Forum Discussion

Steve_Lyons
Ret. Employee
Mar 01, 2019

Multiple Login Attempts Required for Kerberos Constrained Delegation (KCD)

Has anyone run into an issue in which it took 2 or more authentication attempts to finally successfully log into an application using KCD? Below is an example of the use case I am referencing, where it takes 3 authentication attempts before a successful login.

Attempt 1: Failed to get a forwardable ticket and SSO halts

Manually Delete Session in APM

Attempt 2: Failed to get a forwardable ticket though it has a cached ticket

Manually Delete Session in APM

Attempt 3: Has cached ticket and SSO works as expected.

Manually Delete Session and bigstart restart websso to reproduce from attempt 1


6 Replies

  • Attempt 1 from APM Logs

    [:uri][/mysite/Home/Login?id=100
    Fetched new TGT, total active TGTs:1
    S4U ======> - fetched S4U2Self ticket for user: user
    S4U ======> trying to fetch S4U2Proxy ticket for user: user
    Requesting ticket can't get forwardable tickets (-1765328163)
    Halted SSO retry for request
    Session deleted due to admin initiated termination.

    Attempt 2 from APM Logs

    [:uri][/mysite/Home/Login?id=100
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
    [:uri][/mysite/Home/...
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
    [:uri][/mysite/jquery
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
    S4U ======> - NO cached S4U2Proxy ticket for user:
    Requesting ticket can't get forwardable tickets (-1765328163)
    S4U ======> - we have cached S4U2Proxy ticket for user:
    failure occurred when processing the work item
    S4U ======> OK!
    Session deleted due to admin initiated termination.

    Attempt 3 from APM Logs

    [:uri][/mysite/Home/Login?id=100]
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
    [:uri][/mysite/Home/...
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
    [:uri][/mysite/jquery
    S4U ======> - we have cached S4U2Proxy ticket for user:
    S4U ======> OK!
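As an added triage example (not code from the original post or from F5), the Python below tallies the S4U steps per APM session from websso log lines shaped like the ones quoted above, so the three attempts can be compared at a glance. The sample log and the marker strings are constructed from this thread, and the FAIL/OK rule is a heuristic of this example, not APM logic.

```python
from collections import Counter

# Constructed sample modelled on the websso lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
[:uri][/mysite/Home/Login?id=100
S4U ======> - fetched S4U2Self ticket for user: user
Requesting ticket can't get forwardable tickets (-1765328163)
Halted SSO retry for request
Session deleted due to admin initiated termination.
[:uri][/mysite/Home/Login?id=100
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
S4U ======> - NO cached S4U2Proxy ticket for user:
Requesting ticket can't get forwardable tickets (-1765328163)
Session deleted due to admin initiated termination.
[:uri][/mysite/Home/Login?id=100]
S4U ======> - we have cached S4U2Proxy ticket for user:
S4U ======> OK!
"""

MARKERS = {
    "fetched S4U2Self ticket": "s4u2self",        # identity ticket obtained for the user
    "we have cached S4U2Proxy": "proxy_hit",      # service ticket served from APM's cache
    "NO cached S4U2Proxy": "proxy_miss",          # cache miss, KDC asked for S4U2Proxy again
    "can't get forwardable tickets": "not_forwardable",  # KDC refused the S4U2Proxy request
    "Halted SSO retry": "halted",                 # APM stopped retrying SSO
    "S4U ======> OK!": "ok",                      # SSO succeeded for this request
}

def triage(log_text: str) -> list:
    """Split the log at session terminations and tally the markers per attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if cur is None:                 # first line of a new APM session
            cur = Counter()
            attempts.append(cur)
        for needle, key in MARKERS.items():
            if needle in line:
                cur[key] += 1
        if "Session deleted" in line:   # admin-initiated termination ends the attempt
            cur = None
    return attempts

def verdict(attempt: Counter) -> str:
    """FAIL if any S4U2Proxy request was refused; OK only if every request was served."""
    if attempt["halted"] or attempt["not_forwardable"]:
        return "FAIL"
    return "OK" if attempt["ok"] and not attempt["proxy_miss"] else "UNKNOWN"
```

Running `[verdict(a) for a in triage(SAMPLE_LOG)]` on the sample gives FAIL, FAIL, OK, matching the three attempts described in the post.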

     

  • Is it a multi-domain or single-domain forest?

    Did you configure the KDC, or did you leave the field blank?

    If you left it blank, is the BIG-IP allowed to contact all KDC servers?

     

  • Single-domain forest with the KDC defined. A tcpdump was taken from the BIG-IP and a Wireshark capture from the KDC.

    KRB5KDC_ERR_PREAUTH_REQUIRED KRB5KRB_ERR_RESPONSE_TOO_BIG AS-REQ AS-REP TGS-REQ TGS-REP pa-data pa-s4u-X509-user padata-type:kRB5-PADATA-FOR-X509-USER (130)

    The padata is the one thing that does not seem to always be consistent, but I have no idea if that is an issue or not. My expectation would be that each TGS-REP from the KDC would be identical, as it is for the exact same user/principal/service. I see some responses with padata and others without.

     

  • I am going to take a capture of a successful authentication and look to see if the TGS-REP differs for s4u2user and s4u2proxy. Could be what I am seeing.