Forum Discussion
Kerberos SSO Clients Not Getting Ticket
- Apr 25, 2018
The other answer showed me the problem. In our testing, we were going directly to the virtual server IP instead of the FQDN. Since the IP didn't match what was in the UPN, Kerberos was failing. As soon as we entered the FQDN as the URL, everything worked fine.
Hello Robert,
I understand your issue. To sum up, you have one service acting as IdP that authenticates users (Kerberos). You have copied the VPE and attached this new VPE to a new service.
It's quite normal that it does not work, because of Kerberos. Let me explain.
Actual service idp1.mydomain.com
Copied service idp2.mydomain.com
In the VPE of service idp2 you have to create a new keytab with the following SPN: HTTP/idp2.mydomain.com.
You have to know that Kerberos uses DNS records in its auth process. When you try to reach/auth on idp2, your system will follow these steps:
- A record of idp2.mydomain.com --> ex: 1.1.1.2
- PTR of 1.1.1.2 --> idp2.mydomain.com
- check if SPN HTTP/idp2.mydomain.com exists
The problem is that the SPN for idp2 doesn't exist, and the keytab attached to the idp2 VPE is not valid because its SPN is the one used by idp1...
Let me know if it's clear for you and if you need additional help.
Regards
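As an added illustration (not code from either poster or from F5), the following Python models the three steps the reply lists: resolve the A record, resolve the PTR, then check whether the resulting HTTP/ SPN is registered and present in the VPE's keytab. The hostnames, IP addresses and principals are constructed from the thread's examples, and it covers both failures discussed here: browsing to the VIP by IP, and a copied keytab that still carries idp1's SPN.

```python
"""Model of the DNS -> SPN -> keytab check described in the reply above.
Constructed data only: hosts, IPs and principals are the thread's
examples (addresses assumed), not a real realm or zone."""
import ipaddress
from urllib.parse import urlsplit

# Constructed zone for the two APM virtual servers (assumed addresses).
A_RECORDS = {"idp1.mydomain.com": "1.1.1.1", "idp2.mydomain.com": "1.1.1.2"}
PTR_RECORDS = {ip: host for host, ip in A_RECORDS.items()}


def canonical_host(url_host):
    """Steps 1-2 of the reply: A lookup, then PTR of the returned address."""
    try:
        ipaddress.ip_address(url_host)   # user typed the VIP directly
        return None                      # no FQDN from which to build an SPN
    except ValueError:
        pass
    ip = A_RECORDS.get(url_host.lower())
    return PTR_RECORDS.get(ip) if ip else None


def expected_spn(url, service="HTTP"):
    """SPN the client will ask the KDC for, or None when it cannot build one."""
    host = canonical_host(urlsplit(url).hostname)
    return f"{service}/{host}" if host else None


def check_sso(url, realm_spns, keytab_spns):
    """Step 3: is the SPN registered, and does the VPE's keytab carry it?

    Returns (ok, reason) so the reason can be surfaced in a diagnostic."""
    spn = expected_spn(url)
    if spn is None:
        return False, "URL host is an IP or unresolvable; no SPN to request"
    if spn not in realm_spns:
        return False, f"{spn} is not registered in the realm"
    if spn not in keytab_spns:
        return False, f"keytab holds {sorted(keytab_spns)}, not {spn}"
    return True, f"{spn} registered and present in keytab"


if __name__ == "__main__":
    realm = {"HTTP/idp1.mydomain.com"}           # idp2 SPN not yet created
    copied_keytab = {"HTTP/idp1.mydomain.com"}   # keytab copied with the VPE
    for url in ("https://1.1.1.2/", "https://idp2.mydomain.com/"):
        print(url, "->", check_sso(url, realm, copied_keytab))
```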