F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

eric_haupt1's avatar
eric_haupt1
Icon for Nimbostratus rankNimbostratus
Oct 04, 2018

APM KCD SSO - Requesting ticket can't get forwardable tickets (-1765328163) but works eventually

I'm running into this well known KCD SSO error. I have APM performing the necessary SSO variable definitions using LDAP queries which map certificate IDs (Domain userPrincipalName) to sAMAccountNames...
application delivery
BIG-IP Access Policy Manager (APM)
action_-_322447's avatar
action_-_322447
Icon for Nimbostratus rankNimbostratus
Oct 11, 2018

Just my 2c, might not be relevant to your situation.

 

I experienced something similar when I was trying to set up an office online server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files and the IIS site used anonymous authentication.

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 31, 2018

Hmm.

 

Can you also look at the clear text traffic to the server? I’m assuming, but it’d be good to validate that on every attempt APM actually does pass a Kerberos AP_REQ ticket to the app, and that for some reason the app doesn’t accept it. If you can get a wireshark view of the APM-server traffic you should be able to see the full Kerberos details. And if that’s true, it might imply that the server is at fault, the KDC is issuing a ticket to the wrong service, or there’s something wrong with the ticket.