Forum Discussion

FI_2016_187929's avatar
FI_2016_187929
Icon for Nimbostratus rankNimbostratus
Feb 14, 2017

SSO Using Kerberos Contrained Delegation for Multiple Domains

We are utilizing a SSO Kerberos Configuration to access a few of our applications in our domain (Domain1). Domain1 is a child domain and is configured as the Kerberos Realm in the SSO Kerberos configuration. The account name used in the configuration is also a member of Domain1. This is working for Domain1 clients with no issues. We want to give a different child domain (Domain2) access to these applications. Domain2 is in the same forest as Domain1 and has two way trust. The F5 can reach both domains and resolve in DNS. Clients from Domain2 are not able to get a Kerberos ticket. The following errors show in the APM log. Kerberos: Failed to get ticket for user test@Domain2.com and failure occurred when processing the work item

 

Is it even possible to have clients from another child domain get a ticket using an F5 in another domain? Also, is there any way to get more detailed logs on why Domain2 cannot get Keberos ticket. I have the log level set to debug set for Access Policy and SSO.

 

  • Hi,

    We use also APM with Kerberos Contrained Delegation for multiple domains with a transitiv trust. We just added 2 lines under [libdefaults] to the krb5.conf, DNS did the rest to get it working 🙂

     dns_lookup_realm = true
     dns_lookup_kdc = true
    
  • Just an update, I was able get multiple domains working. I needed to manually add the Domain2 realm to the krb5.conf file. I am not sure if that is the correct way to configure, but it did allow Domain2 client to get a Kerberos ticket and access to the Domain1 application.