Forum Discussion
Kerberos delegation and short names problem
It is somewhat unfortunate that AD SPNs would be created that way, but it is not the first time I've seen that. The most robust solution would definitely be to change the SPNs in the directory. It works now, but sooner or later they'll discover other issues.

The second option might be to change the DNS entry. APM Kerberos SSO performs a reverse DNS lookup against the load balanced IP address to get the name of the host, then adds "http/" to the front and "@DOMAIN.COM" to the end to create the SPN string it'll use to make a Kerberos request. If the reverse DNS lookup for any given host IP address returns the fully qualified domain name, then that's what the SPN will look like.

A third option might be to spoof the names locally. For every pool member, create a local Hosts entry on the BIG-IP that reflects the short name. Then in the Kerberos SSO profile, under the SPN Pattern section, enter a wildcard SPN pattern:

http/%s@DOMAIN.COM

The SSO will use this value instead of performing the DNS query.
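The following is an added model of the SPN derivation described in the reply above; it is not F5 code, and all resolver data, IP addresses and registered SPNs in it are constructed. It assumes that with an SPN pattern configured, `%s` is filled from the BIG-IP's local Hosts entry for the pool member (the reply does not spell out the substitution source).

```python
# Added illustration of how APM Kerberos SSO builds the SPN it requests for a
# pool member, and why a short-name SPN in AD fails against an FQDN PTR record.
# Not F5 code; every lookup table below is constructed sample data.
REALM = "DOMAIN.COM"
SERVICE = "http"

# Constructed reverse-DNS (PTR) answers: the typical FQDN case.
PTR_RECORDS = {"10.1.1.21": "web01.corp.example.com"}
# Constructed BIG-IP local Hosts entries: the short-name spoof (option three).
LOCAL_HOSTS = {"10.1.1.21": "web01"}
# Constructed: SPNs as they were registered in AD (short-name form).
AD_SPNS = {"http/web01@DOMAIN.COM"}


def derive_spn(ip, spn_pattern=None, ptr=PTR_RECORDS, hosts=LOCAL_HOSTS):
    """Return the SPN the SSO profile would request for a pool member IP.

    Default path (as the reply describes): reverse-lookup the IP, then
    prepend "http/" and append "@REALM".  With an SPN pattern configured
    the DNS query is skipped; we ASSUME %s is filled from the local Hosts
    entry for the IP (an assumption, not stated in the reply).
    """
    if spn_pattern is None:
        name = ptr[ip]  # KeyError here means no PTR record: no SPN can be built
        return f"{SERVICE}/{name}@{REALM}"
    return spn_pattern.replace("%s", hosts[ip])


def spn_is_registered(spn, registered=AD_SPNS):
    """Exact check of the derived SPN against what the directory holds.
    A miss is the delegation failure this thread is about."""
    return spn in registered


def diagnose(ip, spn_pattern=None):
    """Return (derived_spn, registered) so an operator can see the mismatch."""
    spn = derive_spn(ip, spn_pattern)
    return spn, spn_is_registered(spn)


if __name__ == "__main__":
    # Default: FQDN from PTR does not match the short-name SPN in AD.
    print(diagnose("10.1.1.21"))
    # Option three: Hosts entry plus wildcard pattern yields the registered SPN.
    print(diagnose("10.1.1.21", "http/%s@DOMAIN.COM"))
```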