Hi all...I am setting up a new BIG-IP environment (v.11.5.1) to front multiple backend services. What is the simplest way to have multiple services (i.e. webservice1.company.com, webservice2.complany...
I don't have my Kerberos testing lab up and running, so can't say specifically if that is an issue. The bad match error does indicate that the target KDC doesn't like something in the ticket though. I'd check the following things:
That transitive (two-way) trust is correctly established
That you're actually talking to the correct target domain KDC
That your delegation account is identified by a userPrincipalName and not a sAMAccountName. I didn't mention this earlier, but it's imperative that the Kerberos SSO delegation account is specified using a UPN format account@domain' versus 'domain\account' or simply 'account'.