Forum Discussion
Cross Domain / Cross Forest Kerberos SSO
Does anyone have a how-to or gotchas when deploying cross domain or cross forest Kerberos SSO? I am currently working on a how-to but curious if anyone has anything already and would like to share their own lessons learned. Thanks!
Below are the known requirements as stated by Kevin Stewart.
Cross-domain/cross-forest Kerberos SSO requires that:
- Both domains/forests must have a full two-way transitive trust for Constrained Delegation to work.
- The APM Kerberos SSO AD service account MUST be in the same domain as the web server. Users can be anywhere.
- The F5 must be able to resolve and communicate with both domains'/forests' KDCs. For multi-domain, it's usually easiest to point DNS at the global catalog server.
- Steve_Lyons (Ret. Employee)
More requirements.
- The delegation account must be in service principal name (SPN) format “host/name”.
- In Active Directory, the delegation account must use this SPN value for both its servicePrincipalName and userPrincipalName attributes.
- This same SPN value must also be used in the Account Name field in the Kerberos SSO config.
- Kerberos only mode enables the “Kerberos Protocol Transition” protocol option, which is required for APM Kerberos SSO to work.
- Steve_Lyons (Ret. Employee)
If you receive the following error, "KRB ERROR : KRB5KRB_ERR_RESPONSE_TOO_BIG" it is likely Kerberos communication is occurring over UDP. Validate there is a TCP SRV record for Kerberos and attempt authentication again.
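A pre-flight checker for the requirements collected in this thread, added here as an example (not F5's code and not from any poster): it checks the delegation account's SPN/UPN/Account Name rules and the domain rule, and flags a missing `_kerberos._tcp` SRV record. The account records, DNS records and host names are constructed sample data standing in for an LDAP query and an SRV lookup.

```python
"""Pre-flight checks for APM cross-domain Kerberos SSO (added example, not F5 code)."""
import re

# Delegation account SPN must be of the form host/name (thread requirement).
SPN_RE = re.compile(r"^host/[A-Za-z0-9][A-Za-z0-9.-]*$", re.IGNORECASE)

def check_delegation_account(account, apm_account_name, web_server_domain):
    """Return the list of requirement violations for the delegation account.

    account: dict of AD attributes 'domain', 'servicePrincipalName' and
    'userPrincipalName' (a constructed stand-in for an LDAP lookup).
    apm_account_name: the Account Name field of the APM Kerberos SSO config.
    web_server_domain: the AD domain the back-end web server belongs to.
    """
    spn = account.get("servicePrincipalName", "")
    upn = account.get("userPrincipalName", "")
    problems = []
    if not SPN_RE.match(spn):
        problems.append(f"servicePrincipalName {spn!r} is not in host/name format")
    if spn.lower() != upn.lower():
        problems.append("userPrincipalName must equal servicePrincipalName")
    if spn.lower() != apm_account_name.lower():
        problems.append("APM Account Name must equal the account SPN")
    if account.get("domain", "").lower() != web_server_domain.lower():
        problems.append("delegation account must be in the web server's domain")
    return problems

def check_kerberos_srv(srv_records, domain):
    """Return violations for the Kerberos SRV records of a domain.

    srv_records: dict of SRV name -> list of targets (constructed stand-in for
    a DNS lookup from the BIG-IP). With no _kerberos._tcp record the exchange
    stays on UDP, the usual cause of KRB5KRB_ERR_RESPONSE_TOO_BIG.
    """
    problems = []
    if not srv_records.get(f"_kerberos._tcp.{domain}"):
        problems.append(f"no _kerberos._tcp SRV record for {domain}")
    return problems

# Constructed sample data: one compliant account, one that breaks every rule,
# and a DNS view that only advertises the UDP KDC record.
GOOD_ACCOUNT = {"domain": "apps.corp.example",
                "servicePrincipalName": "host/apm-deleg.apps.corp.example",
                "userPrincipalName": "host/apm-deleg.apps.corp.example"}
BAD_ACCOUNT = {"domain": "users.corp.example",
               "servicePrincipalName": "HTTP/apm-deleg",
               "userPrincipalName": "apm-deleg@users.corp.example"}
SAMPLE_DNS = {"_kerberos._udp.apps.corp.example": ["dc1.apps.corp.example"]}
```

Run the two checks against the real account (via LDAP) and the DNS the BIG-IP actually uses before opening a support case; an empty list from both means the thread's stated requirements are met.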