Forum Discussion
Problems with using Kerberos Authentication
Hi
This is a very interesting post... I'm having the same issue, so I checked all the steps that Kevin describes, but my BigIP is still reporting the same errors:
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: d0000 : Unspecified GSS failure. Minor code may provide more information
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: 186a4 :
My problem is that item 'Kerberos Auth' does not open any connection to the KDC... I don't see any traffic to it with tcpdump -ni 0.0 host my_kdc
In the document for Kerberos Authentication (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0.pdf?sr=36691337) there is no reference to /etc/krb5.conf; by the way, the LTM/APM is running 11.4.1 HF3. But I wrote the KDC and the Admin_Server in the krb5.conf, as it was necessary for the kinit test...
- DNS register A and PTR is done and also added at /etc/hosts via tmsh.
- Keytab file: the KVNO is the same in the KDC and in the filestore.
- Keytab file: tested in Apache, bypassing APM and using only LTM, so the keytab file seems to be right.
- Kinit with a domain user works fine. When I do this test I see traffic to the KDC with Wireshark, so there is communication between the BigIP and the KDC...
Any idea?
Thanks in advance...
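Added example (not part of the original post and not F5 code): decoding the hex values in the two apd log lines quoted above, using the major-status layout from RFC 2744. It assumes the first line logged for a session/call pair carries the GSS major status and the second the mechanism minor status; the function names are hypothetical.

```python
import re

# The two apd debug lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: d0000 : Unspecified GSS failure. Minor code may provide more information
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: 186a4 :
"""
# Session id, GSS call name, hex status code, optional message text.
LINE_RE = re.compile(r"Msg: (?P<sid>\w+) : GSS-API error (?P<call>\w+): "
                     r"(?P<code>[0-9a-fA-F]+) :\s*(?P<text>.*)")
# RFC 2744 major status: calling error in bits 24-31, routine error in
# bits 16-23, supplementary information flags in bits 0-15.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
           4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
           7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
           10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
           12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
           15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
           17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]

def decode_major(status):
    """Split a GSS major status into its three RFC 2744 fields."""
    calling, routine = (status >> 24) & 0xFF, (status >> 16) & 0xFF
    return {
        "calling": CALLING.get(calling, f"unknown({calling})") if calling else None,
        "routine": ROUTINE.get(routine, f"unknown({routine})") if routine else None,
        "supplementary": [n for bit, n in enumerate(SUPPLEMENTARY) if status & (1 << bit)],
    }

def parse_apd_gss(log):
    """Group GSS-API error lines by (session id, call name)."""
    results = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, code = (m["sid"], m["call"]), int(m["code"], 16)
        if key not in results:   # assumption: first line is the major status
            results[key] = {"major": decode_major(code), "minor": None}
        else:                    # assumption: next line is the minor status
            results[key]["minor"] = code
    return results

if __name__ == "__main__":
    for key, value in parse_apd_gss(SAMPLE_LOG).items():
        print(key, value)
```

For the lines in the post, d0000 decodes to routine error GSS_S_FAILURE with no calling-error or supplementary bits set, and 186a4 is decimal 100004; the minor value is mechanism-specific and RFC 2744 assigns it no meaning.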