Forum Discussion

Cirrostratus

Aug 20, 2015

Kerberos - Serving a URL in different datacenters

Hello! I have an very intresting issue. Scenario 1 (that is working flawlessly): LTM VIP 1.2.3.4 -> Access Policy -> 401 RESPONSE -> Kerberos Auth -> Sucess :-) DNS mysite.mydomain.c...

application delivery

BIG-IP Access Policy Manager (APM)

LTM

security

Kevin_Stewart

Employee

Aug 21, 2015

If you have the ability to capture Kerberos traffic between the client and KDC, look at the TGS_REQ being sent by the client. Your APMs are probably set up to authenticate (have a keytab) for mysite.mydomain.com, but you find that your clients are requesting tickets for mysite.gtm.mydomain.com. In any case, you'll need to add that as an SPN to the same account and then create a multi-SPN keytab.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Kerberos - Serving a URL in different datacenters

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

F5 BIG IP laboratory license

After upgrading from PeopleTools 8.59.11 to 8.61.11 F5 APM is not rewriting the internal URLs

F5 mssql health monitor failing

How can I get started with iCall

Connection Rest f5

Related Content

Syncing ASM WAF Policies Between F5 BIG-IP's in Different Datacenters or Cloud Regions

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

F5 BIG-IP's in Different Datacenters

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS