Forum Discussion
f5 and Kerberos SSO sap BI
You need to put the URL in IE's Local Intranet sites list. Otherwise I'm assuming you have

- Created an AD account, added the SPN (http/bi.temp.com) and exported a keytab.
- Imported that keytab to an APM Kerberos AAA.
- Configured the access policy with a 401 agent with negotiate enabled and a negotiate branch that flows into a Kerberos Auth agent.

The best way to troubleshoot client side Kerberos issues is to:

- Enable debug logging for APM. Look for anything that says "kerberos" or "gssapi".
- Capture the client's requests to the KDC with Wireshark, and HTTP requests to APM. You should see the entire process here, what (and if) the client requests a ticket for, and what it sends to the VIP.
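
For reading the HTTP side of that capture, here is an added example (not part of the original reply, and not F5 code) that classifies the token in a captured `Authorization` header, so a client that fell back to NTLM can be told apart from one that sent a Kerberos ticket. The function names and the sample headers are constructed for illustration; the OID match is a heuristic, not a full DER parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",     # 1.3.6.1.4.1.311.2.2.10
}

def classify_authorization(header_value):
    """Say what kind of token a client put in an Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"  # client fell back to NTLM, no service ticket sent
    if token[:1] != b"\x60":  # GSS-API initial tokens start with tag 0x60
        return "unknown"
    # Heuristic, not a DER parser: the mechanism OID that appears first is
    # the one the client prefers and built its token for.
    hits = sorted((token.find(oid), name) for oid, name in MECHS.items() if oid in token)
    first = hits[0][1] if hits else "other"
    if OID_SPNEGO in token[:16]:
        return "spnego-" + first
    return "raw-" + first

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed samples: abbreviated token prefixes, not real tickets.
_krb, _mskrb, _ntlm = list(MECHS)
SAMPLES = {
    "ntlm-fallback": "Negotiate TlRMTVNTUAABAAAA",
    "kerberos": "Negotiate " + _b64(b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x18\x30\x16" + _mskrb + _krb + _ntlm),
    "spnego-ntlm": "Negotiate " + _b64(b"\x60\x28" + OID_SPNEGO + b"\xa0\x1e\x30\x1c\xa0\x0e\x30\x0c" + _ntlm),
}

def triage(samples=SAMPLES):
    return {name: classify_authorization(value) for name, value in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:15} -> {verdict}")
```

A `raw-ntlm` or `spnego-ntlm` result for the request sent to the VIP means the client never presented a service ticket, which points the investigation at the client and KDC side rather than at the keytab on APM.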