Stefan_Finke_83 (Nimbostratus), Jul 20, 2012
APM 11.2: Kerberos AAA ServiceName configuration
I'm configuring a Kerberos AAA Server for Kerberos end user login in an Active Directory Domain. In the AAA Configuration page, I set up my Service Name formed as serviceName/hostname@kerberosrealm (as said in the Help page and the Configuration guide).
But the login fails. APM Log (/var/log/apm) says:
GSS-API error gss_acquire_cred: 20000 : An invalid name was supplied
and
GSS-API error gss_acquire_cred: 96c73ad8 : Hostname cannot be canonicalized
It seems like the APM-GSS-Module does not accept the '@' in the Service Name at all. A Service Name like test@test gives the same error. Service Name formed as serviceName/hostname (without the realm) is accepted, resulting in a Key table entry not found error (as expected).
Any Hints?
- Kevin_Stewart (Employee): In case you're still having this problem, the guidance is admittedly confusing in this respect.
- Zeeshan_Ahmad_1 (Nimbostratus): Do we need to add SPN for the F5 box's FQDN or for the Virtual server?
- Kevin_Stewart (Employee): For the virtual server. The SPN in the AAA's keytab file MUST match the host name that the client is trying to access.
- Zeeshan_Ahmad_1 (Nimbostratus): Thanks Kevin
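
The requirement stated in the thread, that the SPN in the keytab must match the host name the client is trying to access, can be checked offline before a keytab is uploaded. The following is an added example, not part of the thread and not F5 code: it parses the MIT keytab file format (version 0x0502) and looks for a matching principal. The `HTTP` service name, the host names, exact-case comparison and the sample keytab bytes are assumptions constructed for illustration.

```python
import struct

def keytab_principals(data):
    """Return unique principals (service/host@REALM) from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                 # conservative: stop on a zero-length record
            break
        if size < 0:                  # negative length marks a deleted entry (hole)
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        parts = []
        for _ in range(ncomp + 1):    # realm comes first, then the name components
            (n,) = struct.unpack_from(">H", entry, p); p += 2
            parts.append(entry[p:p + n].decode()); p += n
        name = "/".join(parts[1:]) + "@" + parts[0]
        if name not in names:         # one record exists per key/enctype
            names.append(name)
    return names

def keytab_covers(data, client_host, service="HTTP"):
    """True if some principal is exactly service/client_host (case compared as-is)."""
    wanted = service + "/" + client_host
    return any(n.rpartition("@")[0] == wanted for n in keytab_principals(data))

def _sample_entry(realm, comps, kvno=3, enctype=18, key=b"\x00" * 32):
    """Constructed test data: one keytab record carrying a dummy all-zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno)      # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: keytab issued for the virtual server name, not the box FQDN.
SAMPLE = b"\x05\x02" + _sample_entry("EXAMPLE.COM", ["HTTP", "vs.example.com"])

if __name__ == "__main__":
    print(keytab_principals(SAMPLE))
    for host in ("vs.example.com", "bigip1.example.com"):
        print(host, "covered" if keytab_covers(SAMPLE, host) else "NOT in keytab")
```

To run it against a real file, pass `open(path, "rb").read()` in place of `SAMPLE`; the key material is skipped and never printed.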