For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 19, 2013

mixing SSO methods, i.e. ntlm, basic http and kerberos

i was wondering if i can freely mix SSO methods with a webtop implementation. currently im using NTLMV2 and HTTP basic together by configuring different SSO profiles on the portal access resources. t...
BIG-IP Access Policy Manager (APM)
remote access
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 25, 2013

im not quite getting there:

 

Websso Kerberos authentication for user 'user' using config '/DMZ/sso-kerberos'

 

adding item to WorkQueue

 

sid: ctx:0x92384d8 server address = ::ffff:192.168.8.21

 

sid: ctx:0x92384d8 SPN = HTTP/ext-hostname.domain.uk@DOMAIN.UK

 

S4U ======> ctx: , sid: 0x92384d8, user: user@DOMAIN.UK, SPN: HTTP/ext-hostname.domain.uk@DOMAIN.UK

 

Kerberos: Failed to get ticket for user user@DOMAIN.UK

 

failure occurred when processing the work item

 

as im not quite sure were to check id like to double check some things:

 

on the SSO profile should be user be in the format host\delegation_user.domain ? or just delegation_user

 

should on AD side be HTTP/ext-hostname.domain.uk@DOMAIN.UK allowed as service? or is HTTP/ext-hostname enough?

 

although the SPN appears to be HTTP/ext-hostname.domain.uk@DOMAIN.UK the actual website is hostname.domain.uk, is that an issue?