Forum Discussion
APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually
Just my 2c, might not be relevant to your situation.
I experienced something similar when I was trying to set up an Office Online Server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files, and the IIS site used anonymous authentication.
Kevin, the APM is performing auth gateway functions for users with two things: 1 - a PKI cert, 2 - a user account in the tenant domain.
The users must have an app domain account to access the service. What APM will do is simply take the cert ID (UPN) and then proxy these users to the service via KCD. I do not care where the user is in the world as long as they have a valid cert with a UPN for a valid account within the app domain.
There is no cross-domain here at all, except for the LTM/APM being configured to support SSO on two domains depending on the APM policy configs. For this application, you can consider it single-domain - but the F5 itself is supporting two domains, but not at the same time for the same application. From the Kerberos realm perspective, these users are all local, and the communication is from the server-side float and F5 SPN to the IIS front-end.
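An added check that is not part of this thread and not F5 code: the KCD flow described above (cert UPN -> S4U2Self -> S4U2Proxy to the IIS SPN) depends on a handful of AD attributes, and this script reads them from the domain and lists what is missing. The delegation account name `apm-kcd-svc`, the SPN `HTTP/iis.app.example.com`, the test user `jdoe` and the function name `Test-ApmKcdConfig` are assumptions; replace them with your own.

```powershell
# Added example, not from the thread. Verifies the AD prerequisites for an APM
# KCD deployment where the user is identified by a certificate UPN.
# Assumed names: delegation account 'apm-kcd-svc', IIS SPN 'HTTP/iis.app.example.com',
# test user 'jdoe'.
Import-Module ActiveDirectory

$DelegationAccount = 'apm-kcd-svc'
$TargetSpn         = 'HTTP/iis.app.example.com'
$TestUser          = 'jdoe'

function Test-ApmKcdConfig {
    param([string]$Account, [string]$Spn, [string]$User)
    $findings = @()

    $acct = Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, ServicePrincipalName
    # The user authenticates to APM with a certificate, not Kerberos, so the delegation
    # account must be allowed protocol transition ("Use any authentication protocol").
    # Without it the S4U2Self ticket is not forwardable and S4U2Proxy is refused.
    if (-not $acct.TrustedToAuthForDelegation) {
        $findings += "$Account lacks TrustedToAuthForDelegation (protocol transition)"
    }
    # The IIS SPN must be in the account's constrained delegation list.
    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
        $findings += "$Account is not allowed to delegate to $Spn"
    }
    # The delegation account needs an SPN of its own to request S4U tickets.
    if (-not $acct.ServicePrincipalName) {
        $findings += "$Account has no SPN registered"
    }
    # The target SPN must be registered on exactly one object; duplicates break ticket issuance.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    if ($owners.Count -ne 1) {
        $findings += "$Spn is registered on $($owners.Count) objects"
    }
    # Users marked 'sensitive' or placed in Protected Users cannot be delegated at all,
    # so KCD fails for them even when the delegation account is correct.
    $u = Get-ADUser -Identity $User -Properties AccountNotDelegated, MemberOf
    if ($u.AccountNotDelegated) { $findings += "$User is marked 'cannot be delegated'" }
    if ($u.MemberOf -match '^CN=Protected Users,') { $findings += "$User is in Protected Users" }

    return $findings
}

$result = @(Test-ApmKcdConfig -Account $DelegationAccount -Spn $TargetSpn -User $TestUser)
if ($result.Count -eq 0) { 'KCD prerequisites look correct' } else { $result }
```

Run it as a domain user with read access to the accounts involved; each line of output names one prerequisite the KDC will reject.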