May 07, 2017

Invalid Session ID. Your session may have expired - during Kerberos auth

I have an IdP setup that is doing client-side Kerberos auth before then sending on a SAML token to an SP. I have an intermittent issue where sometimes, using the Kerberos auth, it seems to fail and send me to a logout page with an error:




Your session could not be established.


The session reference number: 23f22713


Invalid Session ID. Your session may have expired.


In the logs I can see:


Session deleted (security_check).


Sometimes the Kerberos is ok and sometimes not, any ideas where to look for the cause of this?




  • It seems to help if I change "Max Logon Attempts Allowed" from 1 to 3 in the Kerberos Auth. What does this setting actually do, and should this help?


  • Actually, the step above didn't help with the situation. We still see the issue. We also have an NTLM iRule that looks to be causing the issue. When doing an ECA::Disable for non-NTLM requests, it seems to intermittently break Kerberos!


    Also, if I set "modify /sys db apm.rotatesessionid value disable" it seems to fix the issue, but I don't want to do this as it weakens security.


    Anyone have anything to try?


  • CX,


    Did you ever figure this out, as I am having the same issue? I have not yet messed with the apm.rotatesessionid value like you mentioned, as I was seeing if you came up with a better way.




  • Hi Nolan,


    So it came down to 3 things: Kerberos, NTLM and Session Rotation. If I stopped using any one of these 3 then my problem went away. In the end I needed both Kerberos and NTLM setups, and so F5 Support agreed that the only option was to turn off the session rotation. Since that day I never saw the issue again.


    Note this was in APM 11.6.2. I have not tested since upgrading to later versions, but it would be interesting to see if it was resolved.