Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Nelgin_Nepolean's avatar
Nelgin_Nepolean
Icon for Nimbostratus rankNimbostratus
Nov 01, 2016

Kerberos: can't get S4U2Self ticket for user Exch2016@MYDOMAIN.COM - Server not found in Kerberos database (-1765328377)

We are publishin Exchange 2016 in F5 APM. We are facing an issue for Outlook Anywhere as NTLM authentication is used. I have used latest available iApp for the exchange 2016 deployment and followed d...
application delivery
BIG-IP Access Policy Manager (APM)
iApps
kerberos
ntlm
stan_piron's avatar
stan_piron
Icon for Cumulonimbus rankCumulonimbus
Nov 02, 2016

Hi,

 

I think your wrong with SPN configuration.

 

In AD, only Service can have delegation role, not User. adding SPN (ServicePrincipalName) to a user give it the delegation role capability.

 

the delegation account must be:

 

  • sAMAccountName : svc_apm.abc.net
  • UserprincipalName : host/svc_apm.abc.net@abc.net
  • ServicePrincipalName = host/svc_apm.abc.net

the setspn command configure SPN from command line. In a comment, you told of setspn with SPN host/mail.company.com... this is not the good configuration.

 

Then for your exchange account, you must configure the following configuration

 

  • sAMAccountName : svc_exchange
  • UserprincipalName : svc_exchange@abc.net
  • ServicePrincipalName = host/mail.mydomain.com

Then in delegation account, add delegation to service svc_exchange. it will display all SPN including http/mail.mydomain.com

 

to display user SPN list, you can add attribute editor tab in user properties. to add this tab, enabled View/Advanced Features in Active Directory Users and Computers

 

then, you can view and edit servicePrincipalName attribute for every users.

 

When deploying new customers, I don't use setspn anymore because it's easier to understand what I do with attribute editor. setspn does not add the right to access this server but only give a service name to a user.