kerberos

Question

We are trying to setup Kerberos SSO and getting the following errors (see logs below).  
&nbsp;
Currently we pull a username from a SAML Auth and that part works.  We use a variable assign in the Access Profile to assign it to session.logon.last.username and that works fine.  We also used a variable assign to assign session.ad.last.actualdomain = text DOMAIN.COM.  We then created a Kerberos SSO Config per the screenshot. We have tried several variations such as putting in the IP of the KDC and specifying the SPN pattern. We can connect with the service account with both adtest and kinit:&nbsp;
adtest -t auth -r "DOMAIN.COM" -u srv-ssrs -w XXXXXXXXXXXXXXXXXXX
Test done: total tests: 1, success=1, failure=0&nbsp;
[ttaylor@dc-f5-apmp02:Active:Changes Pending] log  kinit HTTP/host.fqdn.com@DOMAIN.COM
Password for HTTP/host.fqdn.com@DOMAIN.COM:
[ttaylor@dc-f5-apmp02:Active:Changes Pending] log  klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/host.fqdn.com@DOMAIN.COM&nbsp;
Valid starting     Expires            Service principal
02/06/19 12:22:23  02/06/19 22:22:53  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/07/19 12:22:23&nbsp;
&nbsp;
My thought is that there is a problem with the AD/Kerberos setup side of things. Any ideas on what we could look for?  
&nbsp;
Any help is appreciated. &nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ssoMethod: kerberos usernameSource: session.sso.token.last.username userRealmSource: session.ad.last.actualdomain Realm: DOMAIN.COM KDC:  AccountName: HTTP/srv-ssrs spnPatterh: HTTP/%s@DOMAIN.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_REQUEST&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_REQUEST_DONE&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1940, SERVER: TMEVT_REQUEST&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 info websso.0[22715]: 014d0011:6: /Common/okta-ssrs-ap:Common:a0eacb61: Websso Kerberos authentication for user 'taytro' using config '/Common/ssrs-kerberos-sso'&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0046:7: /Common/okta-ssrs-ap:Common:a0eacb61: adding item to WorkQueue&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0018:7: /Common/okta-ssrs-ap:Common:a0eacb61: ctx:0x8bc1618 server address = ::ffff:172.17.32.84&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0021:7: /Common/okta-ssrs-ap:Common:a0eacb61: ctx:0x8bc1618 SPN = HTTP/per-edaprs01@DOMAIN.COM&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0023:7: S4U ======&gt; /Common/okta-ssrs-ap:Common:a0eacb61: ctx: 0x8bc1618, user: taytro@DOMAIN.COM, SPN: HTTP/per-edaprs01@DOMAIN.COM&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: Getting UCC:taytro@DOMAIN.COM@DOMAIN.COM, lifetime:36000&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: Found UCC:taytro@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:31779&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: UCCmap.size = 2&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======&gt; - NO cached S4U2Proxy ticket for user: taytro@DOMAIN.COM server: HTTP/per-edaprs01@DOMAIN.COM - trying to fetch&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======&gt; - NO cached S4U2Self ticket for user: taytro@DOMAIN.COM - trying to fetch&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user taytro@DOMAIN.COM - Matching credential not found (-1765328243)&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0024:3: /Common/okta-ssrs-ap:Common:a0eacb61: Kerberos: Failed to get ticket for user taytro@DOMAIN.COM&nbsp;
Feb  6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0048:3: /Common/okta-ssrs-ap:Common:a0eacb61: failure occurred when processing the workitem&nbsp;

dromerot · Answer

Hi Troyt,&nbsp;I have exactly the same problem. I have this error:&nbsp;Feb 10 11:16:24 F5 err websso.1[28958]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user user@DOMAIN.LOCAL - Matching credential not found (-1765328243)&nbsp;Do you know how to fix this issue?&nbsp;Thanks, best regards.

Forum Discussion

kerberos

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Need Urgent BIGIP Trial License and VM Image

APM for banner and cert

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

Transparent Kerberos Authentication and APM fallback authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS