Forum Discussion
eric_haupt1
Nimbostratus
Oct 04, 2018
APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually
I'm running into this well-known KCD SSO error. I have APM performing the necessary SSO variable definitions using LDAP queries which map certificate IDs (Domain userPrincipalName) to sAMAccountNames...
Kevin_Stewart
Employee
Oct 09, 2018
Don't use an SSO Credential Mapping agent for Kerberos SSO. You don't need it. The SSO profile has two session variable inputs, session.sso.token.last.username, and session.logon.last.domain. You simply need to make sure these session variables are populated before the end of the policy, and the domain variable is usually statically set.
session.logon.last.domain = expr { "INTERNAL.COM" }
And your username variable can either be the sAMAccountName (preferred) or UPN.
session.sso.token.last.username = expr { "bob" }
In fact you can isolate SSO for testing by simply assigning these values statically in the VPE.