Forum Discussion

MD_'s avatar
MD_
Icon for Nimbostratus rankNimbostratus
Feb 08, 2017

Kerberos SSO : Server not found in Kerberos database (-1765328377)

Hi,   I am trying to configure Kerberos SSO between F5/APM ans IIS. I am getting this error message :   Feb 8 18:17:00 bigip12 info websso.3[2776]: 014d0011:6: /Common/Kerb:Common:7828fdf8: We...
application delivery
BIG-IP Access Policy Manager (APM)
kerberos
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 08, 2017

Hi MD,

the KDC error 

-1765328377
refers to 
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
and means that the domain controller was unable to find an matching service account for this Service Principal Name (SPN).

Please check if the Service Principal Name 

HTTP/iis.ad.test.fr
is registered in Activce Directory and that this name is either linked to the service account of your IIS web application (in thew case that IIS Kernel mode caching is disabled) or to the computer account hosting the IIS service (if Kernel mode caching is enabled or if the website is running under a system identity like network service, local system, etc.)

C:\Windows\system32>setspn -Q HTTP/iis.ad.test.fr

The next step would be to check if LTM's service account is already allowed to perform a Kerberos Protocol Transition and Contrained Delegation to this SPN. But lets see if the addition of the SPN already resolves your problem...

Cheers, Kai