Forum Discussion
Kerberos can't get user ticket, KDC not seeing any traffic from APM
We are getting the error "Kerberos can't get user ticket, client not found in database".
We are using constrained delegation:
1. We have a service account named HOST/
2. We are delegating the SPN HTTP/poc.abc.com on it. Constrained delegation is added.
3. We are using the account name HOST/test.abc.com@ABC.COM in the SSO profile.
4. Realm ABC.COM
The KDC field is blank; the KDC and realm are specified statically in the KRB5.CONF file.
While checking, we are not even seeing hits on the mentioned KDC from the F5 for the Kerberos ticket.
But when I do a general check for the account test.abc.com using kinit, I get the Kerberos ticket for this account: kinit test.abc.com@ABC.COM
Is anyone aware how we can test whether the APM is actually sending the Kerberos request out, and to which KDC (we have 5 KDCs configured)?
8 Replies
Can you post the part of the APM logging where the Kerberos error occurs here (with SSO on debug)?
Cheers,
Kees
- kunjan_118660
Cumulonimbus
I think it's a problem with the delegation account. If kinit test.abc.com@ABC.COM works, you should use the same user ID test.abc.com@ABC.COM for the SSO config, not with 'HOST/', unless you create the account as 'HOST/'.
The account name should be without HOST/.
Cheers,
Kees
- kunjan
Nimbostratus
- Stanislas_Piro2
Cumulonimbus
Hi,
To create a Kerberos SSO, I use the following commands:
PowerShell commands on AD:
    # Create the delegation account
    New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
    # Add SPN attribute to account (same as setspn command)
    Set-ADUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
    # Assign the delegation right to the site app1.demo.local
    Get-ADUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
    # Change delegation right to mode: Trust this user for delegation to specific service only / Use any authentication protocol
    Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
    Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
BIG-IP tmsh commands:
    # SPN discovered by reverse DNS lookup of pool member IP
    create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
Or
    # SPN is the request Host header value
    create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
If Kerberos is configured in a multi-domain forest, the username format must be host/svc_f5_krb.demo.local
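The commands above set three things that have to agree with the APM SSO profile: the account's own name (what goes in account-name), the SPN APM will request on the user's behalf (spn-pattern or reverse DNS of the pool member) versus msDS-AllowedToDelegateTo, and the userAccountControl delegation bits. The following is an added example, not code from the thread or from F5, that encodes those three checks as a small linter over the account attributes and the profile settings. The dictionaries, the request host, the reverse-DNS name and the exact wording of the findings are constructed for illustration; the userAccountControl bit values are the documented MS-ADTS flags.

```python
from typing import Dict, List

# userAccountControl flag bits (MS-ADTS). The AD UI setting "Trust this user for
# delegation to specified services only / Use any authentication protocol" is
# TRUSTED_TO_AUTH_FOR_DELEGATION set with TRUSTED_FOR_DELEGATION clear, which is
# what the two Set-ADAccountControl lines in the reply above produce.
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition (S4U2Self)


def expected_spn(sso: Dict[str, str], request_host: str, pool_member_ptr: str) -> str:
    """SPN APM asks the KDC for on the user's behalf: spn-pattern with %h replaced
    by the request Host header, otherwise HTTP/<reverse-DNS name of the pool member>.
    (Simplified model of the profile behaviour described in the reply; assumption.)"""
    pattern = sso.get("spn-pattern")
    if pattern:
        return pattern.replace("%h", request_host)
    return "HTTP/" + pool_member_ptr


def check_delegation(account: Dict, sso: Dict[str, str],
                     request_host: str, pool_member_ptr: str) -> List[str]:
    """Return human-readable findings; an empty list means AD and APM agree."""
    findings: List[str] = []

    # 1. account-name must be a name the KDC resolves to this account: its
    #    sAMAccountName, its UPN prefix, or a host/ SPN registered on it.
    name = sso["account-name"].split("@", 1)[0].lower()
    resolvable = {account["sAMAccountName"].lower(),
                  account["userPrincipalName"].split("@", 1)[0].lower()}
    resolvable |= {s.lower() for s in account["servicePrincipalName"]
                   if s.lower().startswith("host/")}
    if name not in resolvable:
        findings.append(f"account-name {sso['account-name']!r} is not the account's "
                        "sAMAccountName, UPN or a registered host/ SPN (this is the "
                        "'client not found in Kerberos database' symptom)")

    # 2. The SPN requested via S4U2Proxy must be listed in msDS-AllowedToDelegateTo
    #    (compared case-insensitively, as the http/ vs HTTP/ mix in the reply relies on).
    spn = expected_spn(sso, request_host, pool_member_ptr)
    allowed = {s.lower() for s in account["msDS-AllowedToDelegateTo"]}
    if spn.lower() not in allowed:
        findings.append(f"APM will request {spn} but msDS-AllowedToDelegateTo only "
                        f"lists {sorted(account['msDS-AllowedToDelegateTo'])}")

    # 3. Protocol transition must be on: APM only has the user's name, not a TGT.
    uac = account["userAccountControl"]
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("TrustedToAuthForDelegation is not set (no protocol transition)")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("TrustedForDelegation is set: unconstrained, not constrained, delegation")
    return findings


# Constructed sample data modelled on the reply above (not read from a directory).
GOOD_ACCOUNT = {
    "sAMAccountName": "svc_f5_krb",
    "userPrincipalName": "svc_f5_krb@demo.local",
    "servicePrincipalName": ["host/svc_f5_krb.demo.local"],
    "msDS-AllowedToDelegateTo": ["http/app1.demo.local"],
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | protocol transition
    "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
}
GOOD_SSO = {"account-name": "svc_f5_krb", "realm": "DEMO.LOCAL", "spn-pattern": "HTTP/%h"}

# Constructed to mirror the original question: the profile names the account as
# HOST/<name>@REALM although only test.abc.com is resolvable in the directory.
BAD_ACCOUNT = {
    "sAMAccountName": "test.abc.com",
    "userPrincipalName": "test.abc.com@abc.com",
    "servicePrincipalName": [],
    "msDS-AllowedToDelegateTo": ["HTTP/poc.abc.com"],
    "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
}
BAD_SSO = {"account-name": "HOST/test.abc.com@ABC.COM", "realm": "ABC.COM"}

if __name__ == "__main__":
    print("good:", check_delegation(GOOD_ACCOUNT, GOOD_SSO, "app1.demo.local", "app1.demo.local") or "ok")
    print("bad: ", check_delegation(BAD_ACCOUNT, BAD_SSO, "poc.abc.com", "poc.abc.com") or "ok")
```

In practice the account dictionary would be filled from Get-ADUser with -Properties servicePrincipalName,msDS-AllowedToDelegateTo,userAccountControl and the sso dictionary from the profile shown by tmsh; the point of the linter is that all three mismatches it reports produce KDC errors that look alike from the APM side until you read the KRB-ERROR itself.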
- pushkar_misra_2
Altocumulus
Sorry, I missed updating the solution. I did a capture on port 88 to review the Kerberos packets, which gave me the exact KDC and the error as "Principal name unknown". It turned out that the service account needed to be in the WAA and PreWin2k groups to avoid the error.
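The capture on port 88 answers both questions from the original post at once: the source address of the KDC's reply tells you which of the configured KDCs actually answered, and the KRB-ERROR payload carries the numeric error code that APM's log summarises as "client not found in database" or "principal name unknown". The following is an added example, not code from the thread or from F5, that decodes a KRB-ERROR message (RFC 4120 section 5.9.1) from the raw bytes of that reply. It assumes you have already written the capture (for instance with tcpdump on the BIG-IP filtering on port 88) and extracted the UDP payload, or the TCP stream bytes including the 4-byte length prefix, of the KDC's answer; the sample message is constructed inline to stand in for that payload, and the e-text field in it is invented for illustration.

```python
import struct
from typing import Any, Dict, List, Tuple

# RFC 4120 section 7.5.9 error codes most often seen while debugging SSO.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KRB_ERR_WRONG_REALM",
}
APP_KRB_ERROR = 0x7E  # [APPLICATION 30] constructed: 0x40 | 0x20 | 30


# ---- minimal DER reader ---------------------------------------------------
def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (raw tag byte, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def principal_name(seq_value: bytes) -> str:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    parts = {tag & 0x1F: der_children(v)[0][1] for tag, v in der_children(seq_value)}
    return "/".join(s.decode() for _, s in der_children(parts[1]))


def parse_krb_error(msg: bytes, tcp: bool = False) -> Dict[str, Any]:
    """Decode a KRB-ERROR. Over TCP the message is preceded by a 4-byte big-endian length."""
    if tcp:
        (n,) = struct.unpack("!I", msg[:4])
        msg = msg[4:4 + n]
    tag, body, _ = der_read(msg)
    if tag != APP_KRB_ERROR:
        raise ValueError("not a KRB-ERROR (tag 0x%02x)" % tag)
    _, seq, _ = der_read(body)
    # context tag number -> (inner tag, inner value) for each present field
    fields = {tag & 0x1F: der_children(v)[0] for tag, v in der_children(seq)}
    code = int.from_bytes(fields[6][1], "big", signed=True)
    info: Dict[str, Any] = {
        "msg_type": int.from_bytes(fields[1][1], "big", signed=True),
        "error_code": code,
        "error_name": KRB_ERRORS.get(code, "unknown"),
        "realm": fields[9][1].decode(),
        "sname": principal_name(fields[10][1]),
    }
    if 8 in fields:                        # cname is OPTIONAL but AD usually echoes it
        info["cname"] = principal_name(fields[8][1])
    if 11 in fields:                       # e-text is OPTIONAL
        info["e_text"] = fields[11][1].decode()
    return info


# ---- minimal DER writer, only used to build the constructed sample --------
def der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ctx(n: int, inner: bytes) -> bytes:   # [n] EXPLICIT context-specific tag
    return der(0xA0 | n, inner)


def kstring(s: str) -> bytes:             # KerberosString is a GeneralString
    return der(0x1B, s.encode())


def principal(names: List[str], name_type: int) -> bytes:
    return der(0x30, ctx(0, der(0x02, bytes([name_type])))
               + ctx(1, der(0x30, b"".join(kstring(n) for n in names))))


def sample_krb_error(tcp: bool = False) -> bytes:
    """Constructed sample: a KDC rejecting an AS-REQ whose client name it cannot
    find, i.e. the 'client not found in Kerberos database' case from the question."""
    body = (ctx(0, der(0x02, b"\x05"))                          # pvno 5
            + ctx(1, der(0x02, b"\x1e"))                        # msg-type 30 = KRB-ERROR
            + ctx(4, der(0x18, b"20240101120000Z"))             # stime (GeneralizedTime)
            + ctx(5, der(0x02, b"\x00"))                        # susec
            + ctx(6, der(0x02, b"\x06"))                        # error-code 6
            + ctx(8, principal(["HOST", "test.abc.com"], 1))    # cname as the client sent it
            + ctx(9, kstring("ABC.COM"))                        # realm
            + ctx(10, principal(["krbtgt", "ABC.COM"], 2))      # sname of the AS-REQ
            + ctx(11, kstring("CLIENT_NOT_FOUND")))             # e-text (invented)
    msg = der(APP_KRB_ERROR, der(0x30, body))
    return struct.pack("!I", len(msg)) + msg if tcp else msg


if __name__ == "__main__":
    print(parse_krb_error(sample_krb_error()))
```

Error code 6 (client principal unknown) is what the original question's log line maps to, while code 7 (service principal unknown) is what you see when the delegation target SPN is missing or wrong; seeing which one the KDC returned, and from which address, is exactly what the port-88 capture adds over the APM log.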
- ivanbermejocham
Nimbostratus
You saved my life.... I was getting the same error and the solution was the same. There should be some info about this in APM Cookbook.