CirrostratusHi ,
I am newbie on F5 APM, I use Kerberos authentication via keytab, and I have this error message in the SIEM logs, when user try to connect, also, the user sees a pop-up displayed to authenticate, normally, it should be transparent for the user who is already in the domain
"LOCAL kvno 24 enctype aes256-cts found in keytab but cannot decrypt ticket"
Any help ?
Thanks ,
Curious if Niels_van_Sluis could answer this one? I'll poke around to see if I can find someone else just in case Niels doesn't have time.
Cirrostratusmybe he don't understand my issue ?
I've just sent your thread to some colleagues to try to get you the answer you need.
Hi,
What instructions did you use to configure kerberos authentication? This knowlege article helps on debugging kerberos issues:
Troubleshooting issues with BIG-IP APM Kerberos end-user logon authentication (f5.com)
Maybe one thing to check: Make sure in the account properties in AD in the tab 'Account' the account option 'This account supports Kerberos 256 bit encryption' is enabled.
CirrostratusHi
Thanks for this reply , we use same account ( AD) for both SPN, for one URL it's OK with AES , but NOK for seconde URL, we haven't any issue with RC4 before
regards,
CirrostratusHi ,
As explained, I use a keytab file for two spns, only 1 SPN works with AES (without pop-up), however the other SPN does not (the user sees a pop-up displayed) to put his credentials n us 'have no problem with RC4 encryption.
CirrostratusNot solved
EmployeeNot sure if I can help
https://support.f5.com/csp/article/K24065228 Verifying the Kerberos encryption configuration The encrypted type in the keytab file must support the encryption used to encrypt the Kerberos service ticket on the client system. To view the supported encryption types in the keytab file using the BIG-IP Configuration utility, refer to Verifying the service account name configuration on the KDC and BIG-IP APM procedure in this article. To display the encryption used to encrypt the Kerberos service ticket, use the klist command described in the Verifying the Kerberos tickets on the client device with the klist command procedure in this article. For more information on configuring Kerberos encryption on Windows, refer to Windows Configurations for Kerberos Supported Encryption Type. Note: This link take you to resources outside of AskF5, and it is possible that the information may be removed without our knowledge. F5 recommends using the AES 256 bit encryption type. To configure this, you need to enable the This account supports the Kerberos AES 256 bit encryption option on the Account tab in the AD Properties and also when generating the keytab file with the ktpass command.
CirrostratusHi,
Thank you for this feedback (I already knew this link), however, all the steps explanied on your link complete correctly, nevertheless, the generated keytab file only works for a single SPN, and not for the other (the user has a authentication pop-up), following that, I did a rollback to RC4,
