APM, Kerberos and SSO
Hi, I was trying to setup SSO using APM Cookbook: Single Sign On (SSO) using Kerberos article. I am using VE with 12.0.0HF1. I have https vs with one member pool pointing to IIS server (IIS is runing on the same computer as AD). My VS has IP 10.128.10.6, it resolves to interent.f5demo.com (via DNS on AD), there is as well PTR record defined My AD (and KDC) has IP 10.128.10.2, it resolves to ad.f5demo.com, there is as well PTR record defined. On F5 both dig elvis162.f5demo.com and dig -x 10.128.10.2 is resolving correctly (DNS set on F5 is the one running on AD - 10.128.10.2) - here I am getting two names elvis162.f5demo.com and hostmaster.f5demo.com Target pool member in my IIS pool is 10.128.10.2 (IIS on AD computer) Delegation account on AD is set with user logon name host/apm-kcd.f5demo.com and pre-Windows 2000 apm-kcd Delegation is set as on screen below: Everything works OK except after auhenticating via APM Logon page I am getting Windows logon popup. Even if credentials entered there are the same that are working when directly connecting to IIS (on AD computer using elvis162.f5demo.com host) I can't authenticate. Of course main issue is that this second logon should not show up - at least that is my understanding. In APM log (logging set to debug) only error is: Feb 17 12:30:11 bigip11 err websso.1[2037]: 014d0019:3: /Common/intranet.f5demo.com_sso_ap:Common:9ba7de8f: Kerberos: Failed to resolve IP address: ::ffff:10.128.10.2 Feb 17 12:30:11 bigip11 err websso.1[2037]: 014d0048:3: /Common/intranet.f5demo.com_sso_ap:Common:9ba7de8f: failure occurred when processing the work item So what I am doing wrong here? Piotr
Kerberos SSO for APM - Exchange 2016
Hello, i'm trying to configure Kerberos SSO for Outlook anywhere(Exchange 2016) but I keep getting these errors. debug websso.3[4647]: 014d0021:7: /Common/NTLM-EX2016:Common:8d962818: ctx:0x8e61f40 SPN = HTTP/mail.domain1.fr@subdomain.domaine2.FR info websso.3[4647]: 014d0022:6: /Common/NTLM-EX2016:Common:8d962818: Kerberos: realm for user USERX is not set, using server's realm subdomain.domaine2.FR debug websso.3[4647]: 014d0023:7: S4U ======> /Common/NTLM-EX2016:Common:8d962818: ctx: 0x8e61f40, user: USERX@subdomain.domaine2.FR, SPN: HTTP/mail.domain1.fr@subdomain.domain2.FR err websso.3[4647]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/mail.domain1.fr@subdomain.domain2.FR - Requesting ticket can't get forwardable tickets (-1765328163) Delegation account: host/d5delegation @subdomain.domain2.fr Kerberos SSO Auth: SPN is HTTP/mail.domain1.fr (the public hostname where clients came) And Also on Delegation > I choose trust this user for delegation to specified services only > USe any authentification protocol > and i choose the SPN AD servers are on pre-production, on subdomain.domain2.fr. This command (nslookup -type=SRV _kerberos._tcp.dc._msdcs.subdomain.domain2.fr) doesnt found KDC because the f5 dns is only resolving on domain1.fr. BUT since F5 is resolving the domain controllers of the preprod zone (the dc server I specified in kerberos sso auth), is it ok ? This doesnt work too: kinit -f HTTP/mail.domain1.fr@subdomain.domain2.FR kinit: Cannot resolve servers for KDC in realm ....... Thanks for help
APM SSO -Kerberos Decrypt integrity check failed
Hi, I have been facing an issue with APM SSO "Kerberos Decrypt integrity check failed" Here are Log details: S4U ======> - fetched S4U2Self ticket for user: xpto@DOMAIN.COM Kerberos: can't decrypt S4U2Self ticket for user xpto@DOMAIN.COM - Decrypt integrity check failed (-1765328353) For this reason the SSO is failing.Any help would be very much appreciated.
SSL VPN Kerberos delegation in sharepoint environment With multiple embedded internal resources.
I am new to F5 and I have recently downloaded a trial appliance. I come to you guys to see if APM will work in our environment before I dive in and start configuring. We have an internal sharepoint site that we would like to be able to access outside of our network. The ideal situation is to have a SSL VPN to the site that delegates kerberos tickets to all internal servers that need authentication. Our topography is a sharepoint site that has internal server resources embedded via webparts or page viewers that all require kerberos authentication. Is it possible for APM to identify and delegate kerberos tickets to any servers that request a kerberos ticket? I read in the documentation that kerberos delegation only works for IIS servers, is this true?Kerberos delegation on 11.5.3
Hello gurus Is there a way to configure Kerberos delegation on BigIp 11.5.3? The doc referenced at https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-1/42.html and applicable to 11.5.3. refers to configuration screens that we cannot find on 11.5.3 LTM. By Kerberos delegation I mean end-to-end kerberos authentication from the end-user browser down to the application server through the BigIp. NOT Kerberos termination at BigIP and then between BigIp and the application server, there is another authentication mechanism. In the sequence diagram below, Service 1 would be BigIp LTM and service 2 would be the application server selected from the pool (either a common SPN or a SPN by server). Thx for any valuable input.Kerberos Delegation and NTLM auth Exchange 2013
This is related to a previous post about the Exchange iApp. Everything is working for both internal and internal connections except from Outlook Anywhere clients attempting to connect to the external VS and auth via RPC over HTTP. I enabled all debug logs for APM and ECA since that seemed to be where the failure was occuring. I noticed the following and cannot make much sense of it. Any help would be appreciated. Below is the log file comparison between a successful auth though the internal iApp vs the failed auth through the external iApp. This is just a snippet of the full log. Everything before these lines in the log is the same for both internal and external connections. It seems to fail when the BigIP tries to make a call to itself to process the logon request, anyone ever see this before? Internal success: Aug 12 13:22:12 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 10.1.12.9:46380 (0x09a8b9c8) Server challenge: 24296533D8C59FB4 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[18] from 127.0.0.1:43935 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> client[5]: is ready Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> NLAD_TRACE: nlclnt[53403010a / 01] sending logon = 0xC00000E5 Aug 12 13:22:12 JHHCF5 debug nlad[8603]: 01620000:7: <0x5624cb90> nlclnt[53403010a] logon: entering user GRicketts domain JHHC wksta JHHC04619LT Failed auth: Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> clntsvc: processing 'logon' request on connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 warning nlad[8603]: 01620000:4: <0x559058f0> clntsvc: no client for id 6 to service request from connection[38] from 127.0.0.1:44495 Aug 12 12:51:10 JHHCF5 debug nlad[8603]: 01620000:7: <0x559058f0> nla_rq: response with status [0xc00000ab,NT_STATUS_INSTANCE_NOT_AVAILABLE] for type 'logon' client 6 context 0x5ab82b90 24 bytes to connection[38] from 127.0.0.1:44495: took 0 milli-seconds Aug 12 12:51:10 JHHCF5 debug eca[7237]: 0162000c:7: [Common] 12.181.141.210:45214 (0x5bf14c28) nla_agent::logon, rc = STATUS_NO_LOGON_SERVERS (3221225566)
