Forum Discussion

balaaj_217997's avatar
balaaj_217997
Icon for Nimbostratus rankNimbostratus
Aug 20, 2015

f5 and Kerberos SSO sap BI

Hi We are using F5 load balancer and we enable kerberos sso . Its works like a charm with direct link . However its not working with f5 Dns name bi.temp.com Full url is https://bi.temp.com Service us...
BIG-IP Access Policy Manager (APM)
sap
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 25, 2015

If you're not using APM, what are you referring to when you say "SSO"?

 

Since you're not using APM to handle the Kerberos traffic, then you're simply passing the Kerberos traffic through the VIP. The issue I think you're seeing is that the client is attempting (and most likely failing) to request a ticket for the external URL (bi.temp.com). A browser will derive the servicePrincipalName (SPN) for a Kerberos request from the FQDN in the requested URL. If the backend server's SPN is http/biserver, then the client is simply passing a ticket for the wrong SPN (or no ticket at all if http/bi.temp.com doesn't exist in the realm). In order for pass-through Kerberos to work, the external FQDN must match the internal (target) SPN. The easiest way to achieve that may be to add a new SPN to the account for http/bi.temp.com.