For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ktm_2000's avatar
ktm_2000
Icon for Altostratus rankAltostratus
Nov 08, 2024

Can you set Kerberos AAA server via session variable?

Folks,    I am looking to setup Kerberos so folks do not need to keep entering their credentials and have been doing some testing.     I have a couple test policies setup and assigned to their own ...
application delivery
Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
Jun 26, 2025

Hi ktm_2000​ 

The simplest way would be to use a single keytab file lets say for sso.example.com and set a multi domain sso policy with sso.example.com as primary domain. Then you add the rest domains.
So when a user tries to access app1.example.com apm will redirect him to sso.example.com where he could authenticate with kerberos and then will be returned to app1

An other way is to have a unique login policy just for sso.example.com with kerberos and have other policies SAML federated to sso 

And the last option is to have multiple keytabs and then inside the policy check the hostname requested and have multiple branches, one for each hostname, and assign different kerberos auth for each.