Forum Discussion
Lucas_Thompson
Apr 03, 2024Employee
At runtime Kerberos SSO needs to know a Realm (domain) and a UPN (username), so your clientless-mode session must be able to provide correct values into the APM session variables session.sso.token.username and session.logon.last.domain.
To troubleshoot this, I'd just enable debug logging on SSO and session, then just compare a test from each line-by-line and see where it falls over. Kerberos S4U is somewhat complicated. We have a few articles on troubleshooting it:
https://my.f5.com/manage/s/article/K59350434
https://my.f5.com/manage/s/article/K40119818