Forum Discussion

eric_haupt1
Oct 04, 2018

APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually

I'm running into this well known KCD SSO error. I have APM performing the necessary SSO variable definitions using LDAP queries which map certificate IDs (Domain userPrincipalName) to sAMAccountNames and then using the sAMAccountName within the KCD WebSSO profile within the access policy. The service account I am using of course has "use any auth protocol" and the appropriate HTTP/fqdn SPN hard coded to rule out reverse lookup issues for dynamic SPN creation by APM. What I am seeing is:

1. Upon first login with APM SSO, my service account SPN gets a TGT and then fails to get the HTTP/service ticket with the error "Requesting ticket can't get forwardable tickets (-1765328163)".

2. I kill the APM session and restart - now when I log in, I pull the ticket for the user, but IIS throws up a few 401s with a login prompt for three or so URIs. I "cancel" on each and then pass through to the web resource (200 OKs).

3. I kill the APM session and re-login - now I see APM debug grabbing the cached ticket and I seamlessly pass through to the desired web resource.

So basically it works... I just need to run through APM three times for everything to work seamlessly. The first time I cannot get a service ticket, the next time IIS doesn't accept the ticket I present, the last time everything is 200 OK and there are no issues.


Any ideas?
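The post describes the pieces a KCD setup depends on: the LDAP lookup that maps the certificate's userPrincipalName to a sAMAccountName, a service account with "use any authentication protocol" and an explicit HTTP/fqdn SPN, and an error code returned when the service ticket cannot be obtained. The following is an added example, not code from the post or from F5 APM, that reproduces that mapping and checks the delegation-related directory attributes offline against constructed sample entries; the domain names, account names and the constant names are assumptions made for the example.

```python
import re

# Standard Active Directory userAccountControl bits that govern Kerberos delegation.
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

# Error code quoted in the post (MIT krb5: "Requesting ticket can't get forwardable tickets").
KRB5_TKT_NOT_FORWARDABLE = -1765328163


def map_upn_to_sam(directory, upn):
    """Mimic the APM LDAP query: return the sAMAccountName whose userPrincipalName
    matches the certificate UPN (case-insensitive), or None when there is no match."""
    for entry in directory:
        if entry.get("userPrincipalName", "").lower() == upn.lower():
            return entry.get("sAMAccountName")
    return None


def check_kcd_prerequisites(svc, target_spn, user=None):
    """Return findings about the delegation setup; an empty list means the attributes
    look right. svc and user are LDAP-style attribute dicts (service account, end user)."""
    findings = []
    uac = int(svc.get("userAccountControl", 0))
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("service account lacks 'Use any authentication protocol'")
    allowed = {s.lower() for s in svc.get("msDS-AllowedToDelegateTo", [])}
    if target_spn.lower() not in allowed:
        findings.append(f"{target_spn} missing from msDS-AllowedToDelegateTo")
    # A user flagged as sensitive is never issued a forwardable ticket via S4U2Proxy.
    if user is not None and int(user.get("userAccountControl", 0)) & NOT_DELEGATED:
        findings.append(f"{user.get('sAMAccountName')} is marked 'cannot be delegated'")
    return findings


def classify_log_line(line):
    """Tag a debug line as 'not_forwardable' when it carries the post's error code."""
    m = re.search(r"\((-?\d+)\)", line)
    if m and int(m.group(1)) == KRB5_TKT_NOT_FORWARDABLE:
        return "not_forwardable"
    return None


# Constructed sample directory entries, not data from any real domain.
DIRECTORY = [
    {"userPrincipalName": "jdoe@example.local", "sAMAccountName": "jdoe", "userAccountControl": 512},
    {"userPrincipalName": "svc-apm@example.local", "sAMAccountName": "svc-apm",
     "userAccountControl": 512 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/apm.example.local"],
     "msDS-AllowedToDelegateTo": ["HTTP/iis.example.local"]},
]
```

Run `check_kcd_prerequisites(DIRECTORY[1], "HTTP/iis.example.local", DIRECTORY[0])` against attribute dicts pulled from a real search to see which prerequisite is missing before digging into the ticket exchange itself.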


23 Replies