Forum Discussion
superd_88943
Nimbostratus
NimbostratusKerberos SSO without APM
Hi all,
Im wondering is it possible to get Kerberos SSO working via standard LTM VIP, without the use of APM (which im assuming is an extra add-on)?
If i connect to the servers direct, SSO ...
Kevin_Stewart
Employee
EmployeeIn a word, no.
The problem is, as you've discovered with the websense proxy, that your client has to request a ticket for the correct service principal name (SPN), and it only knows that name by the URL it types into the browser. So your VIP FQDN has to mimic the backend server's SPN. You can do the exact same thing with an LTM VIP. If you want the device to proxy Kerberos, as in request tickets on the client's behalf to a SPN that is not the FQDN of the frontend VIP, then you need APM.
