Forum Discussion
Poseidon1974
Oct 10, 2023
Cirrostratus
F5 APM-Kerberos -decrypt ticket
Hi, I am a newbie on F5 APM, I use Kerberos authentication via keytab, and I have this error message in the SIEM logs when a user tries to connect; also, the user sees a pop-up displayed to authentica...
Matt_Dierick
Employee
Not sure if I can help
https://support.f5.com/csp/article/K24065228

Verifying the Kerberos encryption configuration

The encrypted type in the keytab file must support the encryption used to encrypt the Kerberos service ticket on the client system.

To view the supported encryption types in the keytab file using the BIG-IP Configuration utility, refer to the "Verifying the service account name configuration on the KDC and BIG-IP APM" procedure in this article.

To display the encryption used to encrypt the Kerberos service ticket, use the klist command described in the "Verifying the Kerberos tickets on the client device with the klist command" procedure in this article.

For more information on configuring Kerberos encryption on Windows, refer to Windows Configurations for Kerberos Supported Encryption Type.

Note: This link takes you to resources outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 recommends using the AES 256 bit encryption type. To configure this, you need to enable the "This account supports the Kerberos AES 256 bit encryption" option on the Account tab in the AD Properties and also when generating the keytab file with the ktpass command.
Poseidon1974
Oct 24, 2023
Cirrostratus
Hi,
Thank you for this feedback (I already knew this link). However, all the steps explained on your link complete correctly; nevertheless, the generated keytab file only works for a single SPN, and not for the other (the user has an authentication pop-up). Following that, I did a rollback to RC4,
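
The keytab check quoted from the F5 article can also be done offline by reading the file itself and listing which encryption types each SPN has a key for. The following is an added example, not code from the thread or from F5: it assumes the MIT keytab format version 0x0502, and the SPNs, realm and all-zero keys in the sample are constructed.

```python
import struct
from collections import defaultdict

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(blob):
    """Return {principal: set of etype numbers} from an MIT-format 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = defaultdict(set), 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted entry (hole)
            pos += -size
            continue
        entry, pos, off = blob[pos:pos + size], pos + size, 2
        def counted():                    # 16-bit length followed by that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", entry, off)
            off += 2 + n
            return entry[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        off += 4 + 4 + 1                  # skip name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", entry, off)
        found[f"{name}@{realm}"].add(etype)
    return dict(found)

def spns_missing(keytab, spns, etype=18):
    """SPNs with no key of `etype` (default AES256) in the parsed keytab."""
    return [s for s in spns if etype not in keytab.get(s, set())]

def make_entry(spn, realm, etype, key):   # builds one constructed demo entry
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = spn.split("/")
    body = struct.pack(">H", len(parts)) + cs(realm.encode())
    body += b"".join(cs(p.encode()) for p in parts)
    body += struct.pack(">IIBH", 1, 0, 2, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical realm and SPNs, all-zero dummy keys
R, A, B = "EXAMPLE.TEST", "HTTP/app1.example.test", "HTTP/app2.example.test"
SAMPLE = (b"\x05\x02" + make_entry(A, R, 18, bytes(32))
          + make_entry(A, R, 23, bytes(16)) + make_entry(B, R, 23, bytes(16)))
if __name__ == "__main__":
    kt = parse_keytab(SAMPLE)
    print({s: [ETYPES.get(e, str(e)) for e in sorted(v)] for s, v in kt.items()})
    print("no AES256 key:", spns_missing(kt, list(kt)))
```

On a real file, pass the keytab's bytes to `parse_keytab` and the expected SPNs to `spns_missing`; an SPN that appears in the result has no AES256 key in that keytab.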