Forum Discussion

Nelgin_Nepolean's avatar
Nelgin_Nepolean
Icon for Nimbostratus rankNimbostratus
Nov 01, 2016

Kerberos: can't get S4U2Self ticket for user Exch2016@MYDOMAIN.COM - Server not found in Kerberos database (-1765328377)

We are publishin Exchange 2016 in F5 APM. We are facing an issue for Outlook Anywhere as NTLM authentication is used. I have used latest available iApp for the exchange 2016 deployment and followed d...
application delivery
BIG-IP Access Policy Manager (APM)
iApps
kerberos
ntlm
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 02, 2016

Example: ABC/exch2016 or exchange2016@mydomain.com

 

I'm probably splitting hairs here, but you seem to be using "mydomain.com" and "ABC" interchangeably. My point is, if the domain name is "ABC.NET", is the user principal name for that account @abc.net, or is it @mydomain.net (as in not the same as the domain name)?

 

I ask because using a UPN realm alias requires an extension to the Kerberos protocol that APM Kerberos SSO currently does not have. If the UPN realm and domain name are different, you have to inject the user's sAMAccountName as the SSO username source and the real domain name (ABC.NET) as the SSO domain realm source.