lb-trace.pngHello Experts,

We are trying to make F5 load Balancer work on top of two Tomcats (both are clustered and SSO working as expected). When tried the LB URL following error pops up. For last few days searching for solution on the forum but couldn't find matching scenario.

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 6, Principal "HTTP/bi41.domain.com@ABC.DOMAIN.COM" using key: Principal: [1] SSOACOUNT@ABC.DOMAIN.COM TimeStamp: Wed May 03 10:47:11 EDT 2017 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [e7 55 40 ed 86 e5 b a 39 36 36 71 f0 bf 77 26] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

When packet captured done following information was revealed

1.Accessing the site via chrome without proxy

• We can see the TCP handshake is completed between the host and F5, we see an initial “401 unauthorized” request coming from the tomcat server towards F5 which was transferred to the source unaltered. Though later we see a “302 Found” request from the tomcat server towards the F5 and later the communication is fluent and access works.

2.Accessing the site via chrome with Proxy

• We can see the TCP handshake is completed between the host and F5, we see an initial “401 unauthorized” request coming from the tomcat server towards F5 which was transferred to the source unaltered. Though later we see “500 Internal server error” coming in from the tomcat server itself which seems to be causing this issue.

Attached is the Trace where "500 internal Server Error" shows.

Env: BI 4.1 SP8 on windows server 2012 R2

Thanks,

Mohammad