Forum Discussion
Multiple Login Attempts Required for Kerberos Constrained Delegation (KCD)
Has anyone run into an issue in which it took 2 or more authentication attempts to finally successfully log into an application using KCD? Below is an example of the use case I am referencing where it takes 3 authentication attempts before a successful login.
Attempt 1: Failed to get a forwardable ticket and SSO halts
Manually Delete Session in APM
Attempt 2: Failed to get forwardable ticket though has a cached ticket
Manually Delete Session in APM
Attempt 3: Has cached ticket and SSO works as expected.
Manually Delete Session and bigstart restart websso to reproduce from attempt 1
- Steve_Lyons (Ret. Employee)
Attempt 1 from APM Logs
[:uri][/mysite/Home/Login?id=100
Fetched new TGT, total active TGTs:1
S4U ======> - fetched S4U2Self ticket for user: user
S4U ======> trying to fetch S4U2Proxy ticket for user: user
Requesting ticket can't get forwardable tickets (-1765328163)
Halted SSO retry for request
Session deleted due to admin initiated termination.
Attempt 2 from APM Logs
[:uri][/mysite/Home/Login?id=100
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
[:uri][/mysite/Home/...
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
[:uri][/mysite/jquery
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
S4U ======> - NO cached S4U2Proxy ticket for user:
Requesting ticket can't get forwardable tickets (-1765328163)
S4U ======> - we have cached S4U2Proxy ticket for user:
failure occurred when processing the work item
S4U ======> OK!
Session deleted due to admin initiated termination.
Attempt 3 from APM Logs
[:uri][/mysite/Home/Login?id=100]
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
[:uri][/mysite/Home/...
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
[:uri][/mysite/jquery
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
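The three attempts above, triaged by script. This is an added example, not code from the original post or from F5: it groups websso log lines into per-request S4U outcomes, records whether each S4U2Proxy ticket came from the cache or from a fresh KDC round trip, and counts how many attempts it took before a login produced no failures. The message "Requesting ticket can't get forwardable tickets" is the text of MIT krb5's KRB5_TKT_NOT_FORWARDABLE, which the library returns when the S4U2Self ticket it just obtained is not forwardable; whether that is the cause here is not settled in the thread. The marker strings, the rule that a request starts at a `[:uri]` line, and the sample lines (constructed from the post, trimmed to the S4U messages) are assumptions, not an official log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

URI_RE = re.compile(r"\[:uri\]\[([^\]]*)")

# Marker strings taken from the websso messages quoted in the thread (assumed stable).
CACHE_HIT = "we have cached S4U2Proxy ticket"
CACHE_MISS = "NO cached S4U2Proxy ticket"
SELF_FETCHED = "fetched S4U2Self ticket"
PROXY_FETCH = "trying to fetch S4U2Proxy ticket"
NOT_FORWARDABLE = "can't get forwardable tickets"  # MIT krb5 KRB5_TKT_NOT_FORWARDABLE text
SUCCESS = "OK!"


@dataclass
class S4URequest:
    uri: Optional[str] = None
    source: str = "unknown"  # "cache" (reused S4U2Proxy ticket) or "kdc" (fresh S4U round trip)
    result: str = "pending"  # "ok" or "not_forwardable"


def parse_attempt(lines: List[str]) -> List[S4URequest]:
    """Group one login attempt's websso lines into per-request S4U outcomes.

    websso worker output can interleave, so this grouping is a heuristic: a new
    request starts at a [:uri] line, or at an S4U cache lookup / S4U2Self fetch
    that arrives after the previous request already has a verdict.
    """
    reqs: List[S4URequest] = []
    cur: Optional[S4URequest] = None
    for line in lines:
        m = URI_RE.search(line)
        if m:
            cur = S4URequest(uri=m.group(1))
            reqs.append(cur)
            continue
        lookup = any(k in line for k in (CACHE_HIT, CACHE_MISS, SELF_FETCHED))
        if lookup and (cur is None or cur.result != "pending"):
            cur = S4URequest(uri=cur.uri if cur else None)  # same URI, new S4U round
            reqs.append(cur)
        if cur is None:
            continue
        if CACHE_HIT in line:
            cur.source = "cache"
        elif CACHE_MISS in line or SELF_FETCHED in line or PROXY_FETCH in line:
            cur.source = "kdc"
        elif NOT_FORWARDABLE in line and cur.result == "pending":
            cur.result = "not_forwardable"
        elif SUCCESS in line and cur.result == "pending":
            cur.result = "ok"
    return reqs


def summarize(lines: List[str]) -> Dict[str, int]:
    """Counts per attempt: how many S4U rounds hit the cache, went to the KDC, succeeded, failed."""
    reqs = parse_attempt(lines)
    return {
        "requests": len(reqs),
        "from_cache": sum(r.source == "cache" for r in reqs),
        "from_kdc": sum(r.source == "kdc" for r in reqs),
        "ok": sum(r.result == "ok" for r in reqs),
        "not_forwardable": sum(r.result == "not_forwardable" for r in reqs),
    }


def attempts_until_clean(attempts: List[List[str]]) -> Optional[int]:
    """1-based index of the first attempt in which every S4U round succeeded, or None."""
    for i, lines in enumerate(attempts, 1):
        s = summarize(lines)
        if s["not_forwardable"] == 0 and s["ok"] == s["requests"]:
            return i
    return None


# Constructed sample data mirroring the three attempts quoted in the post.
def _cached_ok(uri: str) -> List[str]:
    return [f"[:uri][{uri}]", "S4U ======> - we have cached S4U2Proxy ticket for user: user", "S4U ======> OK!"]

LOGIN, HOME, JQUERY = "/mysite/Home/Login?id=100", "/mysite/Home/...", "/mysite/jquery"
ATTEMPT_1 = [
    f"[:uri][{LOGIN}]",
    "Fetched new TGT, total active TGTs:1",
    "S4U ======> - fetched S4U2Self ticket for user: user",
    "S4U ======> trying to fetch S4U2Proxy ticket for user: user",
    "Requesting ticket can't get forwardable tickets (-1765328163)",
    "Halted SSO retry for request",
]
ATTEMPT_2 = _cached_ok(LOGIN) + _cached_ok(HOME) + _cached_ok(JQUERY) + [
    "S4U ======> - NO cached S4U2Proxy ticket for user: user",
    "Requesting ticket can't get forwardable tickets (-1765328163)",
    "S4U ======> - we have cached S4U2Proxy ticket for user: user",
    "failure occurred when processing the work item",
    "S4U ======> OK!",
]
ATTEMPT_3 = _cached_ok(LOGIN) + _cached_ok(HOME) + _cached_ok(JQUERY)

if __name__ == "__main__":
    for n, att in enumerate((ATTEMPT_1, ATTEMPT_2, ATTEMPT_3), 1):
        print(f"attempt {n}: {summarize(att)}")
    print("first clean attempt:", attempts_until_clean([ATTEMPT_1, ATTEMPT_2, ATTEMPT_3]))
```

On the sample above the script reports that the only S4U rounds which fail are the ones that go to the KDC, while every round served from the cached S4U2Proxy ticket succeeds, and that the third attempt is the first with no failure. Run it against `/var/log/apm` output from a real session (after stripping the timestamp and process prefix) to check whether the same split holds before looking at the KDC side.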
- Stanislas_Piro2 (Cumulonimbus)
Is it a multi-domain or single-domain forest?
Did you configure the KDC, or did you leave the field blank?
If you left it blank, is the BIG-IP allowed to contact all KDC servers?
- Steve_Lyons (Ret. Employee)
Single domain forest with KDC defined. A tcpdump was taken from the BIG-IP and a Wireshark capture from the KDC.
KRB5KDC_ERR_PREAUTH_REQUIRED, KRB5KRB_ERR_RESPONSE_TOO_BIG, AS-REQ, AS-REP, TGS-REQ, TGS-REP, pa-data: pa-s4u-X509-user, padata-type: kRB5-PADATA-FOR-X509-USER (130)
The padata is the one thing that does not seem to always be consistent but I have no idea if that is an issue or not. My expectation would be that each TGS-REP from the KDC would be identical as it is for the same exact user/principal/service. I see some responses with padata and others without.
- Steve_Lyons (Ret. Employee)
Delegation Info in AD.
- Steve_Lyons (Ret. Employee)
I am going to take a capture of a successful authentication and look to see if the TGS-REP differs for s4u2user and s4u2proxy. Could be what I am seeing.
- Stanislas_Piro2 (Cumulonimbus)
Can you check that the BIG-IP clock is synchronized with AD?