Forum Discussion

Nimbostratus

Mar 06, 2014

Kerberos: can't get TGT for HOST/abc@abc.com - Realm not local to KDC

Hi There, I am trying to get the Kerberos constrained delegation to work, where the client authentication is done via certficate with the BIGIP. The BIGIP uses the further via Kerberos SSO to au...

BIG-IP Access Policy Manager (APM)

deployment

security

Kevin_Stewart

Employee

Mar 06, 2014

Two things:

The session.ssl.cert.subject is rarely ever just username@domain.com, but usually a full DN string. Are you parsing the username out of the subject?
You need to split the username@domain.com into two values (at the "@"): the username source for Kerberos SSO should just be the username, and the realm source should either be the cert realm or a statically assigned realm.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Kerberos: can't get TGT for HOST/abc@abc.com - Realm not local to KDC

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

SSL Bridging and FQDN rewrite Policy

Cisco TACACS+ Config on ISE LTM Pair

iRule causing requests to be duplicated (sometimes)

How can I get started with iCall

Checking for X-Forwarded-For against an Address Data-Group

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS