Non local kerberos realm

What's the format of the username? Is it in UPN format (bob@domain.com) or just simple name (bob)? If the former, does the submitted UPN match the userPrincipalName in the AD? And if so, is this using an alternate UPN suffix?

You should also be specifying the user's real domain in the session.logon.last.domain variable. APM Kerberos SSO won't chase Kerberos referrals so you have to tell it which domain the user belongs to. Try the short name (bob) and the real domain as SSO inputs.

Also if the UPN you're trying is using a domain alias (ie. doesn't exactly match the real domain name), then you MUST use the sAMAccountName (short) name.

Is this a FULL transitive trust, forest trust, or selective trust?

Okay, just to clarify, today it is a forest trust? Not selective or two-way non-transitive?

I am being told that it is a two way non-transitive trust with domain wide auth.

I was afraid of that. The base requirement for APM Kerberos SSO is a forest or two-way transitive trust. A selective trust can also work, but requires more configuration in the domain. APM Kerberos SSO performs Kerberos Constrained Delegation and Kerberos Protocol Transition. The latter is what requires the trust.

Either a forest (two-way transitive) or (explicit) external two-way trust will work.

A selective trust is defined within the parameters of an external two-way trust and will cause issues with Kerberos Protocol Transition. The following is a good article on that:

http://stackoverflow.com/questions/2320857/wcf-sspi-failure-with-external-trust-selective-versus-domain-wide

For SSO you don't specifically need to modify the /etc/krb5.conf, except for setting dns_lookup_kdc to true. The most important thing is that APM can resolve the KDCs of all of the domains.

With the proper trusts in place, if from the command line you can nslookup/dig the the domain names and return the KDCs, then:

a. Set APM SSO logging to debug and reply back here with that log

b. Capture the Kerberos traffic between APM and the KDC, either directly with Wireshark on the KDC or with tcpdump and import into Wireshark.

tcpdump -lnni 0.0 -Xs0 -w [write to file] port 88 [and any other filters]

You're getting a server principal unknown error and using **http/%h@DOMAIN1.DOMAIN.COM ** as the SPN pattern. This pattern implies that you're deriving the target SPN from the client's Host header. Is that what you intended?

You may have to do an LDAP/AD query to get the values you need, and then do a variable assignment in the visual policy.

Try this:

if { [mcget {session.sso.token.last.username}] contains "-ext" } { return "domain2.domain.com" } else { return "domain1.domain.com" }

Let's step back a bit. We know that if you very simply do a variable assignment in the visual policy with the correctly formatted names then it works. So the goal should be to take whatever subject value is coming from the SAML assertion and assign that, formatted as required, into the session variables needed for Kerberos SSO. If you're using sAMAccountName and correct domain in the working policy, then that's what you need to convert the SAML subject to. If you can derive any of that information directly from the SAML assertion, great. Otherwise you may need to do a quick AD or LDAP query to get the sAMAccountName of the user.