Forum Discussion

Doug_Pruiett_24's avatar
Doug_Pruiett_24
Icon for Nimbostratus rankNimbostratus
Feb 08, 2016

Multiple Windows Authentication Prompts after F5 Authentication

I am not the principle engineer on this issue, nor an F5 expert. I am part of a project that uses F5 and doing a little research to see if I can find help for an issue we are having.   The desire...
Secure Web Gateway
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 08, 2016

APM Kerberos SSO will only intercept the 401 if you have the Send Authorization setting in the Kerberos SSO profile set to "On 401 Status Code". The "Always" option will send a preemptive Kerberos ticket. In either case, SSO must know how to retrieve a ticket to a give service, which is where I believe the problem lies. Before digging into the ugly details, let's establish that a service must be associated with a declared by a unique** service principal name (SPN), that SSO must be able to derive/find this SPN, and that the AD delegation account be able to delegate to that SPN. So in your SSO,

 

  1. Do you have a SPN pattern defined?
  2. Does the target service have a defined and unique SPN?
  3. Does the hostname in that SPN reverse resolve in AD DNS?