Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Dev_56330's avatar
Dev_56330
Icon for Cirrus rankCirrus
Oct 22, 2015

Kerberos Authentication with different UPN than Kerberos Realm

Using the Exchange 2013 iApp to allow the big ip (v12.0) load balance a pool of Client Access Servers with APM providing authentication, users are receiving Matching Credentials Cannot be Found after...
BIG-IP Access Policy Manager (APM)
kerberos
microsoft
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 22, 2015

APM Kerberos SSO doesn't currently support Kerberos "canonical enterprise referrals", that is it can't chase a referral sent by the KDC for another realm. I'm assuming your "@nnn" is an alternate UPN suffix in the same domain, but this still requires canonical referrals. What you need to do to make this work is to specify the user's real name and real domain. And since the user's real userPrincipalName contains the alias realm, you have to send the sAMAccountName value instead. Your access policy might then look something like this:

start -> on demand cert auth -> ocsp auth -> LDAP query -> variable assign -> allow

where the LDAP query looks up the user's sAMAccountName value based on the userPrincipalName. The variable assign puts the returned username value into the right username session variable for the SSO profile. Example:

session.sso.token.last.username = return [mcget {session.ldap.last.attr.sAMAccountName}]

Or you can alternatively skip the variable assign and make session.ldap.last.attr.sAMAccountName the input username source variable within the SSO profile.