I have kerberos for server-side (SSO) working just fine. My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain kerberos realm: domain1.domain.COM I have two domains. Domain1.domain.com and domain2.domain.com. There is a 2 way trust between the AD servers in each domain. My service account is in domain1.domain.com. When users come in and have a username in domain1.domain.com it works just fine, but when they come in from domain2 it won't work. It tells me S4U ======> - NO cached S4U2Proxy ticket for user: USERNAME@DOMAIN2.DOMAIN.COM server: http/SITE.DOMAIN1.DOMAIN.COM@DOMAIN1.DOMAIN.com - trying to fetch S4U ======> - NO cached S4U2Self ticket for user: USERNAME@DOMAIN2.DOMAIN.COM - trying to fetch Kerberos: can't get S4U2Self ticket for user USERNAME@DOMAIN2.DOMAIN.COM - Realm not local to KDC I know that there is something simple I'm missing. I've read a bunch of questions/replies on this topic but am still a little lost. Any hints/nudges in the right direction would be appreciated. Thanks!

What's the format of the username? Is it in UPN format (bob@domain.com) or just simple name (bob)? If the former, does the submitted UPN match the userPrincipalName in the AD? And if so, is this using an alternate UPN suffix?

You should also be specifying the user's real domain in the session.logon.last.domain variable. APM Kerberos SSO won't chase Kerberos referrals so you have to tell it which domain the user belongs to. Try the short name (bob) and the real domain as SSO inputs. Also if the UPN you're trying is using a domain alias (ie. doesn't exactly match the real domain name), then you MUST use the sAMAccountName (short) name. Is this a FULL transitive trust, forest trust, or selective trust?

Okay, just to clarify, today it is a forest trust? Not selective or two-way non-transitive?

I am being told that it is a two way non-transitive trust with domain wide auth. I was afraid of that. The base requirement for APM Kerberos SSO is a forest or two-way transitive trust. A selective trust can also work, but requires more configuration in the domain. APM Kerberos SSO performs Kerberos Constrained Delegation and Kerberos Protocol Transition. The latter is what requires the trust.

Either a forest (two-way transitive) or (explicit) external two-way trust will work. A selective trust is defined within the parameters of an external two-way trust and will cause issues with Kerberos Protocol Transition. The following is a good article on that: http://stackoverflow.com/questions/2320857/wcf-sspi-failure-with-external-trust-selective-versus-domain-wide

Forum Discussion

dp_119903

Cirrostratus

Sep 15, 2015

Non local kerberos realm

I have kerberos for server-side (SSO) working just fine.

My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain

kerberos realm: domain1.domain.COM

I have two domains. Domain1.domain.com and domain2.domain.com. There is a 2 way trust between the AD servers in each domain. My service account is in domain1.domain.com. When users come in and have a username in domain1.domain.com it works just fine, but when they come in from domain2 it won't work. It tells me

S4U ======> - NO cached S4U2Proxy ticket for user: USERNAME@DOMAIN2.DOMAIN.COM server: http/SITE.DOMAIN1.DOMAIN.COM@DOMAIN1.DOMAIN.com - trying to fetch S4U ======> - NO cached S4U2Self ticket for user: USERNAME@DOMAIN2.DOMAIN.COM - trying to fetch Kerberos: can't get S4U2Self ticket for user USERNAME@DOMAIN2.DOMAIN.COM - Realm not local to KDC

I know that there is something simple I'm missing. I've read a bunch of questions/replies on this topic but am still a little lost. Any hints/nudges in the right direction would be appreciated.

Thanks!

BIG-IP Access Policy Manager (APM)

security

11 Replies

Kevin_Stewart
Employee
Oct 01, 2015
So it seems to me, at least, that forest level trust may in fact be a requirement.

Selective trust does work, but as you've seen in the article requires some heavy lifting in the AD. The basic requirement is a forest trust or a full two-way transitive external trust.