F5 APM AES256 in keytab for Kerb Auth failed

Question

Hi,,I am a newbie on F5 apm, currently, we have to authenticate users to access applications, I use the kerberos protocol via a keytab uploder file on the F5 apm, however, want to change encryption algorithm (RC4 to AES 256), the user sees displayed an authentication pop-up, nevertheless the authentication should be transparent for the user and does not have to enter these login/PASWD (use of the keytab file), I made a clean browser cache / restart the computer but still the same problem, following that I did a rollback with the encryption parameters (RC4), of the keytab file.BYW : i see fallback from item 'kerberos Auth' to ending Deny , on splunk log.Do you have any ideas ?Thanks in advance&nbsp;

f5_design_engineer · Answer

Hi&nbsp;Poseidon1974&nbsp;,
Please refer the following articles
https://my.f5.com/manage/s/article/K01716018#CreateKeytabKtpass
&nbsp;
Impact of procedure: Using the ktpass command with certain parameters on a domain controller may modify the AD service account. F5 recommends that you perform this procedure during a scheduled maintenance window for the specific service.
Important: The following command uses AES256-SHA1 encryption. You must therefore select the This account supports Kerberos AES 256 bit encryption check box for the user you created in step 2.
Use these commands
ktpassktutilrktwkt
K24065228: Troubleshooting issues with BIG-IP APM Kerberos end-user logon authenticationhttps://my.f5.com/manage/s/article/K24065228
https://my.f5.com/manage/s/article/K24065228#VerifyEncryption
K73872229: Configure BIG-IP APM KDC validation in AD authentication
https://my.f5.com/manage/s/article/K73872229
K01716018: Configuring Kerberos end-user logon authentication for multiple applications by merging keytab files
https://my.f5.com/manage/s/article/K01716018
https://my.f5.com/manage/s/article/K24065228
K17371: BIG-IP APM may fail to authenticate when Kerberos AAA servers have different keytab fileshttps://my.f5.com/manage/s/article/K17371
&nbsp;
https://my.f5.com/manage/s/article/K000130298
https://my.f5.com/manage/s/article/K18315582
HTH

poseidon1974 · Answer

Hi,Thanks for your reply , will check this link,Poseidon;&nbsp;&nbsp;

poseidon1974 · Answer

HI,&nbsp;i have this error&nbsp; :LOCAL kvno 23 enctype aes256-cts found in keytab but cannot decrypt ticketCan you help ? Thanks

poseidon1974 · Answer

Any help ?

poseidon1974 · Answer

Hi,Any update ?&nbsp;Thanks&nbsp;

Forum Discussion

F5 APM AES256 in keytab for Kerb Auth failed

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

dynamic signature detection

DNS HM Probe issue

F5 looses the token for the first call

Related Content

Re activate license failed

HTTP error 503, DNS lookup failed

Failing Faster in the Cloud

GTM- Zone list (Offline (Enabled) - Failed AXFR)

URI host header redirect failing

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS