Kerberos Constrained Delegation (KCD) fails in Win2012R2

  • 7022060
  • 11-Oct-2017
  • 11-Oct-2017

Environment

Access Manager 4.3
Access Manager 4.2
Access Manager 4.4
Access Gateway on Windows 2012 R2

Situation

Access Manager 4.0.2 was set up with a Linux-based Identity Server and Administration Console, and with the Access Gateway on Win2008R2 in order to use the KCD functionality needed for single sign-on (SSO) to back-end web servers with a Kerberos token. Everything worked fine, and users could SSO using Identity Injection to inject the Kerberos token.

After upgrading the Access Manager environment to 4.2.1 on Win2012R2, users failed to authenticate to back-end web servers using Identity Injection.

The AG error_log includes the following information when the SSO failure happens; note the "A specified authentication package is unknown" error:

[Thu May 26 11:52:16 2016] [debug] policy.cpp(1405): kerberos II Parameters :jacarda:NETIQDOMAIN.GLOBAL:prpc.netiq.com
[Thu May 26 11:52:16 2016] [info] AM#504602303 AMDEVICEID#ag-6165262251268374: AMAUTHID#EB4C08BE525F672623E9DB20A5022081: AMEVENTID#10: Received II Eval - kerb ticket: jacar , time out -1
[Thu May 26 11:52:16 2016] [debug] AGFilterPolicy.cpp(27): AMEVENTID#10: CFilter AgFilterPolicy Initialized, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [debug] AGRegexAutoFilter.cpp(31): AMEVENTID#10: CFilter AgRegexAuto Compare Initialized, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [debug] AGRegexAutoFilter.cpp(42): AMEVENTID#10: CFilter AgRegexAuto No extension Matched the Uri, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [debug] AGFilterPolicy.cpp(33): AMEVENTID#10: CFilter AgFilterPolicy match returned false, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [debug] AGFilterPolicy.cpp(38): AMEVENTID#10: CFilter AgFilterPolicy no match found, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [debug] mod_proxy_ajp.c(687): proxy: got response from 127.0.0.1:9009 (127.0.0.1)
[Thu May 26 11:52:16 2016] [debug] proxy_util.c(2066): proxy: AJP: has released connection for (127.0.0.1)
[Thu May 26 11:52:16 2016] [debug] KerbCredManager.cpp(122): AMEVENTID#10: cred handle doesn't exists for session id in cred manager: 010003000af00bcf7aaa3887a462dfadedab60d4..aquiring, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [error] A specified authentication package is unknown.\r\n
[Thu May 26 11:52:16 2016] [error] A specified authentication package is unknown.\r\n

[Thu May 26 11:52:16 2016] [error] AMEVENTID#10: get_credentials() has failed for session id: 010003000af00bcf7aaa3887a462dfadedab60d4, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [info] AM#504602300 AMDEVICEID#ag-6165262251268374: AMAUTHID#EB4C08BE525F672623E9DB20A5022081: AMEVENTID#10: Injecting kerb auth header is failed..still sending the request to server? ..username: jacarda, domainName:NETIQDOMAIN.GLOBAL

The Identity Injection policy resolves the values correctly (user, domain and target host): kerberos II Parameters :jacarda:NETIQDOMAIN.GLOBAL:prpc.netiq.com

The LAN traces of the Kerberos traffic (TCP/UDP port 88) and the catalina logs show that the AG does go out to the KDC and retrieves the TGS.

However, when the browser tries to connect to the back-end web server that runs a CRM with Kerberos authentication, the following message is displayed in the AG log:

"Injecting kerb auth header is failed"
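The sequence above (Identity Injection resolves the user, domain and target; the credential manager has no handle for the session; "A specified authentication package is unknown" is logged; get_credentials() fails; the header injection fails) is what an administrator needs to pick out of a busy error_log. The script below is an added example, not part of this article or of Access Manager: it walks AG error_log text in order, ties each failed injection to the most recent "kerberos II Parameters" line, and flags whether the "authentication package is unknown" marker occurred in between, which is the symptom described here. The log lines embedded in it are constructed from the patterns in the article (a second, hypothetical event 11 for user bsmith is added purely to show a failure without that marker); the function and field names are the example's own.

```python
import re

# Constructed sample of AG error_log lines, following the patterns quoted in the article.
# Event 11 (user bsmith) is invented here to show an injection failure that does NOT carry
# the "authentication package is unknown" marker.
SAMPLE_LOG = r"""
[Thu May 26 11:52:16 2016] [debug] policy.cpp(1405): kerberos II Parameters :jacarda:NETIQDOMAIN.GLOBAL:prpc.netiq.com
[Thu May 26 11:52:16 2016] [info] AM#504602303 AMDEVICEID#ag-6165262251268374: AMAUTHID#EB4C08BE525F672623E9DB20A5022081: AMEVENTID#10: Received II Eval - kerb ticket: jacar , time out -1
[Thu May 26 11:52:16 2016] [debug] KerbCredManager.cpp(122): AMEVENTID#10: cred handle doesn't exists for session id in cred manager: 010003000af00bcf7aaa3887a462dfadedab60d4..aquiring, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [error] A specified authentication package is unknown.\r\n
[Thu May 26 11:52:16 2016] [error] A specified authentication package is unknown.\r\n
[Thu May 26 11:52:16 2016] [error] AMEVENTID#10: get_credentials() has failed for session id: 010003000af00bcf7aaa3887a462dfadedab60d4, referer: https://iamlogin.netiq.com/nidp/idff/sso?sid=0&sid=0
[Thu May 26 11:52:16 2016] [info] AM#504602300 AMDEVICEID#ag-6165262251268374: AMAUTHID#EB4C08BE525F672623E9DB20A5022081: AMEVENTID#10: Injecting kerb auth header is failed..still sending the request to server? ..username: jacarda, domainName:NETIQDOMAIN.GLOBAL
[Thu May 26 11:53:02 2016] [debug] policy.cpp(1405): kerberos II Parameters :bsmith:NETIQDOMAIN.GLOBAL:prpc.netiq.com
[Thu May 26 11:53:02 2016] [info] AM#504602300 AMDEVICEID#ag-6165262251268374: AMAUTHID#0000000000000000000000000000000000000000: AMEVENTID#11: Injecting kerb auth header is failed..still sending the request to server? ..username: bsmith, domainName:NETIQDOMAIN.GLOBAL
"""

# Patterns taken from the log format shown in the article.
KERB_PARAMS = re.compile(r"kerberos II Parameters :([^:]+):([^:]+):(\S+)")
EVENT_ID = re.compile(r"AMEVENTID#(\d+):")
SESSION_ID = re.compile(r"session id: ([0-9a-f]+)")
PKG_UNKNOWN = "A specified authentication package is unknown"
GET_CRED_FAILED = "get_credentials() has failed"
INJECT_FAILED = "Injecting kerb auth header is failed"


def find_kcd_failures(log_text):
    """Return one record per AMEVENTID whose Kerberos Identity Injection failed.

    The log is read in order: a 'kerberos II Parameters' line opens a new attempt,
    and any 'authentication package is unknown' error seen before the next
    failure line is attributed to that attempt.
    """
    pending = None          # user/domain/target from the last II Parameters line
    pkg_unknown_seen = False
    failures = {}           # AMEVENTID -> record
    order = []              # AMEVENTIDs in first-seen order

    for line in log_text.splitlines():
        m = KERB_PARAMS.search(line)
        if m:
            pending = {"user": m.group(1), "domain": m.group(2), "target": m.group(3)}
            pkg_unknown_seen = False
            continue
        if PKG_UNKNOWN in line:
            # This line carries no AMEVENTID, so remember it for the next failure line.
            pkg_unknown_seen = True
            continue
        ev = EVENT_ID.search(line)
        if not ev or not (GET_CRED_FAILED in line or INJECT_FAILED in line):
            continue
        event_id = int(ev.group(1))
        rec = failures.get(event_id)
        if rec is None:
            rec = {"event_id": event_id, "session_id": None, "auth_package_unknown": False,
                   "user": None, "domain": None, "target": None}
            if pending:
                rec.update(pending)
            failures[event_id] = rec
            order.append(event_id)
        s = SESSION_ID.search(line)
        if s:
            rec["session_id"] = s.group(1)
        rec["auth_package_unknown"] = rec["auth_package_unknown"] or pkg_unknown_seen
    return [failures[e] for e in order]


def summarize(rec):
    """One-line triage summary for a failure record."""
    marker = ("KDC ticket retrieval failed ('authentication package is unknown')"
              if rec["auth_package_unknown"] else "no 'authentication package' error logged")
    return (f"AMEVENTID#{rec['event_id']}: II for {rec['user']}@{rec['domain']} -> "
            f"{rec['target']} failed; session {rec['session_id']}; {marker}")


if __name__ == "__main__":
    for record in find_kcd_failures(SAMPLE_LOG):
        print(summarize(record))
```

Running it prints one summary per failed event; the first shows the exact pattern from this article (user jacarda, target prpc.netiq.com, session 010003000af00bcf7aaa3887a462dfadedab60d4, with the "authentication package is unknown" marker), while the constructed second event shows that the marker, not the injection failure alone, is what distinguishes this symptom.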

Resolution

Will not fix. Changes were made to the KCD service in Win2k12 (https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/) that prevent the Access Gateway from retrieving the required ticket to inject.