suggestion or recommendation. I don't see any error.

 

01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

 

2021-04-01 16:20:57

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:20:57

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

 

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

 

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

 

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

2021-04-01 16:27:09

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

 

2021-04-01 16:27:09

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

 

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

 

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 server address = ::ffff:10.19.89.79

 

2021-04-01 16:33:20

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x9619110 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:33:20

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x9619110, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

 

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

 

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

 

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79

2021-04-01 16:39:31

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

 

2021-04-01 16:39:31

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

 

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: Websso Kerberos authentication for user 'usertest1' using config '/Common/KConnect-sso-kerberos'

 

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: adding item to WorkQueue

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 server address = ::ffff:10.19.89.79

 

2021-04-01 16:45:44

/Common/demo.abc.com_access_process:Common:6a686a68: ctx:0x987ee48 SPN = HTTP/demo.sap.abc.com@US.ABC.COM

2021-04-01 16:45:44

S4U ======> /Common/demo.abc.com_access_process:Common:6a686a68: ctx: 0x987ee48, user: usertest1@US.ABC.COM, SPN: HTTP/demo.sap.abc.com@US.ABC.COM

 

2021-04-01 16:51:59

/Common/demo.abc.com_access_process:Common:6a686a68: metadata len 408

2021-04-01 16:52:00

/Common/demo.abc.com_access_process:Common:6a686a68: Found HTTP 401 response for SSO configuration '/Common/KConnect-sso-kerberos' type:'kerberos'

 

 

 

  • It appears you are trying to achieve the server side Kerberos SSO. From the error it appears DC is responding back with 401 response. Please check if you have correctly followed all the steps as per below

     

    https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos

     

    • create new service account
    • set SPN and set it's properties
    • reverse DNS
    • create Kerberos SSO profile using service account credentials
    • Setup VPE policy using SSO credentials mapping.

     

    If you are still getting error analyse the wireshark capture and APM logs again. Try to get help from your active directory team also to troublesoot