Forum Discussion
F5 APM AES256 in keytab for Kerb Auth failed
Hi,
I am a newbie on F5 APM. Currently, we have to authenticate users to access applications. I use the Kerberos protocol via a keytab file uploaded on the F5 APM. However, I want to change the encryption algorithm (RC4 to AES 256), and the user sees an authentication pop-up displayed. Nevertheless, the authentication should be transparent for the user, who does not have to enter the login/password (use of the keytab file). I cleaned the browser cache and restarted the computer, but still the same problem. Following that, I did a rollback of the encryption parameters (RC4) of the keytab file.
BTW: I see a fallback from item 'kerberos Auth' to ending Deny in the Splunk log.
Do you have any ideas?
Thanks in advance
Hi Poseidon1974 ,
Please refer to the following articles:
https://my.f5.com/manage/s/article/K01716018#CreateKeytabKtpass
Impact of procedure: Using the ktpass command with certain parameters on a domain controller may modify the AD service account. F5 recommends that you perform this procedure during a scheduled maintenance window for the specific service.
Important: The following command uses AES256-SHA1 encryption. You must therefore select the This account supports Kerberos AES 256 bit encryption check box for the user you created in step 2.
Use these commands:
ktpass
ktutil
rkt
wkt
K24065228: Troubleshooting issues with BIG-IP APM Kerberos end-user logon authentication
https://my.f5.com/manage/s/article/K24065228
https://my.f5.com/manage/s/article/K24065228#VerifyEncryption
K73872229: Configure BIG-IP APM KDC validation in AD authentication
https://my.f5.com/manage/s/article/K73872229
K01716018: Configuring Kerberos end-user logon authentication for multiple applications by merging keytab files
https://my.f5.com/manage/s/article/K01716018
https://my.f5.com/manage/s/article/K24065228
K17371: BIG-IP APM may fail to authenticate when Kerberos AAA servers have different keytab files
https://my.f5.com/manage/s/article/K17371
https://my.f5.com/manage/s/article/K000130298
https://my.f5.com/manage/s/article/K18315582
HTH
- Poseidon1974 Cirrostratus
Hi,
Thanks for your reply, will check this link.
Poseidon
- Poseidon1974 Cirrostratus
Hi,
I have this error:
LOCAL kvno 23 enctype aes256-cts found in keytab but cannot decrypt ticket
Can you help?
Thanks