ASA no longer attempting to get Kerberos tickets

Chris R
Level 1

I have an ASA 5512-X that I have configured to use Constrained Delegation with my Windows 2012 domain and it worked for about a day. Now when I attempt to use the clientless VPN to access an internal website that requires a Kerberos ticket it causes the browser to request credentials from the user (which has no effect). I ran debug kerberos 127 on my ASA and see absolutely no activity regarding Kerberos anymore. When I run show webvpn kcd I now get
KCD state: Inactive
Kerberos Realm: *****

ADI version:
ADI instance: root 1745 1743 0 14:02 ? 00:00:02 /asa/bin/start-adi
Keytab file: Not found
Leaving the domain and re-enabling Kerberos has no effect (and fails to show any activity on the console with kerberos debugging enabled).
sh version

Cisco Adaptive Security Appliance Software Version 9.8(3)8
Firepower Extensible Operating System Version 2.2(2.97)
Device Manager Version 7.9(2)152
REST API Agent Version 1.3.2.308

Compiled on Tue 07-Aug-18 23:01 PDT by builders
System image file is "disk0:/asa983-8-smp-k8.bin"
Config file at boot was "startup-config"

asa5512 up 6 days 14 hours

Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
ASA: 1656 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0 : address is 0042.6847.2a3b, irq 11
1: Ext: GigabitEthernet0/0 : address is 0042.6847.2a3f, irq 10
2: Ext: GigabitEthernet0/1 : address is 0042.6847.2a3c, irq 10
3: Ext: GigabitEthernet0/2 : address is 0042.6847.2a40, irq 5
4: Ext: GigabitEthernet0/3 : address is 0042.6847.2a3d, irq 5
5: Ext: GigabitEthernet0/4 : address is 0042.6847.2a41, irq 10
6: Ext: GigabitEthernet0/5 : address is 0042.6847.2a3e, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 0042.6847.2a3b, irq 0
11: Int: Internal-Data0/3 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 250 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA 5512 Security Plus license.

Serial Number: FCH20097ALQ
Running Permanent Activation Key: 0x6b00e66a 0x8cb022b2 0x25734934 0xf1dcd80c 0x0b0cfda4
Configuration register is 0x1

Image type : Release
Key version : A

Configuration last modified by creahard at 13:22:50.315 UTC Thu Oct 11 2018

sh run webvpn
webvpn
enable outside
enable inside
kcd-server DIFKCD username CiscoKerberos password *****
anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
smart-tunnel auto-signon AutoInternal ip 10.*.*.0 255.255.252.0
smart-tunnel auto-signon AutoInternal host kt.*******
smart-tunnel auto-signon AutoInternal host portal.*******
cache
disable
certificate-group-map CERTS 10 CERTS
error-recovery disable

sh run aaa-server DIFKCD
aaa-server DIFKCD protocol kerberos
aaa-server DIFKCD (inside) host 10.*.*.30
retry-interval 3
timeout 3
kerberos-realm *******
aaa-server DIFKCD (inside) host 10.*.*.20
retry-interval 3
timeout 3
kerberos-realm *******

sh run group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-access-hours value Past
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
webvpn
filter value NOACCESS_DENY
group-policy DfltGrpPolicy attributes
dns-server value 10.*.*.30 10.*.*.20
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
smart-tunnel auto-signon enable AutoInternal
group-policy DIF internal
group-policy DIF attributes
dns-server value 10.*.*.20 10.*.*.30
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value *******
address-pools value VPN
webvpn
url-list value DIF
filter none
smart-tunnel auto-signon enable AutoInternal

sh run tunnel-group
tunnel-group CERTS type remote-access
tunnel-group CERTS general-attributes
authentication-server-group (inside) DIF
authorization-server-group DIF
default-group-policy NOACCESS
authorization-required
tunnel-group CERTS webvpn-attributes
authentication certificate
group-alias DIF enable
group-url https://**********/DIF enable
without-csd
tunnel-group LEGACY type remote-access
tunnel-group LEGACY general-attributes
authentication-server-group LEGACY
authentication-server-group (inside) LEGACY
authorization-server-group LEGACY
default-group-policy NOACCESS
authorization-required
tunnel-group LEGACY webvpn-attributes
group-alias LEGACY enable
group-url https://**********/LegacyUsers enable
without-csd

0 Replies
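Added example, not code from the post or from Cisco: a Python health check that parses the `show webvpn kcd` output and the `kcd-server` / `aaa-server` lines quoted above and lists why clientless SSO through KCD cannot work. The sample texts, the realm and the host IP are constructed; the field names are the ones the ASA prints in the post.

```python
import re
# Constructed sample modelled on the post's `show webvpn kcd` output (realm invented).
SHOW_WEBVPN_KCD = """\
KCD state: Inactive
Kerberos Realm: EXAMPLE.LOCAL
ADI instance: root 1745 1743 0 14:02 ? 00:00:02 /asa/bin/start-adi
Keytab file: Not found
"""
# Constructed excerpt of `show run webvpn` and `show run aaa-server` (IP invented).
RUNNING_CONFIG = """\
webvpn
 kcd-server DIFKCD username CiscoKerberos password *****
aaa-server DIFKCD protocol kerberos
aaa-server DIFKCD (inside) host 10.0.0.30
 kerberos-realm EXAMPLE.LOCAL
"""

def parse_kcd_status(text):
    """Map each 'Field: value' line of `show webvpn kcd` to a dict entry (first colon splits)."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_kcd_config(config):
    """Return the group named by kcd-server and {kerberos aaa-server group: set of realms}."""
    kcd_group, groups, current = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"kcd-server (\S+) username", line):
            kcd_group = m.group(1)
        elif m := re.match(r"aaa-server (\S+) protocol kerberos$", line):
            groups[m.group(1)] = set()
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host", line):
            current = m.group(1)  # following kerberos-realm lines belong to this group
        elif (m := re.match(r"kerberos-realm (\S+)", line)) and current in groups:
            groups[current].add(m.group(1))
    return kcd_group, groups

def kcd_findings(status_text, config):
    """List why clientless SSO through KCD cannot work right now; [] means nothing found."""
    findings, status = [], parse_kcd_status(status_text)
    if status.get("KCD state") == "Inactive":
        findings.append("KCD state is Inactive: the ASA will not request Kerberos tickets")
    if status.get("Keytab file", "").lower() == "not found":
        findings.append("Keytab file not found: the ASA has no key to obtain service tickets")
    kcd_group, groups = parse_kcd_config(config)
    if kcd_group not in groups:
        findings.append("kcd-server does not name a configured kerberos aaa-server group")
    elif status.get("Kerberos Realm") not in groups[kcd_group]:
        findings.append("realm in show webvpn kcd differs from kerberos-realm in config")
    return findings
```

Run against the constructed sample it reports the two conditions visible in the post (state Inactive, keytab missing); paste real `show` output in place of the constants to check a live box.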