Kerberos - multiple VS, multiple SSO, Same Domains errors
We have a web application in dev, QA and preprod. We want to use Kerberos to auth the users to the web app. Each environment has its own group of web servers. On the F5, we have different VS, Kerberos AAA, Kerberos SSO, and access policies associated with each environment. We got the dev environment to work (client and server side).
We used the same configs and created new stuff for the next environment. Tried it out and I can get to dev.domain.com but can't for preprod.domain.com. Waited an hour and then I could get to preprod.domain.com but not dev.domain.com. I see the following errors in the APM logs (set to debug):
Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0046:7: c62ea9c7: adding item to WorkQueue
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0018:7: sid:c62ea9c7 ctx:0x91ea4a8 server address = ::ffff:10.20.50.40
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0023:7: S4U ======> ctx: c62ea9c7, sid: 0x91ea4a8, user: UserA@DOMAIN.COM, SPN: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Getting UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Found UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:28611
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: UCCmap.size = 8, UCClist.size = 8
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: UserA@DOMAIN.COM server: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: UserA@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-1765328243)
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: Failed to get ticket for user UserA@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_NOTIFY
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_RESPONSE
Any ideas?