Forum Discussion
Problems with Kerberos and delegation account
Hi out there I need to define a Kerberos AAA service against a MS Win2k8 AD for certificate authentication from external clients - I got stuck at a very basic level - in the F5 documentation it is written:
Open the Active Directory Users and Computers administrative tool and create a new user account. The account name must be in this format, host/name.domain, where host is a literal string, name is any arbitrary name, and domain is the DNS FQDN for that realm. Here is an example, host/apm.example.com.
ehh - my domain is testdomain.dk - my DC & CA's hostname is Win2k8DC - my webservers hostname is win2k8web1 - the F5 is bigip1 - what do I need to enter as username in the ActiveDirectory ? win2k8web/apm.testdomain.dk or what?
best regards /ti
22 Replies
- tiwang
Nimbostratus
Hi Kevin & Matthieu
Ok this means that we should be able to use this for certificate based authentication against a webservice for an arbitrary domain name. Now I just need to get the pieces put together correctly.
I tried to follow the guide here http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-guide-11-3-0/4.html
but somewhere I must have missed something - or misunderstood - so I think I'll scratch my config and start over once more.
btw - which type of user-name should I use in the SSO profile ? - SamAccountname or what attribute should I use ? I do a LDAP lookup before I pass the name to the Kerberos SSO profile so I can use an arbitrary attribute from there.
Is there somewhere a sample I could take a look at? It cannot be that hard to reproduce the steps needed to get this working.
best regards /ti
- Kevin_Stewart
Employee
I'll refer you to this thread for some more SSO configuration info:
https://devcentral.f5.com/questions/kerberos-and-ntlm-authentication-using-apm
btw - which type of user-name should I use in the SSO profile ? - SamAccountname or what attribute should I use ?
As described above, you can use the account's pre-Windows 2000 NETBIOS name, or a service principal name. If you're not doing any sort of cross-domain stuff, it might be easier to just use the NETBIOS name.
I do a LDAP lookup before I pass the name to the Kerberos SSO profile so I can use an arbitrary attribute from there.
You'll notice in the Kerberos SSO profile the username and realm source fields. The only thing you need to do from a user perspective is make sure these corresponding session variables are populated BEFORE the end of the access policy evaluation with a valid domain username and the domain realm respectively. If you don't populate the realm variable, it'll pull it from the SSO config (another cross-domain flexibility).
- tiwang
Nimbostratus
Hi again Ok - just to clarify - I get the username from the subject of the certificate and then I do a LDAP lookup - I have as username-source user the "session.ldap.last.attr.samAccountName" variable and the user realm source kept the default. Should I do a variable assignment before and keep the defaults instead in the SSO?
When I switch to advanced settings in this window I get the possibility to define headers and names also - are they used for different site names or what?
best regards /ti
- Kevin_Stewart
Employee
I have as username-source user the "session.ldap.last.attr.samAccountName" variable and the user realm source kept the default
I usually leave the field as is and do a variable assignment, but your way is also reasonable.
When I switch to advanced settings in this window I get the possibility to define headers and names also - are they used for different site names or what?
This is just there to add optional headers to the request. I've never had to use this.
- tiwang
Nimbostratus
Hi out there I still have a problem with the Kerberos SSO.
I am getting a ticket so I think most of my setup works but I have missed something - please try to take a look here - all of you who have got this Kerberos SSO working - haven't you also seen this error:
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: ctx: 0x9b76e18, SERVER: TMEVT_REQUEST
Dec 20 13:17:17 bigip1 info websso.0[7697]: 014d0011:6: 89605cf9: Websso Kerberos authentication for user 'ti' using config '/Common/ADPKerbSSO'
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0018:7: sid:89605cf9 ctx:0x9b33498 server address = ::ffff:192.168.12.20
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0046:7: 89605cf9: adding item to WorkQueue
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0021:7: sid:89605cf9 ctx:0x9b33498 SPN = HTTP/win2k8web1.testdom.dk@TESTDOM.DK
Dec 20 13:17:17 bigip1 info websso.0[7697]: 014d0022:6: 89605cf9: Kerberos: realm for user ti is not set, using server's realm TESTDOM.DK
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0023:7: S4U ======> ctx: 89605cf9, sid: 0x9b33498, user: ti@TESTDOM.DK, SPN: HTTP/win2k8web1.testdom.dk@TESTDOM.DK
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: Getting UCC:ti@TESTDOM.DK@TESTDOM.DK, lifetime:36000
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: Found UCC:ti@TESTDOM.DK@TESTDOM.DK, lifetime:36000 left:35540
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: ti@TESTDOM.DK server: HTTP/win2k8web1.testdom.dk@TESTDOM.DK - trying to fetch
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: ti@TESTDOM.DK server: HTTP/win2k8web1.testdom.dk@TESTDOM.DK
Dec 20 13:17:17 bigip1 err websso.0[7697]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/win2k8web1.testdom.dk@TESTDOM.DK - Requesting ticket can't get forwardable tickets (-1765328163)
Dec 20 13:17:17 bigip1 err websso.0[7697]: 014d0024:3: 89605cf9: Kerberos: Failed to get ticket for user ti@TESTDOM.DK
Dec 20 13:17:17 bigip1 err websso.0[7697]: 014d0048:3: 89605cf9: failure occurred when processing the work item
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: ctx: 0x9b76e18, SERVER: TMEVT_NOTIFY
Dec 20 13:17:17 bigip1 debug websso.0[7697]: 014d0001:7: ctx: 0x9b76e18, SERVER: TMEVT_RESPONSE
if this S4U2Proxy functionality doesn't work - what have I forgotten - probably something on the webserver but what? best regards /thomas iwang
- Kevin_Stewart
Employee
S4U2Proxy is generally related to Constrained Delegation, so to confirm:
- Do you have the SSO account (host/apm.testdom.dk) configured to delegate to the web server (HTTP/win2k8web1.testdom.dk)?
- Do you have delegation set to "Use any authentication protocol"?
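One way to answer Kevin's two questions (and the later question about where the SPN lives) from the Windows side, as an added example that is not from the thread or from F5: it reads the delegation account, the target SPN and the impersonated user straight out of AD over ADSI, so it runs on any domain-joined Windows host without the ActiveDirectory module. The account, SPN and user names are assumed from the thread; the expectation that the SSO account carries its own host/ SPN is an assumption based on the F5 guide's naming scheme.

```powershell
# Added example (not from the thread or F5): check the AD objects that Kerberos
# constrained delegation (S4U2Self/S4U2Proxy) depends on. Run as a domain user.
$DelegationAccount = 'host/apm.testdom.dk'         # APM SSO account (sAMAccountName or UPN prefix) - assumed
$TargetSpn         = 'HTTP/win2k8web1.testdom.dk'  # SPN the websso log shows APM requesting
$ImpersonatedUser  = 'ti'                          # user named in the websso log

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl: "Use any authentication protocol"
$NOT_DELEGATED                  = 0x100000    # userAccountControl: "Account is sensitive and cannot be delegated"

function Find-AdObject([string]$Filter) {
    $s = [ADSISearcher]$Filter
    [void]$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl',
                                         'msDS-AllowedToDelegateTo', 'servicePrincipalName'))
    $s.FindAll()
}
function Get-Uac($Result) { [int]$Result.Properties['useraccountcontrol'][0] }

$checks = @()
$svc = @(Find-AdObject "(|(sAMAccountName=$DelegationAccount)(userPrincipalName=$DelegationAccount*))")
if ($svc.Count -ne 1) { throw "Expected exactly one account for '$DelegationAccount', found $($svc.Count)" }
$uac     = Get-Uac $svc[0]
$allowed = @($svc[0].Properties['msds-allowedtodelegateto'])   # the "delegate to" list in ADUC
$spns    = @($svc[0].Properties['serviceprincipalname'])

$checks += @{ Name = "Delegation account carries SPN $DelegationAccount";   Ok = ($spns -contains $DelegationAccount) }
$checks += @{ Name = "msDS-AllowedToDelegateTo lists $TargetSpn";          Ok = ($allowed -contains $TargetSpn) }
$checks += @{ Name = 'Delegation set to "Use any authentication protocol"'; Ok = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0) }

# The target SPN is registered domain-wide, on exactly one account (the web server's
# computer account or its application pool account); missing or duplicate SPNs both break it.
$holders = @(Find-AdObject "(servicePrincipalName=$TargetSpn)")
$checks += @{ Name = "$TargetSpn registered on exactly one account (found $($holders.Count))"; Ok = ($holders.Count -eq 1) }

# The impersonated user must itself be allowed to be delegated.
$usr = @(Find-AdObject "(sAMAccountName=$ImpersonatedUser)")
if ($usr.Count -eq 1) {
    $checks += @{ Name = "$ImpersonatedUser not marked 'sensitive and cannot be delegated'"
                  Ok   = (((Get-Uac $usr[0]) -band $NOT_DELEGATED) -eq 0) }
}

foreach ($c in $checks) {
    '{0,-4} {1}' -f $(if ($c.Ok) { 'OK' } else { 'FAIL' }), $c.Name
}
```

A FAIL on the "Use any authentication protocol" line matches the websso error above: without protocol transition the KDC hands back a non-forwardable S4U2Self ticket, and the S4U2Proxy request that follows cannot use it.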
- tiwang
Nimbostratus
hi Kevin
I have to answer "I think so" because that is what I tried to do - but - there can have been errors/misunderstandings. Do you know about a way to test it from the windows platform to verify?
best regards (& happy Christmas)
thomas iwang
- Kevin_Stewart
Employee
Thomas, the two things that I usually do first when I run into trouble with Kerberos SSO are:
- Attempt to access this Kerberos resource from another machine in the domain. This will tell you definitely whether or not the app is correctly configured for Kerberos. If it doesn't work here, it isn't going to work in APM.
- Install Wireshark on your domain controller and watch the Kerberos traffic from there. This is where you'll get the best vantage point. You can also technically run tcpdump on the LTM and export a capture file to Wireshark. This tool will let you see inside the Kerberos payload, and most importantly, where the errors are.
If you can perform these 2 steps and report back what you find, that may help to better understand the problem.
- tiwang
Nimbostratus
hi kevin thanks for your notes (been on vacation so a bit delayed reply) - currently I am running a testlab on my laptop where I through gns3 and virtualbox am running the f5 11.3 ve together with a windows domain - a dc and a webserver - so it is pretty easy for me to capture what is happening. What I can see is that when I access it in the domain - from a domain pc or not - just authenticate as a domain user - the webserver authenticates with some "kerberos" stuff - not that familiar with kerberos yet but it looks correct what it does there. When I try to access the webserver from a pc through the F5 I get some mess with the SPN - the webserver will normally use an SPN as HTTP.. I'll try to scratch the config once more on the F5 and re-create it - I have now been away from it since before Christmas so I'll try to refresh what is happening. The SPN is created domain-wide or? I do not have to logon to the webserver and define the SPN there through adsiedit - this is a domain-wide user-delegation - or have I misunderstood something here? best regards - and a happy new year /ti
- tiwang
Nimbostratus
Hi Again
I built myself a new vs (and using a guide from Juniper Networks - http://www.juniper.net/techpubs/software/ive/guides/howtos/SSLConstrainedDelegation.pdf ) and then "it works". I added here a username with a more ordinary syntax - f5cduser instead of that a bit strange looking ID of e.g. host/apm.testdom.dk - can you tell me what I will be missing by creating the user in this format instead of this SPN looking syntax?
best regards /ti