Forum Discussion

ademali_1610
Nov 22, 2012

Kerberos SSO with alternative UPN

Hello all,

I'm wondering if some bright spark out there might be able to help me out!

I've got an access profile set up working brilliantly with Kerberos. It grabs a token and delegates and does everything as it should do except for one thing: when I attempt to log in using an alternative UPN it freaks out and can't get a token for the user. For example:

Say the domain FQDN is: mydomain.local

and my user is called: Bob

I can log in using Bob@mydomain.local and that works fine, but if I change the UPN for the user so that the UPN is now Bob@Differentdomain.com then it fails to grab a ticket for the user. The APM log states "can't get S4U2Self ticket for user Bob@DIFFERENTDOMAIN.COM - Server not found in Kerberos database (-1765328377)"

I'm sure there is something silly I am missing out or have failed to do. Any ideas? Thanks in advance! :)

Cheers,

Adem

P.S. I tried creating a new delegate user in my Active Directory for F5 (i.e. host/apm.Differentdomain.com), but I don't understand how I can attach multiple Kerberos SSO profiles to a single access profile. Am I trying to solve this the wrong way?

 

3 Replies

  • Adem,

    Using APM for Kerberos cross-domain authentication can be challenging. I have just finished working one myself. Have you resolved your issues here?

    Tom


  • I am trying to do the same thing but with different URLs. I have different VIPs and access policies and a different SSO delegation account for each. At the start of the day, one site will work and the other won't, and I get the "Kerberos: can't get S4U2Self ticket for user " error message in the log...


  • Kulastone, your problem may actually be different than the originator's. The original problem is that APM Kerberos does not (yet) support enterprise canonical referrals. This is where a Kerberos client, understanding that the realm name doesn't match a known realm, will send an enterprise canonical request to its local KDC. The KDC will then go find the user (via global catalog and/or LDAP search) and return a referral (like a CNAME for Kerberos) telling the client where the user lives. I've heard that it's coming soon, but can't say when. A common workaround is to simply perform your own LDAP search and use the returned sAMAccountName and real domain realm in your Kerberos SSO (instead of the userPrincipalName). Works like a charm. Otherwise I wouldn't really say cross-domain Kerberos with APM is all that challenging - no more so than Kerberos itself. As long as 1) you use the real realm names of the users, 2) the delegation account is in the SAME REALM as the resource, 3) there is a two-way transitive trust between the domains (a protocol requirement), and 4) APM knows how to talk to these realms, you should be good to go.

    As for your issue, can you elaborate?
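The LDAP-search workaround from the reply above, as an added example that is not part of this thread and not F5's own code: it takes the attributes an LDAP search for the logon UPN would return, derives the user's real realm from the DC= components of the distinguished name, and builds the sAMAccountName@REALM principal that Kerberos SSO should request the S4U2Self ticket for instead of the alternative UPN. The directory entries, realm list and function names are constructed for illustration.

```python
import re

# Constructed stand-in for the entries an LDAP search (userPrincipalName=<upn>)
# against the global catalog would return. Not real directory data.
SAMPLE_LDAP_RESULTS = [
    {
        "dn": "CN=Bob,OU=Users,DC=mydomain,DC=local",
        "sAMAccountName": "Bob",
        "userPrincipalName": "Bob@Differentdomain.com",   # alternative UPN suffix
    },
    {
        "dn": "CN=Alice,OU=Staff,DC=child,DC=mydomain,DC=local",
        "sAMAccountName": "alice",
        "userPrincipalName": "alice@mydomain.local",
    },
]


def realm_from_dn(dn):
    """Derive the Kerberos realm from the DC= components of a distinguished name.
    In Active Directory the realm is the domain's DNS name in upper case, so the
    DN tells us where the account really lives regardless of its UPN suffix."""
    parts = [m.group(1) for m in re.finditer(r"DC=([^,]+)", dn, flags=re.IGNORECASE)]
    if not parts:
        raise ValueError("DN carries no DC= components: %r" % dn)
    return ".".join(parts).upper()


def resolve_principal(upn, results):
    """Map the logon UPN to the principal to hand to Kerberos SSO:
    sAMAccountName@<real realm>. Returns None when no entry matches."""
    wanted = upn.lower()
    for entry in results:
        if entry.get("userPrincipalName", "").lower() == wanted:
            return "%s@%s" % (entry["sAMAccountName"], realm_from_dn(entry["dn"]))
    return None


def suffix_is_real_realm(upn, known_realms):
    """True when the UPN suffix already names a realm the KDC knows. When it does
    not (an alternative UPN), the KDC answers 'Server not found in Kerberos
    database' and the LDAP lookup above is needed to find the real realm."""
    return upn.split("@", 1)[1].upper() in {r.upper() for r in known_realms}
```

In APM terms the resolved value would be fed to the Kerberos SSO profile's username and domain fields from an LDAP query step in the policy, in place of the raw userPrincipalName.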