How to Troubleshoot ESP SAML Authentication issues using the SSOMGR Debug traces
Scope
This article highlights the steps required for a successful Edge Security Pack (ESP) Security Assertion Markup Language (SAML) connection and how to troubleshoot the connection.
This process involves:
- The LoadMaster builds SAML Request and redirects Client to the IdP server.
- The LoadMaster receives a SAML Response and verifies SAML Assertion/Token.
- The LoadMaster requests a Kerberos ticket on behalf of the user from Kerberos Server/Active Directory.
Note: This article doesn't explain how to configure SAML with Kerberos. For configuration guidance, please see the following Documents:
To collect the logging data, enable the verbose ESP logging by navigating to:
Logging Options > System Log Files > Debug Options > SSOMGR Debug Traces.
To view the log data, navigate to:
Logging Options > System Log Files > System Message File.
For firmware older than 7.2.41, navigate to:
Logging Options > Extended Log Files > SSO MGR Audit Logs > SSO MGR > View.
1. Generating SAML Request ID and IssueInstant
In the example below, a client has requested the URL sharepoint.kemptest.com. The LoadMaster generates a unique ID for the SAML AuthnRequest and an IssueInstant, the SAML attribute that records the date and time at which the message was issued.
Feb 8 11:45:15 KEMP_1 ssomgr: url https://sharepoint.kemptest.com/ 32
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>generate_ID: Generate ID for SAML AuthnReq
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# generate_random_sequence: sequence [a456f1c7-9fe8-4566-8952-f04f5d2b7285]
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<generate_ID: ID string generated [_a456f1c7-9fe8-4566-8952-f04f5d2b7285]
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>build_saml_auth_req: Start processing to build AuthnReq for SAML
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>generate_IssueInstant: Generate IssueInstant for SAML Req
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<generate_IssueInstant: IssueInstant generated [2018-02-08T11:45:15Z]
2. Building SAML Authentication Request
A SAML authentication request is generated, encoded, and returned to the client where they are redirected to their SAML identity provider (IDP). In this scenario, the SAML IDP is adfs.kemptest.com.
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# build_saml_auth_req: AuthnReq XML string:[<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a456f1c7-9fe8-4566-8952-f04f5d2b7285" Version="2.0" IssueInstant="2018-02-08T11:45:15Z"
Destination="https://adfs.kemptest.com/adfs/ls/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> <saml:Issuer>https://kempesp</saml:Issuer> </samlp:AuthnRequest>]
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>encode_saml_req: Start SAML AuthnReq Request encoding...
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# encode_saml_req: Encoded blob:fZBPa8MwDMW%2FivHd%2BUfcpiIJdPSwwsbCGnboZbiJs4bFdhYpsI8%2FN92gu%2FSo9%2FST9JSjMsMI25nO9lV%2FzRqJfZvBIixGwefJglPYI1hlNAI1cNg%2BP0ESRDBOjlzjBn6D3CcUop6od5az%2Fa7g7yqVqy5u1mLT6Uz4YiWyjUxEF6WdbJPTOskkZ296Qs8U3I%2FwIOKs9xZJWfJSFGciSkSU1XEMqYRYHjnb%2BRy9VbRQZ6IRIQxV22Hwqc1I3g0aZxYlHDDkrPqN8tDbtrcf91Ocrk0Ij3VdierlUPOSsfwSH5brpvJv52WdxjEPb012Lf%2B%2FvfwB
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<encode_saml_req: Finished AuthnReq Request encoding
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# build_saml_auth_req: AuthnReq Location redirection with encoded blob length[395], data[https://adfs.kemptest.com/adfs/ls/?SAMLRequest=fZBPa8MwDMW%2FivHd%2BUfcpiIJdPSwwsbCGnboZbiJs4bFdhYpsI8%2FN92gu%2FSo9%2FST9JSjMsMI25nO9lV%2FzRqJfZvBIixGwefJglPYI1hlNAI1cNg%2BP0ESRDBOjlzjBn6D3CcUop6od5az%2Fa7g7yqVqy5u1mLT6Uz4YiWyjUxEF6WdbJPTOskkZ296Qs8U3I%2FwIOKs9xZJWfJSFGciSkSU1XEMqYRYHjnb%2BRy9VbRQZ6IRIQxV22Hwqc1I3g0aZxYlHDDkrPqN8tDbtrcf91Ocrk0Ij3VdierlUPOSsfwSH5brpvJv52WdxjEPb012Lf%2B%2FvfwB]
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<build_saml_auth_req: Finished SAML AuthnReq build processing : rc=[0]
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>get_domain
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# >>>get_domain_from_user
3. SAML Response Encoded
Once the client has authenticated against their IDP, they receive a SAML assertion which they will provide to the LoadMaster in a SAML response. The SAML response is encoded.
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post called e->operation(6)
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post url 'https://sharepoint.kemptest.com/'
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post data 'SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfYjZhOTM0YzgtODg4MC00OWJhLWE1YzgtMjllZDIxMWEwM2JiIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxOC0wMi0wOFQxMTo0NjozMi41MDNaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaGFyZXBvaW50LmtlbXB0ZXN0LmNvbSIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iX2E0NTZmMWM3LTlmZTgtNDU2Ni04OTUyLWYwNGY1ZDJiNzI4NSIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BaHR0cDovL2FkZnMua2VtcHRlc3QuY29tL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiIC8%2BPC9zYW1scDpTdGF0dXM%2BPEFzc2VydGlvbiBJRD0iX2JlNzM2MzVhLTJjYjUtNGEzMS05YWRiLTllMzI5OTQxN2U4NyIgSXNzdWVJbnN0YW50PSIyMDE4LTAyLTA4VDExOjQ2OjMyLjUwMloiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxJc3N1ZXI%2BaHR0cDovL2FkZnMua2VtcHRlc3QuY29tL2F
Feb 8 11:45:17 KEMP_1 ssomgr: find_user_by_cookie(277eb5d039c71ff0dcae20c0938f0fbb)
Feb 8 11:45:17 KEMP_1 ssomgr: >>find_user_by_cookie(): ts: 1518090315 [age=2] type: 6 user: samAccName: host: domain: SAML.KEMPTEST.COM cookie: 277eb5d039c71ff0dcae20c0938f0fbb failed_auths: 0 lockout: 0 tout: type:900[1]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>get_domain
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>get_domain_from_user
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# get_domain_from_user: no domain to extract from []
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# get_domain: client domain not provided, proceed with default domain [SAML.KEMPTEST.COM] for VS[134]
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post: we have a post and valid cookie '277eb5d039c71ff0dcae20c0938f0fbb'
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post: state 1
Feb 8 11:45:17 KEMP_1 ssomgr: saml_post: cert_file /one4net/3rdcerts/SAMLTokenSign.pem
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>decode_saml_resp: Start SAML Response decoding - data length:5413, start of data:SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfYjZhOTM0YzgtODg4MC00OWJhLWE1YzgtMjllZDIxMWEwM2JiIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxOC0wMi0wOFQxMTo0NjozMi41MDNaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaGFyZXB
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# decode_saml_resp: Blob URI un-escaped to base64 - data length:5360, b64_zre:0x6bf670
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# decode_saml_resp: Base64Decode: len=4020
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>parseXmlMemory: Start parsing the SAML Resp XML
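The encoding steps logged in steps 2 and 3 can be reproduced offline. The following is an added Python example (not LoadMaster code): it encodes an AuthnRequest the way the redirect binding does (deflate, base64, URL-escape), decodes a POSTed SAMLResponse the way decode_saml_resp logs it (URI un-escape, then base64-decode), and applies the verify_IDs check; the XML samples are constructed from the values in the trace.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Constructed sample AuthnRequest, modelled on the one in the trace above (step 2).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a456f1c7-9fe8-4566-8952-f04f5d2b7285" Version="2.0" '
    'IssueInstant="2018-02-08T11:45:15Z" Destination="https://adfs.kemptest.com/adfs/ls/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://kempesp</saml:Issuer></samlp:AuthnRequest>'
)
# Constructed minimal Response carrying the InResponseTo the IdP must echo back (steps 3 and 4).
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_b6a934c8-8880-49ba-a5c8-29ed211a03bb" Version="2.0" '
    'InResponseTo="_a456f1c7-9fe8-4566-8952-f04f5d2b7285" />'
)

def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding as in encode_saml_req: raw DEFLATE, base64, URL-escape."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")

def decode_redirect_request(blob: str) -> str:
    """Reverse of the above: what the IdP does with the ?SAMLRequest= value."""
    return zlib.decompress(base64.b64decode(unquote(blob)), -15).decode()

def encode_post_response(xml: str) -> str:
    """HTTP-POST binding body: SAMLResponse=<URL-escaped base64>, no deflate step."""
    return "SAMLResponse=" + quote(base64.b64encode(xml.encode()).decode(), safe="")

def decode_post_response(post_body: str) -> str:
    """The decode_saml_resp steps: pick the field, URI-unescape, then base64-decode."""
    fields = dict(f.split("=", 1) for f in post_body.split("&"))
    # unquote (not parse_qs) so a literal '+' in the base64 is not turned into a space
    return base64.b64decode(unquote(fields["SAMLResponse"])).decode()

def ids_match(request_xml: str, response_xml: str) -> bool:
    """The verify_IDs check: the Response's InResponseTo must equal the AuthnRequest ID."""
    req_id = ET.fromstring(request_xml).attrib["ID"]
    return ET.fromstring(response_xml).attrib.get("InResponseTo") == req_id

if __name__ == "__main__":
    url = "https://adfs.kemptest.com/adfs/ls/?SAMLRequest=" + encode_redirect_request(AUTHN_REQUEST)
    print(url)
    print(decode_redirect_request(url.split("SAMLRequest=", 1)[1]))
```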
4. SAML Response Decoded
Once the SAML response is decoded, the trace prints the attributes of the Response and Assertion elements (ID, IssueInstant, Destination, InResponseTo, Issuer) so you can check them against the request; for example, InResponseTo must match the AuthnRequest ID generated in step 1.
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# parseXmlMemory: SAML Resp XML: [4020][<samlp:Response ID="_b6a934c8-8880-49ba-a5c8-29ed211a03bb"
Version="2.0"
IssueInstant="2018-02-08T11:46:32.503Z" Destination="https://sharepoint.kemptest.com" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_a456f1c7-9fe8-4566-8952-f04f5d2b7285" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.kemptest.com/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_be73635a-2cb5-4a31-9adb-9e3299417e87" IssueInstant="2018-02-08T11:46:32.502Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://adfs.kemptest.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>processNode: Start node processing
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode:*** Processing node name[Response]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode: **** matched nodePtr->name[Response]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode: **** ID:_b6a934c8-8880-49ba-a5c8-29ed211a03bb, Version:2.0, IssueInstant:2018-02-08T11:46:32.503Z, Destination:https://sharepoint.kemptest.com, InResponseTo:_a456f1c7-9fe8-4566-8952-f04f5d2b7285
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<processNode: Finished node processing
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>processNode: Start node processing
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode:*** Processing node name[Issuer]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode:**** matched nodePtr->name[Issuer]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# processNode:**** Issuer:http://adfs.kemptest.com/adfs/services/trust
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# parseXmlMemory: Found Signature Node within Assertion Node
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<parseXmlMemory: Finished parsing the XML: rc[0]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>print_saml_resp: Print the contents of the SAML Response data...
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# print_saml_resp: ID:_b6a934c8-8880-49ba-a5c8-29ed211a03bb Version:2.0 IssueInstant:2018-02-08T11:46:32.503Z Destination:https://sharepoint.kemptest.com InResponseTo:_a456f1c7-9fe8-4566-8952-f04f5d2b7285 SCD_InResponseTo:_a456f1c7-9fe8-4566-8952-f04f5d2b7285 SCD_NotOnOrAfter:2018-02-08T11:51:32.503Z StatusCodeValue:urn:oasis:names:tc:SAML:2.0:status:Success AS_SessionIndex:_be73635a-2cb5-4a31-9adb-9e3299417e87 AS_AuthnInstant:2018-02-08T11:46:32.408Z AS_SessionNotOnOrAfter: UID:Admin UPN:admin@kemptest.com EMAIL: Signature: <ds:Signature xml
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<print_saml_resp: Finished printing the contents of the SAML Response data
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<decode_saml_resp: Finished SAML Response decoding
Feb 8 11:45:17 KEMP_1 ssomgr: auth_saml_post: SAML Response decode passed...proceed with SAML Response verification
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_saml_resp: Start SAML Response verification...
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_Assertion: Start SAML Response Assertion verification...
5. Verify Signature Signing Certificate
The SAML token or assertion signing certificate configured under Virtual Services > Manage SSO must be the trusted root certificate. The certificate configured on the IDP can be either the root certificate or a certificate created using the root certificate. Depending on which certificate is configured on the IDP, you can enable or disable IdP Certificate Match.
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Signature: Start Signature verification
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_signature_node_by_cert: Start Signature node processing, cert_file[/one4net/3rdcerts/SAMLTokenSign.pem]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_signature_node_by_cert: Success - Signature is OK
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_signature_node_by_cert: Completed Signature Node verification rc[0]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Signature: End Signature verification: rc[0]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_Assertion_SCD_NOOA: Start SAML Response Assertion SCD NOOA verification...
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# verify_Assertion_SCD_NOOA: Assertion SCD NotOnOrAfter = [2018-02-08T11:51:32.503Z][1518090692]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Assertion_SCD_NOOA: Assertion SCD NotOnOrAfter is OK
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Assertion: Finished SAML Response Assertion verification...
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_IDs: input parameters [_a456f1c7-9fe8-4566-8952-f04f5d2b7285][_a456f1c7-9fe8-4566-8952-f04f5d2b7285][_a456f1c7-9fe8-4566-8952-f04f5d2b7285]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_IDs: Success - all IDs match up
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_Issuer: Correlate IDP Entity IDs, Response[http://adfs.kemptest.com/adfs/services/trust], Domain[http://adfs.kemptest.com/adfs/services/trust]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Issuer: Success - SAML Response from expected Entity ID[http://adfs.kemptest.com/adfs/services/trust]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# >>>verify_Status: input parameter [urn:oasis:names:tc:SAML:2.0:status:Success]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Status: Success - StatusCode Value is Success
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_saml_resp: Finished SAML Response verification - All OK
Feb 8 11:45:17 KEMP_1 ssomgr: auth_saml_post: SAML Response verified! - redirect to https://sharepoint.kemptest.com/
6. Extracted User
In the example below, you can see the user that will be used to request a Kerberos ticket for the backend SharePoint server.
Feb 8 11:45:17 KEMP_1 ssomgr: >>add_user(): ts: 1518090315 [age=2] type: 6 user: admin@kemptest.com samAccName: host: 10.0.30.40 domain: SAML.KEMPTEST.COM cookie: 277eb5d039c71ff0dcae20c0938f0fbb failed_auths: 0 lockout: 0 tout: type:900[1]
Feb 8 11:45:17 KEMP_1 ssomgr: -> htab_add(key=admin@kemptest.com@10.0.30.40)
Feb 8 11:45:17 KEMP_1 ssomgr: -> htab_add(cookie=277eb5d039c71ff0dcae20c0938f0fbb)
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<map_user: User credential to be used[admin@kemptest.com]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# update_saml_record: Keeping SessionIndex [_be73635a-2cb5-4a31-9adb-9e3299417e87] in user record
om samAccName: host: 10.0.30.40 domain: SAML.KEMPTEST.COM cookie: 277eb5d039c71ff0dcae20c0938f0fbb failed_auths: 0 lockout: 0 tout: type:900[1]
7. Kerberos
Once you have successfully authenticated using SAML, the LoadMaster attempts to retrieve a Kerberos ticket for the backend server.
Reverse DNS Lookup
The LoadMaster performs a reverse Domain Name System (DNS) lookup on the IP address of the destination server, and the hostname returned by DNS is used to form the Service Principal Name (SPN).
In the example below, the IP address is 10.110.30.5 and the hostname is sharepoint1.kemptest.com. Therefore, the SPN becomes: http/sharepoint1.kemptest.com@KEMPTEST.COM.
Feb 14 09:36:21 lb100 ssomgr: #32301# baseUserName: basename=|admin|
Feb 14 09:36:21 lb100 ssomgr: #32301# >>> kcd_get_user_ticket
Feb 14 09:36:21 lb100 ssomgr: #32301# >>>resolve_destination_address: Attempt to resolve destination [10.110.30.5][2]
Feb 14 09:36:21 lb100 ssomgr: #32301# <<<resolve_destination_address: Resolved destination host name [exchange2013.kemptest.com]
Feb 14 09:36:21 lb100 ssomgr: #32301# kcd_get_user_ticket: user=[admin@kemptest.com] [basename=[admin]
Feb 14 09:36:21 lb100 ssomgr: #32301# kcd_get_user_ticket: Destination name=[http/sharepoint1.kemptest@KEMPTEST.com]
Feb 14 09:36:21 lb100 ssomgr: #32301# kcd_get_user_ticket: kcd_ticket:0x7fde4f1f2ef0 [65536/65536]
Feb 14 09:36:21 lb100 ssomgr: #32301# >>> get_impersonator_cred_handle
Feb 14 09:36:21 lb100 ssomgr: #32301# >>> get_impersonator_cred_handle - handle=0x7fde300008c0
8. Contact Kerberos Server
In the example below, the LoadMaster attempts to retrieve a ticket on behalf of the user Admin, using the Delegated name (kempkcd) configured in the server-side configuration.
Feb 14 09:36:21 lb100 ssomgr: #32301# kcd_get_user_ticket: Get a ticket on behalf of user admin
Feb 14 09:36:21 lb100 ssomgr: #32290# kcd_get_user_ticket: Credentials aquired
Feb 14 09:36:21 lb100 ssomgr: #32290# init_accept_sec_context(): Target name: [kempkcd@kemptest.com]
Feb 14 09:36:21 lb100 ssomgr: #32290# Target mech: [{ 1 3 6 1 5 5 2 }]
Feb 14 09:36:21 lb100 ssomgr: #32290# init_accept_sec_context(): Source name: [admin@KEMPTEST.COM]
Feb 14 09:36:21 lb100 ssomgr: #32290# init_accept_sec_context(): Source mech: [{ 1 2 840 113554 1 2 2 }]
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac: Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac:logon-info Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac:client-info Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac:upn-dns-info Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac:server-checksum Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Attribute urn:mspac:privsvr-checksum Authenticated Complete
Feb 14 09:36:21 lb100 ssomgr: #32290# Proxy name: [kempkcd@KEMPTEST.COM]
Feb 14 09:36:21 lb100 ssomgr: #32290# Target name: [http/sharepoint.kemptest.com@KEMPTEST.COM]
Feb 14 09:36:21 lb100 ssomgr: #32290# Delegated name: [admin@kemptest.COM]
Feb 14 09:36:21 lb100 ssomgr: #32290# Delegated mech: [{ 1 2 840 113554 1 2 2 }]
Feb 14 09:36:21 lb100 ssomgr: #32290# encode_ticket: sz=2060 ticket=0x7fde4f255ef0 len=65536 buf_sz=65536
9. Successfully Retrieved Kerberos Ticket
If successful, you should see the Negotiate authorization header followed by a long base64 string, which is the encoded Kerberos ticket.
Feb 14 09:36:21 lb100 ssomgr: #32290# <<< kcd_get_user_ticket - ret=0
Feb 14 09:36:21 lb100 ssomgr: #32290# kcd_reauth_thread: status and cookie are both OK
Feb 14 09:36:21 lb100 ssomgr: #32290# kcd_reauth_thread: up->kcd_data[Negotiate <base64 ticket omitted>]
Feb 14 09:36:21 lb100 ssomgr: #32290# >>> release_sso_conf(0x6b52b0), calling function(kcd_reauth_thread)
If you receive the error message shown in the example below, ensure that the delegated account is configured correctly. Also ensure that you add the server name under the Delegated tab and not, for example, the name of your SharePoint site.
Feb 14 09:36 lb100 ssomgr: #57508# kinit_domain: Getting credentials for kempkcd@kemptest.com
Feb 14 09:36 lb100 ssomgr: kinit_domain: Could not initialize credentials: error -1765328360
The same checks apply if you receive the error message shown in the example below.
Feb 14 09:36 lb100 ssomgr: #24663# gss_init_sec_context: Unspecified GSS failure. Minor code may provide more information
Feb 14 09:36 lb100 ssomgr: #24663# gss_init_sec_context: KDC can't fulfill requested option
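To find these checkpoints quickly in a long trace, here is an added Python helper (not Kemp code) that scans SSOMGR lines for the steps above (AuthnRequest ID, InResponseTo, StatusCode, signature rc, the verify_saml_resp "All OK" line, the kcd_get_user_ticket return code and the kinit/GSS errors) and lists which one failed; the sample traces are constructed from the excerpts in this article.

```python
import re

# Constructed sample traces shaped like the excerpts in this article (abridged, one line per checkpoint).
GOOD_TRACE = """\
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<generate_ID: ID string generated [_a456f1c7-9fe8-4566-8952-f04f5d2b7285]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# print_saml_resp: ID:_b6a934c8 InResponseTo:_a456f1c7-9fe8-4566-8952-f04f5d2b7285 SCD_InResponseTo:_a456f1c7-9fe8-4566-8952-f04f5d2b7285 StatusCodeValue:urn:oasis:names:tc:SAML:2.0:status:Success UID:Admin
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_Signature: End Signature verification: rc[0]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# <<<verify_saml_resp: Finished SAML Response verification - All OK
Feb 14 09:36:21 lb100 ssomgr: #32290# <<< kcd_get_user_ticket - ret=0
"""
BAD_TRACE = """\
Feb 8 11:45:15 KEMP_1 ssomgr: #2393# <<<generate_ID: ID string generated [_a456f1c7-9fe8-4566-8952-f04f5d2b7285]
Feb 8 11:45:17 KEMP_1 ssomgr: #2393# print_saml_resp: ID:_b6a934c8 InResponseTo:_stale-request-id StatusCodeValue:urn:oasis:names:tc:SAML:2.0:status:Success UID:Admin
Feb 14 09:36 lb100 ssomgr: #57508# kinit_domain: Getting credentials for kempkcd@kemptest.com
Feb 14 09:36 lb100 ssomgr: kinit_domain: Could not initialize credentials: error -1765328360
Feb 14 09:36 lb100 ssomgr: #24663# gss_init_sec_context: KDC can't fulfill requested option
"""

# One regex per checkpoint; group 1 (if any) is the value worth keeping.
CHECKPOINTS = {
    "request_id":     re.compile(r"generate_ID: ID string generated \[([^\]]+)\]"),
    "in_response_to": re.compile(r"print_saml_resp: .*?\bInResponseTo:(\S+)"),  # \b skips SCD_InResponseTo
    "status":         re.compile(r"StatusCodeValue:(\S+)"),
    "signature_rc":   re.compile(r"verify_Signature: End Signature verification: rc\[(-?\d+)\]"),
    "verify_all_ok":  re.compile(r"verify_saml_resp: Finished SAML Response verification - All OK"),
    "kcd_ret":        re.compile(r"kcd_get_user_ticket - ret=(-?\d+)"),
}
# Kerberos-side failures shown in this article; the whole matched text is reported verbatim.
ERRORS = [
    re.compile(r"kinit_domain: Could not initialize credentials: error -?\d+"),
    re.compile(r"gss_init_sec_context: .+$"),
]

def triage(trace: str) -> dict:
    """Scan the trace once and collect checkpoint values plus any error lines."""
    found = {"errors": []}
    for line in trace.splitlines():
        for key, rx in CHECKPOINTS.items():
            m = rx.search(line)
            if m:
                found[key] = m.group(1) if m.groups() else True
        found["errors"] += [rx.search(line).group(0) for rx in ERRORS if rx.search(line)]
    return found

def problems(found: dict) -> list:
    """Turn the collected checkpoints into the list of things to fix, in flow order."""
    issues = []
    rid = found.get("request_id")
    if rid is None:
        issues.append("no AuthnRequest ID generated: the SAML flow never started (step 1)")
    elif found.get("in_response_to") != rid:
        issues.append("InResponseTo [%s] != AuthnRequest ID [%s]: verify_IDs fails" % (found.get("in_response_to"), rid))
    if not found.get("status", ":Success").endswith(":Success"):
        issues.append("IdP returned StatusCode %s" % found["status"])
    if found.get("signature_rc", "0") != "0":
        issues.append("signature verification rc[%s]: check the signing certificate under Manage SSO" % found["signature_rc"])
    if found.get("verify_all_ok") is not True:
        issues.append("verify_saml_resp never reported 'All OK'")
    if found.get("kcd_ret") != "0":
        issues.append("no Kerberos ticket retrieved (kcd_get_user_ticket ret=%s)" % found.get("kcd_ret"))
    return issues + found["errors"]
```

Run problems(triage(text)) on a trace pasted from System Message File; an empty list means every checkpoint in steps 1 to 9 passed.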
10. Wireshark
If you think that your configuration is correct, perform a TCP trace and filter on your Kerberos Server IP address.
To perform a TCP trace, navigate to:
Logging Options > System Log Files > Debug Options > TCP Dump. Select Interface = All and IP Address = <Domain Controller IP>.
When you open the Wireshark PCAP file, filter using the word Kerberos.
Pay attention to the Info column:
AS-REQ: This is where the client is authenticated and a ticket-granting ticket (TGT) is retrieved. In this case, your client will be the Kemp Delegated User.
TGS-REQ: Here the TGT is presented to Kerberos, which verifies it against its database.
KCD Error Codes and possible causes
For more information on Kerberos Constrained Delegation (KCD) error codes and possible causes, visit: Kerberos Errors in Network Captures
If you receive no errors in Wireshark, then a reboot of the LoadMaster may be required.
Related KBs
ESP Client Certificate SSO Debug Trace