Forum Discussion
f5 and Kerberos SSO sap BI
If you're not using APM, what are you referring to when you say "SSO"?
Since you're not using APM to handle the Kerberos traffic, then you're simply passing the Kerberos traffic through the VIP. The issue I think you're seeing is that the client is attempting (and most likely failing) to request a ticket for the external URL (bi.temp.com). A browser will derive the servicePrincipalName (SPN) for a Kerberos request from the FQDN in the requested URL. If the backend server's SPN is http/biserver, then the client is simply passing a ticket for the wrong SPN (or no ticket at all if http/bi.temp.com doesn't exist in the realm). In order for pass-through Kerberos to work, the external FQDN must match the internal (target) SPN. The easiest way to achieve that may be to add a new SPN to the account for http/bi.temp.com.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com