Forum Discussion

Nimbostratus

Mar 18, 2013

Kerberos SSO with two realms

I am working on a solution depicted in the attached file. Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...

config

design

Kevin_Stewart

Employee

Mar 22, 2013

East Coast, you may already know this, but for the larger audience, your suspicions were correct. Kerberos S4U does in fact require a two-way trust between domains/forests.

http://support.microsoft.com/?kbid=954739

http://msdn.microsoft.com/en-us/magazine/cc188757.aspx

Thanks to some internal F5 folks for finding these articles. I wasn't sure either.

That said, I see a potential alternative. Given that you're authenticating the user via form logon, you have the credentials (and I assume the domain) to perform an HTTP Basic or NTLM authentication to the web server.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Kerberos SSO with two realms

Tyler - May 2026 Featured Member

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

Big-IQ: VS connection/pool stats visible, but Virtual Server health status not displayed

Functionality questions regarding commands that we're using in a DNS_REQUEST related iRule

ISP Link Load Blancing Use Case

F5 VCMP guest shutdown and decommissioning

shame on f5

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS