Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Kerberos 401 authentication with form fallback

Hello,   we are using APM for SAML authentication. Domain joined machines should authenticate transparently with Kerberos, users without the ability to use Kerberos (non domain joined, Firefox wit...
BIG-IP Access Policy Manager (APM)
kerberos
security
SSO
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 07, 2018

JoeTheFifth,

What do you mean by adding all spns ?

You can "overload" the keytab file by using the -in option with ktpass:

ktpass -princ  -mapuser  -ptype KRB5_NT_PRINCIPAL -pass 'password' -in  -out c:\keytab.next

You'd run this command for each SPN, adding the resulting key information to the last keytab file.

If you want to avoid the initial 401 response you have to configue IE and Firefox for that

Even if you put the URL in the browser's trusted intranet sites list, I believe (specifically for Kerberos) that the browser still makes an initial anonymous request.