Julio_Navarro
Mar 26, 2015

Kerberos Caching Option

Hello,

I successfully have my users authenticating using Kerberos based on the following document:

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/9.html

Now, my question is: is it possible to cache the Kerberos request against Active Directory (AD) in the LTM, shortening the authentication process? Let's, for example, keep that valid user for 1 hour?

Thank you

J

 

1 Reply

  • The default ticket lifetime is 600 minutes (10 hours) in the SSO > Kerberos configuration. The online help shows the following for the "Ticket Lifetime" settings.

    Displays, in minutes (for example, 600 minutes would equate to 10 hours), the lifetime of Kerberos tickets obtained for the user. The value represents the maximum ticket lifetime, and the actual lifetime may be less by up to 1 hour. This is because the user's ticket lifetime is the same as the TGT lifetime. The TGT is a Kerberos Ticket Granting Ticket obtained for the delegation account specified in this configuration. The new TGT is fetched every time when the current TGT for that account is older than one hour. The new TGT can be fetched only when an SSO request is processed. The minimum lifetime that can be specified is 10 minutes. There is no maximum; however, most AD domains have this set to 10 hours (600 minutes), and you should not set the ticket lifetime in SSO configuration above what is specified in AD. The default value is 600 minutes.
    

    I hope this helps!

    Seth