I am not the principle engineer on this issue, nor an F5 expert. I am part of a project that uses F5 and doing a little research to see if I can find help for an issue we are having. The desired scenario as I understand it is as follows: We send by email a SQL Server Reporting Services (SSrS) report to a recipient.In the email message body are hyperlinks that when clicked are supposed to route the user through our F5 onto the SSrS report manager, where a report is then run and displayed.The user clicks the hyperlink in the email and is prompted by F5 for their domain credentials.F5 routes them to the SSrS report manager site where the selected report is run and displayed.The report that is displayed also has within it hyperlinks that open another report on the SSrS report manager.The user clicks on one of these hyperlinks and the third report runs and displays. Here is the problem we are having: When the SSrS report manager was running on a single server, the user was prompted once by F5, routed to the report on the report manager, and the report ran and displayed. If the use clicked on a hyperlink in this second report, the third report ran and displayed. The user was only prompted for authentication credentials once (by F5) in this process.When the SSrS report manager is load-balanced on two servers, the user gets prompted for credentials by F5, then by Windows. If the user is on a domain-joined computer in the network, then he receives no further prompts as he moves from the second report to the third report. However, if the user is on a non-domain computer outside our network, when he clicks on a hyperlink in the second report, he is prompted again for Windows credentials (a variable number of times from once to five times or more). Sometimes the third report will come up if we cancel the authentication dialogue, other times not. Can anyone suggest what might be causing this phenomenon and what we might do to fix it? Thanks for any help.

the important thing to understand is where the subsequent authentication prompts are coming from. Assuming domain-joined clients are silently passing in an NTLM token (or even Kerberos ticket), then it would make sense that the application server is prompting for these credentials. Are you using APM? And if so, are you performing any SSO functions to the application server(s)?

APM Kerberos SSO will only intercept the 401 if you have the Send Authorization setting in the Kerberos SSO profile set to "On 401 Status Code". The "Always" option will send a preemptive Kerberos ticket. In either case, SSO must know how to retrieve a ticket to a give service, which is where I believe the problem lies. Before digging into the ugly details, let's establish that a service must be associated with a declared by a unique** service principal name (SPN), that SSO must be able to derive/find this SPN, and that the AD delegation account be able to delegate to that SPN. So in your SSO, Do you have a SPN pattern defined?Does the target service have a defined and unique SPN?Does the hostname in that SPN reverse resolve in AD DNS?

@Kevin: I've tested to make sure that the SSO profile should work by creating a basic VIP with a basic access policy that uses it (not portal access policy though) and it's working fine. If I turn the SSO log level to Debug I can see where the Kerberos SSO profile is selected, and all the other pertinent logs are there: Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0 Feb 8 14:21:58 xxxxx info websso.1[99999]: 99999999:9: 129e9c1a: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE' Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: sid:129e9c1a ctx:0x5a8c1120 SPN = HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> ctx: 129e9c1a, sid: 0x5a8c1120, user: user_name@EXAMPLE.COM, SPN: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: Getting UCC:user_name@EXAMPLE.COM@EXAMPLE.COM, lifetime:36000 Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: Found UCC:user_name@EXAMPLE.COM@EXAMPLE.COM, lifetime:36000 left:30505 Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> - we have cached S4U2Proxy ticket for user: user_name@EXAMPLE.COM server: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> OK! Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI: Server: HTTP/server_name.EXAMPLE.COM@EXAMPLE.COM, User: user_name@EXAMPLE.COM Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI Init_sec_context returned code 0 Feb 8 14:21:58 xxxxx debug websso.1[99999]: 99999999:9: GSSAPI token of length 2834 bytes will be sent backHowever, when I try to hit the site through the other access policy (portal access with url rewriting), the only related log entries are: Feb 8 14:21:26 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0 Feb 8 14:21:26 xxxxx info websso.1[99999]: 99999999:9: d35aac43: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE'One of the only differences here I guess would be that on the test VIP it's defaulting to the kerberos sso profile and the VIP is using the ssrs pool to send traffic. On the portal access VIP (that's failing), it's using a hostname (f5-w-xyz$$) for a VIP that uses that same pool. Not sure if that makes a difference. To answer you questions though: I don't have an SPN pattern defined, so it's just using the default.The target VIP that's load balancing the multiple servers has an associated hostname (which I'm allowing the delegation account access to)That hostname does resolve in DNS to the F5 VIP.

I did add the hostname to the F5 hosts file so it could do a reverse lookup to the F5 VIP. Then I began getting a little further... Feb 8 15:40:05 xxxxx debug websso.1[99999]: 99999999:9: different sso config object received, name: /Common/KERBEROS_SSO_PROFILE, method: 5 Feb 8 15:40:05 xxxxx debug websso.1[99999]: 99999999:9: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.ad.last.actualdomain Realm: EXAMPLE.COM KDC: AccountName: host/kerberos_test_user.EXAMPLE.COM@EXAMPLE.COM spnPatterh: HTTP/%s@EXAMPLE.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 1 Feb 8 15:40:05 xxxxx info websso.1[99999]: 014d0014:6: 5634e025: Found HTTP 401 response for SSO configuration '/Common/KERBEROS_SSO_PROFILE' type:'kerberos' Feb 8 15:40:05 xxxxx info websso.1[99999]: 014d0011:6: 5634e025: Websso Kerberos authentication for user 'user_name' using config '/Common/KERBEROS_SSO_PROFILE' Feb 8 15:40:05 xxxxx debug websso.1[99999]: 014d0023:7: S4U ======> ctx: 5634e025, sid: 0x5a8472b0, user: user_name@EXAMPLE.COM, SPN: HTTP/ssrs.domain.com@EXAMPLE.COM Feb 8 15:40:05 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> - NO cached S4U2Proxy ticket for user: user_name@EXAMPLE.COM server: HTTP/ssrs.domain.com@EXAMPLE.COM - trying to fetch Feb 8 15:40:05 xxxxx debug websso.1[99999]: 99999999:9: S4U ======> trying to fetch S4U2Proxy ticket for user: user_name@EXAMPLE.COM server: HTTP/ssrs.domain.com@EXAMPLE.COM But after this, I don't see anything else relating kerberos.

It's very likely then that the SSO is unable to derive the correct SPN for the target service. One option would be to create a separate VIP+SSO+access policy per portal site and then point the portal config at these VIPs. That way you can specifically define SPNs per application using a SPN pattern. But then a DNS PTR record may also solve the problem. ;)

Forum Discussion

Doug_Pruiett_24

Nimbostratus

Feb 08, 2016

Multiple Windows Authentication Prompts after F5 Authentication

I am not the principle engineer on this issue, nor an F5 expert. I am part of a project that uses F5 and doing a little research to see if I can find help for an issue we are having.

The desired scenario as I understand it is as follows:

We send by email a SQL Server Reporting Services (SSrS) report to a recipient.
In the email message body are hyperlinks that when clicked are supposed to route the user through our F5 onto the SSrS report manager, where a report is then run and displayed.
The user clicks the hyperlink in the email and is prompted by F5 for their domain credentials.
F5 routes them to the SSrS report manager site where the selected report is run and displayed.
The report that is displayed also has within it hyperlinks that open another report on the SSrS report manager.
The user clicks on one of these hyperlinks and the third report runs and displays.

Here is the problem we are having:

When the SSrS report manager was running on a single server, the user was prompted once by F5, routed to the report on the report manager, and the report ran and displayed. If the use clicked on a hyperlink in this second report, the third report ran and displayed. The user was only prompted for authentication credentials once (by F5) in this process.
When the SSrS report manager is load-balanced on two servers, the user gets prompted for credentials by F5, then by Windows. If the user is on a domain-joined computer in the network, then he receives no further prompts as he moves from the second report to the third report. However, if the user is on a non-domain computer outside our network, when he clicks on a hyperlink in the second report, he is prompted again for Windows credentials (a variable number of times from once to five times or more). Sometimes the third report will come up if we cancel the authentication dialogue, other times not.

Can anyone suggest what might be causing this phenomenon and what we might do to fix it? Thanks for any help.

Secure Web Gateway

security

12 Replies

Michael_Jenkins
Cirrostratus
Feb 09, 2016
So it looks like I've got it working now. After all your help @Kevin, I realize that I didn't have delegation allowed on the host/kerberos_user account for the http/ssrs_user SPN (but did for the server accounts) which makes sense why it'd only work with them. I didn't realize I could search for a user to get the service principal. Once I added that to the user, it started working after I did one more thing.

The other issue was that on the ssrs_user account, the spn was set to
HTTP/ssrs.example.com
, and it didn't work. Once i removed that and added
http/ssrs.example.com
in its place, it started working. I'm guess case matters. 🙂

Thanks for all your help. It's helped me learn a lot of little things about Kerberos so far. I appreciate your expertise.
Doug_Pruiett_24
Nimbostratus
Feb 09, 2016
Thank you Kevin for all the great guidance you provided through this thread. Through your and Michael's work our SSrS reporting process can now proceed with beta testing. Great work all.