Forum Discussion

Steve_Janetzke_
Nimbostratus
Nov 02, 2015

"Kerberos: can't get S4U2Self ticket for user test.user@TEST.DOMAIN.COM - Server not found in Kerberos database (-1765328377)"

I am having a problem - I think I have everything configured right - it gets the TGT ticket without a problem, so I know the clock and all the other Kerberos settings are correct. Has anyone seen anything similar? Is there a way to check the SPN other than setspn -L? I did that and the SPN looks to be assigned to the server correctly. Below is the APM log on full debug, starting with the LDAP query being successful. Begin log transcript.

 

Nov 2 09:50:51 7200B notice apd[8265]: 01490005:5: ec48bbf0: Following rule 'Query Passed' from item 'LDAP Query' to ending 'Allow'
Nov 2 09:50:51 7200B notice apd[8265]: 01490102:5: ec48bbf0: Access policy result: LTM+APM_Mode
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: constructor
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: webssoContext constructor ...
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: 16 headers received
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [:method][GET] (len=3)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [:uri][/] (len=1)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [:version][HTTP/1.1] (len=8)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [:custommeta][@Í´] (len=387)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Host][207.7.126.161] (len=13)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [session-key][*] (len=32)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header *[Cookie][LastMRH_Session=ec48bbf0; F5_ST=1z1z1z1446486540z604800] (len=55)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Referer][https://207.7.126.161/my.policy] (len=31)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Cache-Control][no-cache] (len=8)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Accept][text/html, application/xhtml+xml, /] (len=37)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Accept-Language][en-US] (len=5)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Accept-Encoding][gzip, deflate, peerdist] (len=23)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Connection][Keep-Alive] (len=10)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [User-Agent][Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko] (len=68)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [X-P2P-PeerDist][Version=1.0] (len=11)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0044:7: ec48bbf0: metadata len 387
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: init webssoConfig from data: 0x9746cbc, len: 387
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: different sso config object received, name: /Common/TEST_Kerberos, method: 5
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ssoMethod: kerberos usernameSource: session.logon.last.username userRealmSource: session.logon.last.domain Realm: TEST.DOMAIN.COM KDC: AccountName: host/apmkerb.svc@TEST.DOMAIN.COM spnPatterh: HTTP/%s@TEST.DOMAIN.COM TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9750e80, CLIENT: TMEVT_REQUEST
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9750e80, CLIENT: TMEVT_REQUEST_DONE
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9750e80, CLIENT: TMEVT_SESSION_RESULT
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9750e80, CLIENT: TMEVT_SESSION_RESULT
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9750e80, CLIENT: TMEVT_SESSION_RESULT
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9751368, SERVER: TMEVT_REQUEST
Nov 2 09:50:52 7200B info websso.3[17498]: 014d0011:6: ec48bbf0: Websso Kerberos authentication for user 'test.user' using config '/Common/TEST_Kerberos'
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0046:7: ec48bbf0: adding item to WorkQueue
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0018:7: sid:ec48bbf0 ctx:0x9750e80 server address = ::ffff:10.10.71.41
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0021:7: sid:ec48bbf0 ctx:0x9750e80 SPN = HTTP/webserver01v.test.domain.com@TEST.DOMAIN.COM
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0023:7: S4U ======> ctx: ec48bbf0, sid: 0x9750e80, user: test.user@TEST.DOMAIN.COM, SPN: HTTP/webserver01v.test.domain.com@TEST.DOMAIN.COM
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: Getting UCC:test.user@TEST.DOMAIN.COM@TEST.DOMAIN.COM, lifetime:36000
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: fetched new TGT, total active TGTs:1
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: TGT: client=host/apmkerb.svc@TEST.DOMAIN.COM server=krbtgt/TEST.DOMAIN.COM@TEST.DOMAIN.COM expiration=Mon Nov 2 19:50:16 2015 flags=40e00000
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: TGT expires:1446522616 CC count:0
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: Initialized UCC:test.user@TEST.DOMAIN.COM@TEST.DOMAIN.COM, lifetime:36000 kcc:0x98536e0
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: test.user@TEST.DOMAIN.COM server: HTTP/webserver01v.test.domain.com@TEST.DOMAIN.COM - trying to fetch
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: test.user@TEST.DOMAIN.COM - trying to fetch
Nov 2 09:50:52 7200B err websso.3[17498]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user test.user@TEST.DOMAIN.COM - Server not found in Kerberos database (-1765328377)
Nov 2 09:50:52 7200B err websso.3[17498]: 014d0024:3: ec48bbf0: Kerberos: Failed to get ticket for user test.user@TEST.DOMAIN.COM
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9751368, SERVER: TMEVT_NOTIFY
Nov 2 09:50:52 7200B err websso.3[17498]: 014d0048:3: ec48bbf0: failure occurred when processing the work item
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ctx: 0x9751368, SERVER: TMEVT_RESPONSE
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: 8 headers received
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header *[:status][401 Unauthorized] (len=16)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header *[WWW-Authenticate][Negotiate] (len=9)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header *[WWW-Authenticate][NTLM] (len=4)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Server][Microsoft-IIS/7.5] (len=17)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Date][Mon, 02 Nov 2015 17:50:16 GMT] (len=29)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Content-Length][1293] (len=4)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [Content-Type][text/html] (len=9)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: http header [X-Powered-By][ASP.NET] (len=7)
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: Halted SSO retry for request

 

5 Replies

  • We were able to figure it out. We had to add "host/apmkerb.svc" as an SPN for apmkerb.svc: even though it got a TGT for host/apmkerb.svc@TEST.DOMAIN.COM, when it tried to fetch the S4U ticket it first sent a TGS to the domain with that Sname. A packet capture on the DC revealed it, and it is now fetching the S4U ticket correctly.
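The failure resolved above can be read straight from the APM log. This is an added example, not part of the original posts and not F5 code: it pulls the delegation account and the S4U2Self error out of websso log lines and names the SPN to verify. The function name `diagnose_s4u2self` is hypothetical, and the sample lines are trimmed from the transcript in this thread.

```python
import re

# MIT krb5 error codes are this table base plus the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384
RFC4120_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

ACCOUNT_RE = re.compile(r"AccountName: (\S+)")
# The numeric code is optional: some error lines carry only the message text.
S4U2SELF_RE = re.compile(
    r"can't get S4U2Self ticket for user (\S+) - (.+?)(?: \((-?\d+)\))?\s*$", re.M)

# Sample input: two lines trimmed from the transcript in this thread.
SAMPLE_LOG = """\
Nov 2 09:50:52 7200B debug websso.3[17498]: 014d0001:7: ssoMethod: kerberos Realm: TEST.DOMAIN.COM KDC: AccountName: host/apmkerb.svc@TEST.DOMAIN.COM spnPatterh: HTTP/%s@TEST.DOMAIN.COM
Nov 2 09:50:52 7200B err websso.3[17498]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user test.user@TEST.DOMAIN.COM - Server not found in Kerberos database (-1765328377)
"""


def diagnose_s4u2self(log_text):
    """Return details of the first S4U2Self failure in log_text, or None."""
    err = S4U2SELF_RE.search(log_text)
    if err is None:
        return None
    user, message, code = err.groups()
    name = RFC4120_NAMES.get(int(code) - KRB5_TABLE_BASE) if code else None
    account = ACCOUNT_RE.search(log_text)
    spn = None
    # In S4U2Self the service requests a ticket to itself, so the sname in the
    # TGS-REQ is the delegation account's own principal. "Server not found"
    # therefore points at that name, not at the backend HTTP/ SPN.
    if name == "KDC_ERR_S_PRINCIPAL_UNKNOWN" and account:
        spn = account.group(1).split("@", 1)[0]  # drop the realm
    return {"user": user, "message": message, "error": name, "spn_to_check": spn}


if __name__ == "__main__":
    result = diagnose_s4u2self(SAMPLE_LOG)
    print(result)
    if result and result["spn_to_check"]:
        # setspn -Q searches the directory for an SPN by name.
        print("verify on a domain member: setspn -Q " + result["spn_to_check"])
```
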

     

    •
      RecontuerSG_258
      Historic F5 Account

      Hello. I have met with this issue instead

       

      Kerberos: can't get S4U2Self ticket for user davis@GTSL.COM - Matching credential not found

       

      Any idea?

       

      Thanks!

       

    • KeesvandenBos
      MVP

      Does the user davis exist in your Kerberos database? (Kerberos needs the sAMAccountName.)

       

      Cheers,

       

      Kees

       

    •
      RecontuerSG_258
      Historic F5 Account

      Thank you for responding, Kees. Is the Kerberos database the same as the Active Directory database? Is a keytab file required? The Kerberos-F5 guide I am reading did not mention a keytab file, and I am using version 12.1.1 of LTM. "davis" is part of Active Directory.