Forum Discussion
pushkar_misra_2
Altocumulus
AltocumulusKerberose can't get get user ticket, KDC not seeing any traffic from APM
Kerberose can't get get user ticket.
We are getting the error Kerberos cant get user ticket, client not found in database.
We are using constrained delgation
1. Where we have a service acco...
Stanislas_Piro2
Cumulonimbus
CumulonimbusHi,
To create a Kerberos SSO, I use the following commands:
Powershell commands on AD
New-ADUser -Name "APM Delegation Account" -UserPrincipalName svc_f5_krb@demo.local -SamAccountName "svc_f5_krb" -PasswordNeverExpires $true -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Add SPN attribute to account (same as setspn command)
Set-AdUser -Identity svc_f5_krb -ServicePrincipalNames @{Add="host/svc_f5_krb.demo.local"}
Assign the delegation right to the site app1.demo.local
Get-AdUser -Identity svc_f5_krb | Set-ADObject -Add @{"msDS-AllowedToDelegateTo"="http/app1.demo.local"}
Change delegation right to mode : Trust this user for delegation to specific service only / Use any authentication Protocol
Set-ADAccountControl -Identity svc_f5_krb -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_f5_krb -TrustedToAuthForDelegation $true
BigIP tmsh commands
SPN discovered by reverse DNS lookup of pool member IP
create apm sso kerberos SSO_KRB_machine { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
Or
SPN is request Host header value
create apm sso kerberos SSO_KRB_AppPool { account-name svc_f5_krb account-password P@ssw0rd kdc 192.168.1.250 realm DEMO.LOCAL spn-pattern HTTP/%h user-realm-source session.krbsso.last.domain username-source session.krbsso.last.username }
If kerberos is configured in multi domain forest, username format must be host/svc_f5_krb.demo.local
