F5 APM AES256 in keytab for Kerb Auth failed

Question

Hi,,I am a newbie on F5 apm, currently, we have to authenticate users to access applications, I use the kerberos protocol via a keytab uploder file on the F5 apm, however, want to change encryption algorithm (RC4 to AES 256), the user sees displayed an authentication pop-up, nevertheless the authentication should be transparent for the user and does not have to enter these login/PASWD (use of the keytab file), I made a clean browser cache / restart the computer but still the same problem, following that I did a rollback with the encryption parameters (RC4), of the keytab file.BYW : i see fallback from item 'kerberos Auth' to ending Deny , on splunk log.Do you have any ideas ?Thanks in advance&nbsp;

f5_design_engineer · Answer

Hi&nbsp;Poseidon1974&nbsp;,
Please refer the following articles
https://my.f5.com/manage/s/article/K01716018#CreateKeytabKtpass
&nbsp;
Impact of procedure: Using the ktpass command with certain parameters on a domain controller may modify the AD service account. F5 recommends that you perform this procedure during a scheduled maintenance window for the specific service.
Important: The following command uses AES256-SHA1 encryption. You must therefore select the This account supports Kerberos AES 256 bit encryption check box for the user you created in step 2.
Use these commands
ktpassktutilrktwkt
K24065228: Troubleshooting issues with BIG-IP APM Kerberos end-user logon authenticationhttps://my.f5.com/manage/s/article/K24065228
https://my.f5.com/manage/s/article/K24065228#VerifyEncryption
K73872229: Configure BIG-IP APM KDC validation in AD authentication
https://my.f5.com/manage/s/article/K73872229
K01716018: Configuring Kerberos end-user logon authentication for multiple applications by merging keytab files
https://my.f5.com/manage/s/article/K01716018
https://my.f5.com/manage/s/article/K24065228
K17371: BIG-IP APM may fail to authenticate when Kerberos AAA servers have different keytab fileshttps://my.f5.com/manage/s/article/K17371
&nbsp;
https://my.f5.com/manage/s/article/K000130298
https://my.f5.com/manage/s/article/K18315582
HTH

poseidon1974 · Answer

Hi,Thanks for your reply , will check this link,Poseidon;&nbsp;&nbsp;

poseidon1974 · Answer

HI,&nbsp;i have this error&nbsp; :LOCAL kvno 23 enctype aes256-cts found in keytab but cannot decrypt ticketCan you help ? Thanks

poseidon1974 · Answer

Any help ?

poseidon1974 · Answer

Hi,Any update ?&nbsp;Thanks&nbsp;

Forum Discussion

F5 APM AES256 in keytab for Kerb Auth failed

5 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

F5 mssql health monitor failing

F5 BIG IP laboratory license

How can I get started with iCall

Connection Rest f5

Related Content

External Data Group Import Failing.

Failing Faster in the Cloud

BIG-IP device fails to install node-inspector

Re activate license failed

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS