Multiple Windows Authentication Prompts after F5 Authentication
@Kevin: I've tested to make sure that the SSO profile should work by creating a basic VIP with a basic access policy that uses it (not portal access policy though) and it's working fine. If I turn the SSO log level to Debug I can see where the Kerberos SSO profile is selected, and all the other pertinent logs are there:
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 8 14:21:58 xxxxx info websso.1[99999]: 99999999:9: 129e9c1a: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE'
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: sid:129e9c1a ctx:0x5a8c1120 SPN = HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> ctx: 129e9c1a, sid: 0x5a8c1120, user: user_name@EXAMPLE.COM, SPN: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: Getting UCC:user_name@EXAMPLE.COM@EXAMPLE.COM, lifetime:36000
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: Found UCC:user_name@EXAMPLE.COM@EXAMPLE.COM, lifetime:36000 left:30505
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> - we have cached S4U2Proxy ticket for user: user_name@EXAMPLE.COM server: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> OK!
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI: Server: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM, User: user_name@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI Init_sec_context returned code 0
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI token of length 2834 bytes will be sent back
However, when I try to hit the site through the other access policy (portal access with url rewriting), the only related log entries are:
Feb 8 14:21:26 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 8 14:21:26 xxxxx info websso.1[99999]: 99999999:9: d35aac43: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE'
One of the only differences here I guess would be that on the test VIP it's defaulting to the kerberos sso profile and the VIP is using the ssrs pool to send traffic. On the portal access VIP (that's failing), it's using a hostname (f5-w-xyz$$) for a VIP that uses that same pool. Not sure if that makes a difference.
To answer your questions though:
- I don't have an SPN pattern defined, so it's just using the default.
- The target VIP that's load balancing the multiple servers has an associated hostname (which I'm allowing the delegation account access to)
- That hostname does resolve in DNS to the F5 VIP.
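The two log excerpts in the post differ in one concrete way: the working session (129e9c1a) goes on to log an "SPN = …" line, the S4U steps, and a GSSAPI token length, while the portal access session (d35aac43) stops right after the "Websso Kerberos authentication for user …" line. The script below is an added example, not code from the poster or from F5, that parses websso debug lines of that shape and flags sessions that were selected for Kerberos SSO but never reached the SPN/S4U/token stage. The sample log is constructed to mirror the quoted lines (same layout, same anonymised values). Two assumptions are labelled in the code: the debug lines that carry no session id ("S4U ======> OK!", "GSSAPI token of length …") are attributed to the most recently started attempt on the same websso worker, and the `%s` in the profile's SPN pattern expands to the requested hostname, which is what the post's own lines show (pattern `HTTP/%s@EXAMPLE.COM`, resulting SPN `HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM`).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log, modelled on the websso lines quoted in the post
# (same layout, anonymised values); this is not a real capture.
SAMPLE_LOG = """\
Feb 8 14:21:26 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 8 14:21:26 xxxxx info websso.1[99999]: 99999999:9: d35aac43: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE'
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 8 14:21:58 xxxxx info websso.1[99999]: 99999999:9: 129e9c1a: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE'
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: sid:129e9c1a ctx:0x5a8c1120 SPN = HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> - we have cached S4U2Proxy ticket for user: user_name@EXAMPLE.COM server: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> OK!
Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI token of length 2834 bytes will be sent back
"""

# One syslog line: timestamp, host, level, websso worker, a tmm context id, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<level>\w+) "
    r"(?P<proc>websso\.\d+\[\d+\]): \S+ (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<sid>[0-9a-f]{8}): Websso Kerberos authentication for user "
    r"'(?P<user>[^']+)' using config '(?P<config>[^']+)'"
)
# The quoted profile dump spells the key "spnPatterh"; accept that and "spnPattern".
PATTERN_RE = re.compile(r"spnPatter[nh]: (?P<pattern>\S+)")
SPN_RE = re.compile(r"^sid:(?P<sid>[0-9a-f]{8}) ctx:\S+ SPN = (?P<spn>\S+)")
TOKEN_RE = re.compile(r"GSSAPI token of length (?P<n>\d+) bytes")


@dataclass
class SsoAttempt:
    sid: str
    ts: str
    user: str
    config: str
    spn_pattern: Optional[str] = None  # from the preceding ssoMethod dump
    spn: Optional[str] = None          # from the "SPN = ..." line
    s4u_ok: bool = False               # saw "S4U ======> OK!"
    token_bytes: Optional[int] = None  # GSSAPI token actually sent back

    def stalled(self) -> bool:
        """Profile was selected but no SPN was built / no token was sent."""
        return self.spn is None or not self.s4u_ok or self.token_bytes is None


def derive_spn(pattern: str, host: str) -> str:
    """Expand the profile's SPN pattern for the requested hostname.

    Assumption: %s is the hostname placeholder, as the post's lines show
    (HTTP/%s@EXAMPLE.COM -> HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM).
    """
    return pattern.replace("%s", host)


def parse_websso(lines: Iterable[str]) -> Dict[str, SsoAttempt]:
    """Group websso log lines into per-session attempts keyed by session id."""
    attempts: Dict[str, SsoAttempt] = {}
    pending_pattern: Dict[str, Optional[str]] = {}  # per websso worker
    current: Dict[str, SsoAttempt] = {}             # last attempt started per worker
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m.group("proc"), m.group("msg")
        if msg.startswith("ssoMethod:"):
            pm = PATTERN_RE.search(msg)
            pending_pattern[proc] = pm.group("pattern") if pm else None
            continue
        am = AUTH_RE.match(msg)
        if am:
            a = SsoAttempt(sid=am.group("sid"), ts=m.group("ts"), user=am.group("user"),
                           config=am.group("config"), spn_pattern=pending_pattern.get(proc))
            attempts[a.sid] = a
            current[proc] = a
            continue
        sm = SPN_RE.match(msg)
        if sm:
            a = attempts.get(sm.group("sid")) or current.get(proc)
            if a is not None:
                a.spn = sm.group("spn")
            continue
        # Assumption: id-less debug lines belong to the latest attempt on this worker.
        a = current.get(proc)
        if a is None:
            continue
        if msg.startswith("S4U ======> OK!"):
            a.s4u_ok = True
        else:
            tm = TOKEN_RE.search(msg)
            if tm:
                a.token_bytes = int(tm.group("n"))
    return attempts


def find_stalled(attempts: Dict[str, SsoAttempt]) -> List[str]:
    """Session ids that selected Kerberos SSO but never produced a GSSAPI token."""
    return [sid for sid, a in attempts.items() if a.stalled()]


if __name__ == "__main__":
    parsed = parse_websso(SAMPLE_LOG.splitlines())
    for sid in find_stalled(parsed):
        a = parsed[sid]
        print(f"{a.ts} sid={sid} user={a.user} config={a.config} "
              f"pattern={a.spn_pattern} spn={a.spn}: stalled before SPN/S4U")
```

Run against a `/var/log/apm` excerpt with the SSO log level at Debug, a session that appears in the output with `spn=None` is in the same state as d35aac43 above: the profile was chosen, but websso never logged the SPN it built, so the hostname being fed into the pattern for that virtual server is the first thing to check.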