Forum Discussion

troyt_297959
Feb 06, 2019

kerberos

We are trying to set up Kerberos SSO and are getting the following errors (see logs below).

Currently we pull a username from a SAML Auth and that part works. We use a variable assign in the Access Profile to assign it to session.logon.last.username and that works fine. We also used a variable assign to assign session.ad.last.actualdomain = text DOMAIN.COM. We then created a Kerberos SSO Config per the screenshot. We have tried several variations such as putting in the IP of the KDC and specifying the SPN pattern. We can connect with the service account with both adtest and kinit:

adtest -t auth -r "DOMAIN.COM" -u srv-ssrs -w XXXXXXXXXXXXXXXXXXX
Test done: total tests: 1, success=1, failure=0

[ttaylor@dc-f5-apmp02:Active:Changes Pending] log kinit HTTP/host.fqdn.com@DOMAIN.COM
Password for HTTP/host.fqdn.com@DOMAIN.COM:
[ttaylor@dc-f5-apmp02:Active:Changes Pending] log klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/host.fqdn.com@DOMAIN.COM

Valid starting       Expires              Service principal
02/06/19 12:22:23    02/06/19 22:22:53    krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/07/19 12:22:23

My thought is that there is a problem with the AD/Kerberos setup side of things. Any ideas on what we could look for?

Any help is appreciated.

Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ssoMethod: kerberos usernameSource: session.sso.token.last.username userRealmSource: session.ad.last.actualdomain Realm: DOMAIN.COM KDC: AccountName: HTTP/srv-ssrs spnPatterh: HTTP/%s@DOMAIN.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_REQUEST
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_REQUEST_DONE
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1618, CLIENT: TMEVT_SESSION_RESULT
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ctx: 0x8bc1940, SERVER: TMEVT_REQUEST
Feb 6 11:55:39 dc-f5-apmp02 info websso.0[22715]: 014d0011:6: /Common/okta-ssrs-ap:Common:a0eacb61: Websso Kerberos authentication for user 'taytro' using config '/Common/ssrs-kerberos-sso'
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0046:7: /Common/okta-ssrs-ap:Common:a0eacb61: adding item to WorkQueue
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0018:7: /Common/okta-ssrs-ap:Common:a0eacb61: ctx:0x8bc1618 server address = ::ffff:172.17.32.84
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0021:7: /Common/okta-ssrs-ap:Common:a0eacb61: ctx:0x8bc1618 SPN = HTTP/per-edaprs01@DOMAIN.COM
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0023:7: S4U ======> /Common/okta-ssrs-ap:Common:a0eacb61: ctx: 0x8bc1618, user: taytro@DOMAIN.COM, SPN: HTTP/per-edaprs01@DOMAIN.COM
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: Getting UCC:taytro@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: Found UCC:taytro@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:31779
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: UCCmap.size = 2
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: taytro@DOMAIN.COM server: HTTP/per-edaprs01@DOMAIN.COM - trying to fetch
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: taytro@DOMAIN.COM - trying to fetch
Feb 6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user taytro@DOMAIN.COM - Matching credential not found (-1765328243)
Feb 6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0024:3: /Common/okta-ssrs-ap:Common:a0eacb61: Kerberos: Failed to get ticket for user taytro@DOMAIN.COM
Feb 6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0048:3: /Common/okta-ssrs-ap:Common:a0eacb61: failure occurred when processing the workitem


1 Reply

Hi Troyt,

I have exactly the same problem. I have this error:

Feb 10 11:16:24 F5 err websso.1[28958]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user user@DOMAIN.LOCAL - Matching credential not found (-1765328243)

Do you know how to fix this issue?

Thanks, best regards.
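Both posts show the same break point: the UCC entry for the user is found, no cached S4U2Proxy or S4U2Self ticket exists, and the S4U2Self fetch fails with Kerberos code -1765328243. The triage script below is an added example (editor-supplied, not code from F5 or either poster) that walks websso lines from one SSO attempt, pulls out the Kerberos SSO config and the S4U stages attempted, maps the numeric code to its MIT krb5 name, and lists items to verify such as an empty KDC field or a cache key that carries two realm suffixes. The regexes assume the message shapes seen in this thread; the sample lines are copied from the original post, and the error-name table covers only a handful of codes.

```python
import re

# Constructed sample: the websso lines from the post that carry the SSO config,
# the credential-cache lookup and the S4U2Self failure (other lines omitted).
SAMPLE_LOG = """\
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: ssoMethod: kerberos usernameSource: session.sso.token.last.username userRealmSource: session.ad.last.actualdomain Realm: DOMAIN.COM KDC: AccountName: HTTP/srv-ssrs spnPatterh: HTTP/%s@DOMAIN.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: Found UCC:taytro@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:31779
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: taytro@DOMAIN.COM server: HTTP/per-edaprs01@DOMAIN.COM - trying to fetch
Feb 6 11:55:39 dc-f5-apmp02 debug websso.0[22715]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: taytro@DOMAIN.COM - trying to fetch
Feb 6 11:55:39 dc-f5-apmp02 err websso.0[22715]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user taytro@DOMAIN.COM - Matching credential not found (-1765328243)
"""

# Subset of MIT krb5 error codes (com_err base -1765328384); the numeric value is
# what websso prints in parentheses after the message text.
KRB5_ERRORS = {
    -1765328243: "KRB5_CC_NOTFOUND",
    -1765328377: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",
    -1765328347: "KRB5KRB_AP_ERR_SKEW",
}

# Message shapes assumed from the websso lines quoted in this thread.
CONFIG_RE = re.compile(r"ssoMethod: kerberos .*?Realm: (?P<realm>\S+) KDC: ?(?P<kdc>\S*?) ?"
                       r"AccountName: (?P<account>\S+) spnPatter\w+: (?P<spn>\S+)")
UCC_RE = re.compile(r"Found UCC:(?P<principal>\S+),")
STAGE_RE = re.compile(r"NO cached (?P<stage>S4U2Proxy|S4U2Self) ticket for user: (?P<user>\S+)")
FAIL_RE = re.compile(r"can't get (?P<stage>S4U2Self|S4U2Proxy) ticket for user (?P<user>\S+) "
                     r"- (?P<msg>.+?) \((?P<code>-?\d+)\)")

def triage(log_text):
    """Walk one websso Kerberos SSO attempt and report where the S4U chain broke."""
    report = {"config": {}, "stages_attempted": [], "failure": None, "warnings": []}
    for line in log_text.splitlines():
        if m := CONFIG_RE.search(line):
            report["config"] = m.groupdict()
            if not m["kdc"]:
                report["warnings"].append("KDC field is empty in the SSO config")
        elif m := UCC_RE.search(line):
            # A cache key with two '@' is worth checking against the username source.
            if m["principal"].count("@") > 1:
                report["warnings"].append(f"cached principal carries two realms: {m['principal']}")
        elif m := STAGE_RE.search(line):
            report["stages_attempted"].append(m["stage"])
        elif m := FAIL_RE.search(line):
            code = int(m["code"])
            report["failure"] = {"stage": m["stage"], "user": m["user"], "message": m["msg"],
                                 "code": code, "krb5_name": KRB5_ERRORS.get(code, "UNKNOWN")}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the `websso` lines for a single session id (the `a0eacb61` field in the post) so that one attempt's stages are not mixed with another's.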