For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stefan_Schnyder's avatar
Stefan_Schnyder
Icon for Nimbostratus rankNimbostratus
Nov 20, 2012

Kerberos SSO issues

Hello F5 Community   I'm the appointed admin of our new F5 BIG-IP appliances (11.2.1) at our company. I'm trying to get Kerberos SSO to work but some things I just can't get right. I've read a lot...
config
design
Stefan_Schnyder's avatar
Stefan_Schnyder
Icon for Nimbostratus rankNimbostratus
Nov 22, 2012
Kevin,

 

 

Thank you very much for you reply. That cleared up a lot of things.

 

 

I removed the Basic Auth branch as you said. I didn't realize I could do that.

 

 

Also I thought the SSO credential mapping was there to tell the BIG-IP to store the Kerberos ticket, so it could be presented to the MSSP server afterwards.

 

When I remove it, I get a lot of messages in the session log saying that an SSO name could not be found and that SSO is disabled. Can I ignore these? Normally, I'd think that something wouldn't work if the log has warnings & errors.

 

 

I knew that 12345@ZHAW.CH@ZHAW.CH couldn't work, but I didn't know what to do with it. I thought that with the option 'Split the domain from full username' enabled, the initial 12345@ZHAW.CH would become 12345. It seems however, that this only happens with the SSO credential mapping in the AP.

 

 

I think client side Kerberos works already they way we've got it configured. I need to have a look at the server side, though. I'm not sure if the two session variables are acquired correctly.

 

 

I'll tell you my results.

 

 

Thanks again,

 

Stefan