Forum Discussion

Piotr_Lewandows
Feb 17, 2016

APM, Kerberos and SSO

Hi,

I was trying to set up SSO using the APM Cookbook: Single Sign On (SSO) using Kerberos article. I am using VE with 12.0.0HF1. I have an HTTPS VS with a one-member pool pointing to an IIS server (IIS is running on the same computer as AD).

My VS has IP 10.128.10.6; it resolves to intranet.f5demo.com (via DNS on AD), and a PTR record is defined as well.

My AD (and KDC) has IP 10.128.10.2; it resolves to ad.f5demo.com, and a PTR record is defined as well. On the F5 both dig elvis162.f5demo.com and dig -x 10.128.10.2 are resolving correctly (the DNS set on the F5 is the one running on AD - 10.128.10.2) - here I am getting two names, elvis162.f5demo.com and hostmaster.f5demo.com.

The target pool member in my IIS pool is 10.128.10.2 (IIS on the AD computer).

The delegation account in AD is set with the user logon name host/apm-kcd.f5demo.com and the pre-Windows 2000 logon name apm-kcd.

Delegation is set as in the screenshot below:

Everything works OK except that after authenticating via the APM logon page I get a Windows logon popup. Even if the credentials entered there are the same ones that work when connecting directly to IIS (on the AD computer using the elvis162.f5demo.com host) I can't authenticate. Of course the main issue is that this second logon should not show up at all - at least that is my understanding.

In the APM log (logging set to debug) the only error is:

Feb 17 12:30:11 bigip11 err websso.1[2037]: 014d0019:3: /Common/intranet.f5demo.com_sso_ap:Common:9ba7de8f: Kerberos: Failed to resolve IP address: ::ffff:10.128.10.2
Feb 17 12:30:11 bigip11 err websso.1[2037]: 014d0048:3: /Common/intranet.f5demo.com_sso_ap:Common:9ba7de8f: failure occurred when processing the work item

So what am I doing wrong here?

Piotr

7 Replies

  • OK, I was wrong about the correct PTR for elvis162.f5demo.com (AD). After fixing it, everything is working! I just wonder why, even when Access Policy Logging is set to Debug (via System ›› Logs : Configuration : Options), I have the same entries in /var/log/apm as when it was set to the default Notice. I expected the kind of logging presented in the mentioned article - much more detailed. Piotr
  • That log entry is likely an anomaly. It's trying to resolve the IPv6 address, but you've clearly resolved the v4 address since it's working.

  • Lucas_Thompson_
    Historic F5 Account
    websso is a separate log setting. There are sort of two SSOs in APM: ssov1 and v2. v1 is used in Forms (server-initiated) and HTTP (Basic, NTLMv1, NTLMv2). ssov2 is used in SAML, Kerberos, and Forms (client-initiated). In v12, APM switched to a completely different log mechanism for the *main* logs but not the SSO logs. It's kind of confusing, but documented in the APM Operations Guide v12 (make sure you check the newest version of it) and other places. Logs are set in the SSO object itself for some types, and in System => Logs => Options for other types. In later versions (12.1+), the SSO logs will be completely controlled in the SSO object itself for all types.
  • Hi, thanks for the info. I checked the mentioned guide (the latest covering v12) but can't find any more info on enabling more verbose logging for Kerberos SSO. The only other article I found is SOL11124: Configuring the BIG-IP APM system to log session variables. What do you mean by "Logs are set in the SSO object itself"? Could you give an example? Is the setting in Access Policy > Event Logs > Log Settings > given logging profile > Access System Logs different from the setting in System => Logs => Options? So to get a more verbose log for SSO I should change the SSO option (right pane) from the default Notice to Debug (for the default-log-setting profile used by my access profile)? Piotr
  • OK, I found the part about the logging changes in v12 - thanks for pointing it out. Piotr
  • I wonder why my logs (after setting Debug for SSO) do not contain entries similar to those listed in the article https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos. I am talking especially about all the entries with TGT. There is just nothing like that in my log. Does that mean that SSO is not working? Or do I have to set Debug for some other services in the APM log profile (right now Debug is only set for SSO)? Piotr
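The websso error in the original post ("Kerberos: Failed to resolve IP address: ::ffff:10.128.10.2") and the fix reported in the first reply both come down to the same check: the pool member's IP needs a PTR record, and the name that PTR returns must resolve forward to that same IP, because that name is what the service ticket request is built on. The script below is an added example written for this thread, not code from the thread, from F5 or from the APM Cookbook article. It strips the IPv4-mapped IPv6 form seen in the log, looks the address up in reverse, checks the forward record agrees, and reports the HTTP/<hostname> SPN form that IIS normally uses. The zone data is constructed to mirror the thread (the stale "dc-old.f5demo.com" PTR target is invented to show the failing case); the socket-based resolvers are for running the same check against a real DNS server such as the one on the AD host.

```python
"""Forward/reverse DNS consistency check for an APM Kerberos SSO pool member.

Added example for this thread. The resolver data below is constructed;
only the IPs and host names from the thread are real to the discussion.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Set

ForwardLookup = Callable[[str], Set[str]]
ReverseLookup = Callable[[str], Optional[str]]

# Constructed forward zone, modelled on the thread: VS name and AD/IIS host.
FORWARD_ZONE: Dict[str, str] = {
    "intranet.f5demo.com": "10.128.10.6",
    "ad.f5demo.com": "10.128.10.2",
    "elvis162.f5demo.com": "10.128.10.2",
}
# Constructed reverse zones: the broken one points 10.128.10.2 at a stale,
# hypothetical name with no forward record; the fixed one matches the thread.
REVERSE_BROKEN: Dict[str, str] = {"10.128.10.6": "intranet.f5demo.com",
                                  "10.128.10.2": "dc-old.f5demo.com"}
REVERSE_FIXED: Dict[str, str] = {"10.128.10.6": "intranet.f5demo.com",
                                 "10.128.10.2": "elvis162.f5demo.com"}


def normalize_ip(text: str) -> str:
    """Turn '::ffff:10.128.10.2' (as websso logs it) into '10.128.10.2'."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def dict_resolvers(forward: Dict[str, str], reverse: Dict[str, str]):
    """Offline resolvers over constructed zone data (case-insensitive names)."""
    fwd = {name.lower().rstrip("."): ip for name, ip in forward.items()}

    def forward_lookup(name: str) -> Set[str]:
        ip = fwd.get(name.lower().rstrip("."))
        return {ip} if ip else set()

    def reverse_lookup(ip: str) -> Optional[str]:
        return reverse.get(ip)

    return forward_lookup, reverse_lookup


def system_resolvers():
    """Resolvers that ask the host's configured DNS (e.g. the AD DNS server)."""

    def forward_lookup(name: str) -> Set[str]:
        try:
            return {info[4][0] for info in socket.getaddrinfo(name, None)}
        except socket.gaierror:
            return set()

    def reverse_lookup(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    return forward_lookup, reverse_lookup


def check_pool_member(ip_text: str, reverse_lookup: ReverseLookup,
                      forward_lookup: ForwardLookup, service: str = "HTTP") -> dict:
    """Report whether APM can derive a usable SPN for this pool member.

    ok is True only when IP -> PTR name -> A record round-trips to the same IP.
    """
    ip = normalize_ip(ip_text)
    ptr_name = reverse_lookup(ip)
    if ptr_name is None:
        return {"ip": ip, "ptr": None, "ok": False, "spn": None,
                "reason": f"no PTR record for {ip}; reverse lookup fails"}
    forward_ips = forward_lookup(ptr_name)
    if ip not in forward_ips:
        return {"ip": ip, "ptr": ptr_name, "ok": False, "spn": None,
                "reason": (f"PTR for {ip} is {ptr_name}, but that name resolves "
                           f"to {sorted(forward_ips) or 'nothing'}")}
    return {"ip": ip, "ptr": ptr_name, "ok": True,
            "spn": f"{service}/{ptr_name}", "reason": "forward and reverse agree"}


if __name__ == "__main__":
    for label, reverse_zone in (("broken", REVERSE_BROKEN), ("fixed", REVERSE_FIXED)):
        fwd, rev = dict_resolvers(FORWARD_ZONE, reverse_zone)
        print(label, check_pool_member("::ffff:10.128.10.2", rev, fwd))
```

To run it against live DNS, swap `dict_resolvers(...)` for `system_resolvers()` on a host whose resolver is the AD DNS server; `dig -x` and `dig` show the same two records by hand, the script just insists that they agree with each other, which is the condition the thread's fix restored.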