APM SSO - Kerberos Decrypt integrity check failed
Hi, I have been facing an issue with APM SSO: "Kerberos Decrypt integrity check failed".
Here are the log details:
S4U ======> - fetched S4U2Self ticket for user: xpto@DOMAIN.COM
Kerberos: can't decrypt S4U2Self ticket for user xpto@DOMAIN.COM - Decrypt integrity check failed (-1765328353)
For this reason the SSO is failing. Any help would be very much appreciated.
- Daniel_Varela (Employee)
Hi Gulfman, Kerberos is a sensitive topic; you need to check that everything is configured properly, and I don't mean only APM. I'd recommend you have a look at the APM operations guide. It has a lot of information to troubleshoot Kerberos: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/f5-apm-operations-guide.html Regards
- Miguel_Almeida (Nimbostratus)
Hi, Daniel. I'm working with Gulfam on this. We've set up APM and SSO already using other methods and everything is working fine. Also, we've set up Kerberos on the back-end servers and, again, all seems to be fine - a Domain user can log on via Kerberos SSO to that back-end web server. Now, in regard to this problem, this is what I can add: We followed the "APM Cookbook: Single Sign On (SSO) using Kerberos". The TGT seems to be fetched by the F5, as well as the ticket for the xpto@DOMAIN.COM account. However - and this is what we think is the problem - the F5 cannot decrypt the ticket for some reason. Any hints on this? TIA! -- Miguel
- Saravanan_M_K (Employee)
One possibility for the error you are getting is that you may be using the AES256 encryption type for the Kerberos delegation account. If so, try to disable that option and see whether it works.
As far as I know, we have a known bug, ID564482, for it (Kerberos SSO to support AES256 encryption type for delegation account). It has been fixed in the upcoming version 12.1.
By the way, what version of BIG-IP are you using?
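
Added example, not part of the thread and not F5 code: a small triage helper that pulls the S4U2Self failure out of the log lines quoted in the question, converts the error number to its RFC 4120 value, and checks whether the delegation account's msDS-SupportedEncryptionTypes value has AES256 enabled, which is the condition the last reply points at. The function names and the 0x18 attribute value are assumptions made for illustration; the offset is the MIT krb5 error-table base, which the logged number matches.

```python
import re

# Base of the MIT krb5 com_err table; subtracting it gives the RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB_AP_ERR_BAD_INTEGRITY = 31  # RFC 4120: integrity check on decrypted field failed

# Bit flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
ENCTYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

# Matches the failure line format shown in the question.
S4U_FAIL = re.compile(r"can't decrypt S4U2Self ticket for user (?P<user>\S+) - "
                      r"(?P<msg>.+?) \((?P<code>-?\d+)\)")

def decode_enctypes(value):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]

def triage(log_lines, delegation_enctypes):
    """Find S4U2Self decrypt failures and relate them to the delegation account's enctypes."""
    findings = []
    enabled = decode_enctypes(delegation_enctypes)
    for line in log_lines:
        m = S4U_FAIL.search(line)
        if not m:
            continue  # e.g. the "fetched S4U2Self ticket" line is not a failure
        rfc_code = int(m.group("code")) - KRB5_ERROR_TABLE_BASE
        findings.append({
            "user": m.group("user"),
            "rfc4120_error": rfc_code,
            "bad_integrity": rfc_code == KRB_AP_ERR_BAD_INTEGRITY,
            "delegation_enctypes": enabled,
            # The condition the reply above names: AES256 enabled on the account.
            "aes256_enabled": "AES256-CTS-HMAC-SHA1-96" in enabled,
        })
    return findings

# The two log lines from the question; 0x18 (AES128 + AES256) is a constructed value.
SAMPLE_LOG = [
    "S4U ======> - fetched S4U2Self ticket for user: xpto@DOMAIN.COM",
    "Kerberos: can't decrypt S4U2Self ticket for user xpto@DOMAIN.COM - "
    "Decrypt integrity check failed (-1765328353)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, 0x18):
        print(finding)
```
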