Forum Discussion

Gulfam_219642's avatar
Gulfam_219642
Icon for Nimbostratus rankNimbostratus
Apr 05, 2016

APM SSO -Kerberos Decrypt integrity check failed

Hi, I have been facing an issue with APM SSO "Kerberos Decrypt integrity check failed"

 

Here are Log details:

 

S4U ======> - fetched S4U2Self ticket for user: xpto@DOMAIN.COM

 

Kerberos: can't decrypt S4U2Self ticket for user xpto@DOMAIN.COM - Decrypt integrity check failed (-1765328353)

 

For this reason the SSO is failing.Any help would be very much appreciated.

 

  • Hi Gulfman, Kerberos is a sensitive topic, you need to check that everything is configured properly and I don't mean only APM. I'd recommend you to have a look at the APM operations guide. It has a lot of information to troubleshoot Kerberos: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/f5-apm-operations-guide.html Regards
  • Hi, Daniel. I'm working with Gulfam on this. We've setup APM and SSO already using other methods and everything is working fine. Also, we've setup Kerberos on the back-end servers and, again, all seems to be fine - a Domain user can logon via Kerberos SSO to that back-end web server. Now, in regards to this problem, this is what I can add: We followed the "APM Cookbook: Single Sign On (SSO) using Kerberos". The TGT seems to be fetched by the F5, as well as the ticket for the xpto@DOMAIN.COM account. However - and this is what we think is the problem - the F5 cannot decrypt the ticket for some reason. Any hints on this? TIA! -- Miguel
  • One possibility for the error you are getting is--you may be using AES256 encryption type for kerberos delegation account. If so, try to disable that option and see whether it works.

     

    As far as I know, we have a known bug id564482 for it (Kerberos SSO to support AES256 encryption type for delegation account). It has been fixed in the upcoming version 12.1

     

    By the way what version of BIGIP are you using?