F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

balaaj_217997's avatar
balaaj_217997
Icon for Nimbostratus rankNimbostratus
Aug 20, 2015

f5 and Kerberos SSO sap BI

Hi We are using F5 load balancer and we enable kerberos sso . Its works like a charm with direct link . However its not working with f5 Dns name bi.temp.com Full url is https://bi.temp.com Service us...
BIG-IP Access Policy Manager (APM)
sap
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 22, 2015

You need to put the URl in IE's Local Intranet sites list. Otherwise I'm assuming you have

 

  1. Created an AD account, added the SPN (http/bi.temp.com) and exported a keytab.

     

  2. Imported that keytab to an APM Kerberos AAA.

     

  3. Configured the access policy with a 401 agent with negotiate enabled and a negotiate branch that flows into a Kerberos Auth agent.

     

The best way to troubleshoot client side Kerberos issues is to:

 

  1. Enable debug logging for APM. Look for anything that says "kerberos" or "gssapi".

     

  2. Capture the client's requests to the KDC with WireShark, and HTTP requests to APM. You should the entire process here, what (and if) the client requests a ticket for, and what it sends to the VIP.