Forum Discussion
SSO Using Kerberos Contrained Delegation for Multiple Domains
We are utilizing a SSO Kerberos Configuration to access a few of our applications in our domain (Domain1). Domain1 is a child domain and is configured as the Kerberos Realm in the SSO Kerberos configuration. The account name used in the configuration is also a member of Domain1. This is working for Domain1 clients with no issues. We want to give a different child domain (Domain2) access to these applications. Domain2 is in the same forest as Domain1 and has two way trust. The F5 can reach both domains and resolve in DNS. Clients from Domain2 are not able to get a Kerberos ticket. The following errors show in the APM log. Kerberos: Failed to get ticket for user test@Domain2.com and failure occurred when processing the work item
Is it even possible to have clients from another child domain get a ticket using an F5 in another domain? Also, is there any way to get more detailed logs on why Domain2 cannot get Keberos ticket. I have the log level set to debug set for Access Policy and SSO.
- FI_2016_187929Nimbostratus
Just an update, I was able get multiple domains working. I needed to manually add the Domain2 realm to the krb5.conf file. I am not sure if that is the correct way to configure, but it did allow Domain2 client to get a Kerberos ticket and access to the Domain1 application.
- Michael__Nimbostratus
Hi,
We use also APM with Kerberos Contrained Delegation for multiple domains with a transitiv trust. We just added 2 lines under [libdefaults] to the krb5.conf, DNS did the rest to get it working 🙂
dns_lookup_realm = true dns_lookup_kdc = true
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com