Forum Discussion

CX_280703
May 07, 2017

Invalid Session ID. Your session may have expired - during kerberos auth

I have an IdP setup that is doing client-side Kerberos auth before then sending on a SAML token to an SP. I have an intermittent issue where sometimes using the Kerberos auth it seems to fail and send me to a logout page with an error:

 

.../my.logout.php3?errorcode=20

Your session could not be established.

The session reference number: 23f22713

Invalid Session ID. Your session may have expired.

 

In the logs I can see:

 

Session deleted (security_check).

 

Sometimes the Kerberos is OK and sometimes not. Any ideas where to look for the cause of this?

 

Thanks

 

5 Replies

  • It seems to help if I change "Max Logon Attempts Allowed" from 1 to 3 in the Kerberos Auth. What does this setting actually do, and should this help?

     

  • Actually, the step above didn't help with the situation. We still see the issue. We also have an NTLM iRule that looks to be causing the issue. When doing an ECA::Disable for non-NTLM requests it seems to intermittently break Kerberos!

     

    Also if I set "modify /sys db apm.rotatesessionid value disable" it seems to fix the issue but I don't want to do this as it weakens security.

     

    Anyone have anything to try?

     

  • CX,

     

    Did you ever figure this out? I am having the same issue. I have not yet messed with the apm.rotatesessionid value like you mentioned, as I was seeing if you came up with a better way.

     

    Thanks

     

  • Hi Nolan,

     

    So it came down to 3 things: Kerberos, NTLM and Session Rotation. If I stopped using any one of these 3 then my problem went away. In the end I needed both Kerberos and NTLM setups and so F5 Support agreed that the only option was to turn off the session rotation. Since that day I never saw the issue again.

     

    Note this was in APM 11.6.2. I have not tested since upgrading to later versions, but it would be interesting to see if it was resolved.