Forum Discussion

AngryCat_52750
Sep 12, 2013

Kerberos - multiple VS, multiple SSO, same domains errors

We have a web application in dev, QA and preprod.. we want to use Kerberos to auth the users to the web app.. each environment has its own group of web servers.. On the F5, we have different VS, Kerberos AAA, Kerberos SSO and access policies associated with each environment.. we got the Dev environment to work (client and server side)..

We used the same configs and created new stuff for the next environment.. tried it out and I can get to dev.domain.com but can't for preprod.domain.com.. waited an hour and then I could get to preprod.domain.com but not dev.domain.com.. I see the following errors in the APM logs (set to debug)..

Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0046:7: c62ea9c7: adding item to WorkQueue
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0018:7: sid:c62ea9c7 ctx:0x91ea4a8 server address = ::ffff:10.20.50.40
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0023:7: S4U ======> ctx: c62ea9c7, sid: 0x91ea4a8, user: UserA@DOMAIN.COM, SPN: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Getting UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: Found UCC:UserA@DOMAIN.COM@DOMAIN.COM, lifetime:36000 left:28611
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: UCCmap.size = 8, UCClist.size = 8
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: UserA@DOMAIN.COM server: HTTP/webserv01.DOMAIN.COM@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: UserA@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-1765328243)
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: Failed to get ticket for user UserA@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0048:3: c62ea9c7: failure occurred when processing the work item
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_NOTIFY
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: ctx: 0x93292f0, SERVER: TMEVT_RESPONSE

Any Ideas??
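As an added example (not code from the thread or from F5), here is a small Python script that walks websso debug lines of the shape quoted above, joins each 014d0024 "Failed to get ticket" event to the SSO config and SPN of its session, and then lists any realm that is being served by more than one SSO config on the same box, which is the condition the later replies tie to "Matching credential not found". The sample log is constructed and modelled on the quoted lines; the second session (sid 0a1b2c3d, webserv09) is made up, and the script assumes the 014dxxxx message ids are stable per event type as they appear in the post.

```python
import re

# Constructed sample, modelled on the websso debug lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Sep 11 22:29:32 F5-Server01 info websso.1[32091]: 014d0011:6: c62ea9c7: Websso Kerberos authentication for user 'UserA' using config '/Common/sso-kerberos-preprod'
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:c62ea9c7 ctx:0x91ea4a8 SPN = HTTP/webserv01.DOMAIN.COM@DOMAIN.COM
Sep 11 22:29:32 F5-Server01 debug websso.1[32091]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: UserA@DOMAIN.COM - trying to fetch
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user UserA@DOMAIN.COM - Matching credential not found (-1765328243)
Sep 11 22:29:32 F5-Server01 err websso.1[32091]: 014d0024:3: c62ea9c7: Kerberos: Failed to get ticket for user UserA@DOMAIN.COM
Sep 11 22:30:05 F5-Server01 info websso.1[32091]: 014d0011:6: 0a1b2c3d: Websso Kerberos authentication for user 'UserB' using config '/Common/sso-kerberos-dev'
Sep 11 22:30:05 F5-Server01 debug websso.1[32091]: 014d0021:7: sid:0a1b2c3d ctx:0x91ea4b0 SPN = HTTP/webserv09.DOMAIN.COM@DOMAIN.COM
"""

# Message ids as they appear in the post (assumed stable): 014d0011 = auth start with SSO config,
# 014d0021 = SPN chosen, 014d0005 = S4U ticket error (carries no sid), 014d0024 = per-session failure.
START_RE = re.compile(r"014d0011:\d+: (?P<sid>\w+): .*user '(?P<user>[^']+)' using config '(?P<config>[^']+)'")
SPN_RE = re.compile(r"014d0021:\d+: sid:(?P<sid>\w+) .*SPN = (?P<spn>\S+)")
S4U_ERR_RE = re.compile(r"014d0005:\d+: Kerberos: can't get (?P<stage>S4U2\w+) ticket for user (?P<user>\S+) - (?P<reason>.+?) \((?P<code>-?\d+)\)")
FAIL_RE = re.compile(r"014d0024:\d+: (?P<sid>\w+): Kerberos: Failed to get ticket for user (?P<user>\S+)")

def analyze(log_text):
    """Return (sessions, failures): per-sid context, and each ticket failure joined to the
    SSO config, SPN, S4U stage and Kerberos error code of the session that hit it."""
    sessions, last_err, failures = {}, {}, []
    for line in log_text.splitlines():
        if m := START_RE.search(line):
            sessions[m["sid"]] = {"user": m["user"], "config": m["config"], "spn": None}
        elif m := SPN_RE.search(line):
            sessions.setdefault(m["sid"], {"user": None, "config": None})["spn"] = m["spn"]
        elif m := S4U_ERR_RE.search(line):
            # No sid on this line: remember it per user principal and join on the next 014d0024.
            last_err[m["user"]] = (m["stage"], m["reason"], m["code"])
        elif m := FAIL_RE.search(line):
            s = sessions.get(m["sid"], {})
            stage, reason, code = last_err.pop(m["user"], (None, None, None))
            failures.append({"sid": m["sid"], "user": m["user"], "config": s.get("config"),
                             "spn": s.get("spn"), "stage": stage, "reason": reason, "code": code})
    return sessions, failures

def realms_with_multiple_configs(sessions):
    """Map realm (taken from the SPN) -> sorted SSO configs seen for it, keeping only realms
    served by more than one config: the setup the thread says fails on a single appliance."""
    by_realm = {}
    for s in sessions.values():
        if s.get("spn") and s.get("config"):
            by_realm.setdefault(s["spn"].rsplit("@", 1)[-1], set()).add(s["config"])
    return {realm: sorted(cfgs) for realm, cfgs in by_realm.items() if len(cfgs) > 1}

if __name__ == "__main__":
    sess, fails = analyze(SAMPLE_LOG)
    for f in fails:
        print(f"{f['sid']} {f['user']} via {f['config']} -> {f['stage']} failed: {f['reason']} ({f['code']})")
    for realm, cfgs in realms_with_multiple_configs(sess).items():
        print(f"realm {realm} is served by {len(cfgs)} SSO configs: {', '.join(cfgs)}")
```

Pointed at a real /var/log/apm with websso at debug level, the second report is the quick check for the one-appliance, two-SSO-configs-per-realm situation the replies describe.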

 

9 Replies

  • tried it out and i can get to dev.domain.com but cant for preprod.domain.com.. waited an hour and then i could get to preprod.domain.com but not dev.domain.com

     

    Which BIG-IP version?

     

  • This morning, we moved our PreProd environment temporarily to our LAB F5..

    By doing this, we were able to get both environments up at the same time..

    The issue seems to be that we cannot have both environments set up on the same F5 appliance..

    If I have both setups on the same appliance, a user can only access one environment, and for them to get to the other environment, I have to restart the websso service..

    Kevin - what version of F5 are you running?? We are wondering if this is a bug in 11.3 HF6 and maybe we need to roll back down to a working version or up to 11.4...

     

    • Kevin_Stewart
      I vaguely recall this same issue popping up in 11.3 HF3 for someone else, and I know it worked in 11.2.1. I'll test in 11.4 and let you know.
  • Tried on 11.4 and that didn't allow me to connect to two environments at the same time from the same appliance.. Will downgrade lab to 11.2.1 this morning..

     

  • Hi,

    I don't know if you still have the issue, but I ran into it today too.

    From what I figured out, the problem is caused by the Kerberos cache. When you have a Kerberos ticket in the cache for a user that was delegated by the account for domain A, and you want to access an application that uses the SSO configuration for domain B, the ticket generation will fail because the AD will not be able to decrypt the ticket issued earlier. Don't know if it's clear enough... I will open a case with F5 support because, from what I understand, the Kerberos cache is shared and it should not be.

    Antoine

     

    • Kevin_Stewart
      Thanks for the insight Antoine. There's already a case open for this (probably a few), but please do open another. This will help elevate the cause.
  • Hi folks,

    After a while, some news on this problem: the MIT Kerberos library that is used by F5 does not allow more than one delegation account per realm, which causes the issue.

    I asked for an RFE to be opened to correct that and it was accepted by the Engineering team. Here is the ID so you can ask your Sales Rep to subscribe you to it; this will help the RFE to be moved up the pile: BZ445501.

    Antoine