Forum Discussion

Steve_Lyons's avatar
Ret. Employee
Jul 31, 2018

Cross Domain / Cross Forest Kerberos SSO

Does anyone have a how to or gotcha's when deploying cross domain or cross forest Kerberos SSO? I am currently working on a how to but curious if anyone has anything already and would like to share their own lessons learned. Thanks!


Below are the known requirements as stated by Kevin Stewart.


Cross-domain/cross-forest Kerberos SSO requires that:


  • Both domains/forests must have a full two-way transitive trust for Constrained Delegation to work.
  • The APM Kerberos SSO AD service account MUST be in the same domain as the web server. Users can be anywhere.
  • The F5 must be able to resolve and communicate with both domains/forest KDCs. For multi-domain, it's usually easiest to point DNS at the global catalog server.

2 Replies

  • More requirements.


    • The delegation account must be in service principal name (SPN) format “host/name”.
    • In the active directory, the delegation account must use this SPN value for both its servicePrincipalName and userPrincipalName attributes.
    • This same SPN value must also be used in the Account Name field in the Kerberos SSO config.
    • Kerberos only mode enables the “Kerberos Protocol Transition” protocol option, which is required for APM Kerberos SSO to work.
  • If you receive the following error, "KRB ERROR : KRB5KRB_ERR_RESPONSE_TOO_BIG" it is likely Kerberos communication is occurring over UDP. Validate there is a TCP SRV record for Kerberos and attempt authentication again.