Kerberos Auth with alternate UPN suffix

Question

Hello All,&nbsp;
I have been searching dev central for the last few days on how to deal with kerberos auth when the user is using a alternate UPN suffix and still can't figure out how to make it work.&nbsp;
I have a virtual server configured with an access policy that works great if the userPrincipalName matches the domain principal realm but when I change the upn to use the alternate suffix I am unable to get that to work.  
&nbsp;
Here is how my APM is configured that allows it to work when the upn matches the principal realm. &nbsp;
http 401 Response: Basic Auth realm is DOMAIN.LCL&nbsp;
AD Query: Search Filter userPrincipalName=%{session.logon.last.username}&nbsp;
SSO Credential Mapping:  Username.  mcget {session.ad.last.attr.sAMAccountName} password. mcget {session.logon.last.domain}&nbsp;
I can see that the reason it is failing is that the session.logon.last.username that is created is bsmith@DOMAIN.LCL and that upn doesn't match an attribute in active directory which is actually bsmith@domain.org so the AD Query fails to return any results.  
&nbsp;
I have read that I need to be using LDAP Query instead of AD Query but it fails as well since the session logon that kerberos generates doesn't match the actual UPN.&nbsp;
Do I need to create a custom variable in APM that removes the @DOMAIN.LCL from the session.logon.last.username then do my AD Query off of just bsmith.  
&nbsp;
If that is the case how would I go about doing that?&nbsp;
Any other suggestions would be much appreciated!&nbsp;
Thanks for your help!&nbsp;

nolan_jensen · Answer

For anyone else who may come across this question I wanted to let you know what I did to get it working.&nbsp;
In my Access policy I added a variable assign after the successful Kerberos auth took place.  
&nbsp;
Variable assign:
session.custom.UPN = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }&nbsp;
Changed my AD Query from: sAMAccountName=%{session.logon.last.username} &nbsp;
to: sAMAccountName=%{session.custom.UPN}&nbsp;
What did these changes do? Creating a custom variable took the session.logon.last.username variable that was created from kerberos auth and changed it from bsmith@DOMAIN.LCL to just bsmith.  I then was able to use the new custom variable session.custom.UPN (which was bsmith) and query AD since that would be found as it was no longer looking for the UPN bsmith@DOMAIN.LCL which in AD was now bsmith@domain.org.&nbsp;

stan_piron · Answer

Hi,&nbsp;
Username provided with Kerberos IS NOT UPN!&nbsp;
This is the same format but not the same!&nbsp;
Kerberos username is sAMAccountName@REALM&nbsp;

Forum Discussion

Kerberos Auth with alternate UPN suffix

2 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

The Ingress NGINX Alternative: F5 NGINX Ingress Controller for the Long Term

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

In F5 APM, how to include multiple DNS suffix?

F5 RHI Solution an alternative to GSLB load balancing between Datacenters

Kerberos is Easy - Part 2

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS